Sandboxing with ESF Playground on macOS

Presented at Objective by the Sea version 5.0 (2022), Oct. 6, 2022, 2:55 p.m. (25 minutes)

The constantly changing landscape of macOS and its hardware is exciting and dreadful. System extensions have changed how all software works. The side effect was lots of broken software on modern macOS versions, including some software that was useful for examining the behavior of malware. VirtualBox and Mac-a-mal Cuckoo were integral to some companies that wanted to automate this process. As Apple slowly phases out x86 applications, we look to update our workflow with new utilities that will persevere through upcoming changes.

This talk will introduce ESFriend, a minimal malware analysis system modeled after Cuckoo. ESFriend uses existing applications wrapped in Python to automate the collection of behavioral events from a physical macOS machine on your network.


Presenters:

  • Matt Carman - Product Consulting Engineer at Kandji
    Matt is a Product Consulting Engineer at Kandji, hailing from metro Denver. He is a self-taught programmer with experience in malware research, malware removal support, and quality assurance.
