Did Apple Solve Persistence? Demystifying Background Task Management

Presented at Objective by the Sea version 6.0 (2023), Oct. 12, 2023, 5:05 p.m. (25 minutes).

Launch items remain the most common persistence mechanism used by macOS malware. In macOS Ventura, Apple expanded a core persistence-management component, Background Task Management (BTM), to both centrally manage launch items and notify users whenever a new one is added.

This talk focuses on the undocumented, proprietary internals of BTM, revealing exactly how launch items are managed and how user notifications are delivered. We'll also describe and demonstrate how security and forensics tools, which aim to heuristically detect malware via unauthorized persistence events, can now leverage BTM to better protect macOS endpoints.

Of course, we must also be cognizant of BTM's shortcomings and limitations. As such, we'll end the talk by highlighting various design flaws and bypasses that malware could, and still can, trivially employ to sidestep BTM, such that persistence may still be silently achieved.

Presenters:

  • Christopher Lopez - Senior macOS Security Researcher at Kandji
    Christopher Lopez is a Senior macOS Security Researcher at Kandji, with previous experience at Tanium and UPS. Chris' passion for macOS drew him to the security researcher role, where he spends his time discovering vulnerabilities alongside the Apple community while also reverse engineering and analyzing malware.

    He loves spending time with his family, running, Jiu Jitsu, and playing video games.
  • Patrick Wardle - Founder, Objective-See Foundation
    Patrick Wardle is the founder of the Objective-See Foundation. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy.

    Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0-days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.
