macOS security fundamentals for red team professionals - Part 2
Learn about File Quarantine, XProtect, Malware Removal Tool, Gatekeeper and how they work.
I recently ventured into macOS security and how to get past it for red team tradecraft. This series of posts contains an overview of the components that make up the macOS security architecture:
macOS security fundamentals for red team professionals - Part 1
File Quarantine - The File Quarantine feature in macOS works like mark-of-the-web on Windows systems. Whenever a file is downloaded from a network location, File Quarantine tags the file to indicate that it could be unsafe. The first time any such file is opened in Finder, in Spotlight, or from the Dock, File Quarantine displays a warning about unsafe file types. An application quarantines a file simply by assigning values to one or more quarantine properties, which preserve information about when and where the file came from. Read this post to dive deep into the internals of File Quarantine.
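As an added example (not code from the original post), the script below reads the quarantine properties mentioned above and decodes them. It assumes the `com.apple.quarantine` extended attribute, whose value has the layout `flags;timestamp;agent;uuid` (hex flags, hex Unix timestamp, name of the downloading app, and a UUID), and the per-user LaunchServices database `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, in which that UUID keys a row recording the download URL and its origin page. The sample attribute value used for the demonstration is constructed; the flag bit semantics are not documented by Apple, so the script reports the raw value.

```python
"""Inspect the File Quarantine metadata macOS attaches to downloaded files.

Added example, not from the original post. Assumes the com.apple.quarantine
xattr layout 'flags;timestamp;agent;uuid' and the QuarantineEventsV2 sqlite
database keyed by that uuid.
"""
import os
import sqlite3
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"
EVENTS_DB = os.path.expanduser(
    "~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
# The events database stores CFAbsoluteTime: seconds since 2001-01-01 UTC.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample value, in the layout written by a browser on download.
SAMPLE_XATTR = "0083;6553f2e0;Safari;12345678-ABCD-4EF0-9876-0123456789AB"


@dataclass
class QuarantineInfo:
    flags: int              # raw flag word; bit meanings are undocumented
    downloaded_at: datetime  # when the file was tagged (UTC)
    agent: str              # application that created the file, e.g. Safari
    event_id: str           # UUID keying into the QuarantineEventsV2 database


def parse_quarantine(raw: str) -> QuarantineInfo:
    """Decode the ';'-separated xattr value set by the downloading application."""
    parts = raw.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine attribute: {raw!r}")
    flags = int(parts[0], 16)
    epoch = int(parts[1], 16)  # Unix time, hex encoded
    return QuarantineInfo(
        flags=flags,
        downloaded_at=datetime.fromtimestamp(epoch, tz=timezone.utc),
        agent=parts[2],
        event_id=parts[3],
    )


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute from a real file with xattr(1); None if it is absent."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None  # not quarantined (or xattr unavailable on this platform)
    return parse_quarantine(proc.stdout)


def lookup_event(event_id: str, db_path: str = EVENTS_DB) -> Optional[dict]:
    """Recover the download URL and origin page recorded for a quarantine UUID."""
    query = ("SELECT LSQuarantineTimeStamp, LSQuarantineAgentBundleIdentifier, "
             "LSQuarantineDataURLString, LSQuarantineOriginURLString "
             "FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?")
    with sqlite3.connect(f"file:{db_path}?mode=ro", uri=True) as con:
        row = con.execute(query, (event_id,)).fetchone()
    if row is None:
        return None
    return {
        "timestamp": CF_EPOCH + timedelta(seconds=row[0] or 0),
        "agent_bundle_id": row[1],
        "data_url": row[2],
        "origin_url": row[3],
    }


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:  # no file given: decode the constructed sample instead
        info = parse_quarantine(SAMPLE_XATTR)
        print(f"sample: flags=0x{info.flags:04x} agent={info.agent} "
              f"downloaded={info.downloaded_at.isoformat()} event={info.event_id}")
    for target in targets:
        info = read_quarantine(target)
        if info is None:
            print(f"{target}: not quarantined")
            continue
        print(f"{target}: flags=0x{info.flags:04x} agent={info.agent} "
              f"downloaded={info.downloaded_at.isoformat()}")
        event = lookup_event(info.event_id) if os.path.exists(EVENTS_DB) else None
        if event:
            print(f"  from {event['data_url']} (origin {event['origin_url']})")
```

Run with one or more paths on a Mac to see who downloaded each file and from where; with no arguments it decodes the constructed sample. For incident response the database lookup is the useful half: the xattr alone names the agent, while the `LSQuarantineEvent` row ties the file back to the URL it came from.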
XProtect - XProtect is a signature-based malware detection tool for macOS. It ships with macOS by default. XProtect includes signatures for common Mac malware families in the form of YARA rules. A scan from XProtect gets triggered whenever:
- An executable is launched for the first time, and also on subsequent runs
- An app has been changed in the file system
- XProtect signatures have been updated
One thing to note is that an executable can bypass some components of XProtect scanning when launched via the command line. XProtect also helps in blocking malicious and older versions of Safari plugins. Updates to XProtect are pushed every 7-21 days. Read this post to dive deep into the internals of XProtect.
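Because XProtect's YARA rules live on disk, a defender can inventory exactly which families the installed signature set covers and confirm that the periodic updates are actually arriving. The script below is an added example, not code from the original post. It assumes the bundle path `/Library/Apple/System/Library/CoreServices/XProtect.bundle`, with rules in `Contents/Resources/XProtect.yara` and the signature version in `Contents/Info.plist` under `CFBundleShortVersionString`; the rule text and plist used in the demonstration are constructed stand-ins for those files.

```python
"""Inventory the YARA rules and version of the installed XProtect bundle.

Added example, not from the original post. Assumes the XProtect.bundle paths
named below; the sample rule text and plist are constructed.
"""
import os
import plistlib
import re
from typing import List, Optional

XPROTECT_BUNDLE = "/Library/Apple/System/Library/CoreServices/XProtect.bundle"
XPROTECT_RULES = os.path.join(XPROTECT_BUNDLE, "Contents/Resources/XProtect.yara")
XPROTECT_PLIST = os.path.join(XPROTECT_BUNDLE, "Contents/Info.plist")

# Matches a rule header at the start of a line, e.g. "private rule foo".
RULE_HEADER = re.compile(r"^[ \t]*((?:private|global)\s+)*rule\s+(\w+)", re.M)
DESCRIPTION = re.compile(r'description\s*=\s*"([^"]*)"')

# Constructed sample in the style of XProtect.yara (not Apple's real rules).
SAMPLE_RULES = """
rule XProtect_MACOS_EXAMPLE_A
{
    meta:
        description = "MACOS.EXAMPLE.A"
    strings:
        $a = { CA FE BA BE }
    condition:
        $a at 0
}
private rule shared_helper
{
    strings:
        $s = "example"
    condition:
        $s
}
rule XProtect_MACOS_EXAMPLE_B { meta: description = "MACOS.EXAMPLE.B" condition: shared_helper }
"""

# Constructed sample Info.plist carrying a made-up version number.
SAMPLE_PLIST = plistlib.dumps({"CFBundleShortVersionString": "9999",
                               "CFBundleIdentifier": "com.apple.XProtect"})


def parse_rules(text: str) -> List[dict]:
    """Return one entry per YARA rule: name, private flag, meta description."""
    rules = []
    headers = list(RULE_HEADER.finditer(text))
    for i, match in enumerate(headers):
        # The rule body runs until the next header (or end of file).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[match.end():end]
        desc = DESCRIPTION.search(body)
        rules.append({
            "name": match.group(2),
            "private": bool(match.group(1) and "private" in match.group(1)),
            "description": desc.group(1) if desc else None,
        })
    return rules


def signature_version(plist_bytes: bytes) -> Optional[str]:
    """Extract the XProtect signature version from Info.plist contents."""
    return plistlib.loads(plist_bytes).get("CFBundleShortVersionString")


def detection_names(text: str) -> List[str]:
    """Public (non-private) rule names, i.e. the families XProtect reports."""
    return [r["name"] for r in parse_rules(text) if not r["private"]]


if __name__ == "__main__":
    if os.path.exists(XPROTECT_RULES):
        with open(XPROTECT_RULES, "r", errors="replace") as fh:
            rule_text = fh.read()
        with open(XPROTECT_PLIST, "rb") as fh:
            plist = fh.read()
    else:  # not on macOS: demonstrate on the constructed sample
        rule_text, plist = SAMPLE_RULES, SAMPLE_PLIST
    print(f"XProtect signature version: {signature_version(plist)}")
    for rule in parse_rules(rule_text):
        kind = "private" if rule["private"] else "rule"
        print(f"{kind:8} {rule['name']}  {rule['description'] or ''}")
```

On a Mac this prints the installed signature version followed by every rule name, which makes a handy baseline: diff the output after each XProtect update to see which detections were added, and alert if the version has not changed in longer than the expected update cadence.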
Malware Removal Tool (MRT) - If malware has managed to make it past XProtect, Apple also provides a utility to eradicate it from the machine. It performs periodic scans of files on the disk to detect malware infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). MRT is launched upon every login or restart of the machine. It runs in two modes, agent and daemon, and can also be spawned from the command line. Read this post to dive deep into the internals of MRT.
Gatekeeper - Gatekeeper expands the functionality provided by File Quarantine to ensure that only trusted applications run on the system. When a user opens an application, a plugin or an installer downloaded from outside the App Store (for example, from the internet), Gatekeeper performs certain checks to ensure that the downloaded software is not malicious. These checks include verifying that the software is from an identified developer, has been notarized by Apple as free of known malicious content, and has not been altered. Gatekeeper also requires user approval the first time downloaded software is run. It also tracks the origin of files written by downloaded software. Gatekeeper also protects against the distribution of malicious plug-ins with benign apps.
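The three Gatekeeper checks above (identified developer, notarization, unaltered code) can be reproduced with Apple's own `spctl(8)` and `codesign(1)` tools, which is how a defender verifies what Gatekeeper would decide about a download before a user double-clicks it. The script below is an added example, not code from the original post. It assumes `spctl --assess --type execute -vv` reports a `<path>: accepted` or `<path>: rejected` verdict followed by `source=` and `origin=` lines (written to stderr on some releases), with a zero exit status only for accepted software, and that `codesign --verify --deep --strict` exits non-zero when the bundle has been altered. The tool outputs used for the demonstration are constructed.

```python
"""Reproduce Gatekeeper's assessment of a downloaded app with spctl and codesign.

Added example, not from the original post. Assumes the spctl/codesign output
conventions described in the lead-in; sample outputs below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed spctl outputs for a notarized app and an unsigned one.
SAMPLE_ACCEPTED = ("/Applications/Example.app: accepted\n"
                   "source=Notarized Developer ID\n"
                   "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
SAMPLE_REJECTED = "/tmp/Untrusted.app: rejected\nsource=no usable signature\n"


@dataclass
class Assessment:
    accepted: bool          # would Gatekeeper allow this to run?
    source: str = ""        # policy that decided, e.g. "Notarized Developer ID"
    origin: str = ""        # signing identity, when one exists
    notarized: bool = field(init=False)
    identified_developer: bool = field(init=False)

    def __post_init__(self) -> None:
        self.notarized = "notarized" in self.source.lower()
        self.identified_developer = self.origin.startswith("Developer ID Application:")


def parse_spctl(stdout: str, stderr: str, returncode: int) -> Assessment:
    """Turn spctl's verdict and verbose source/origin lines into an Assessment."""
    text = stdout + "\n" + stderr  # the verdict may land on either stream
    verdict = re.search(r":\s*(accepted|rejected)\s*$", text, re.M)
    accepted = returncode == 0 and verdict is not None and verdict.group(1) == "accepted"
    source = re.search(r"^source=(.*)$", text, re.M)
    origin = re.search(r"^origin=(.*)$", text, re.M)
    return Assessment(accepted,
                      source.group(1).strip() if source else "",
                      origin.group(1).strip() if origin else "")


def assess(path: str, kind: str = "execute") -> Assessment:
    """Ask the system policy daemon; kind is 'execute', 'install' or 'open'."""
    proc = subprocess.run(["spctl", "--assess", "--type", kind, "-vv", path],
                          capture_output=True, text=True)
    return parse_spctl(proc.stdout, proc.stderr, proc.returncode)


def signature_intact(path: str) -> bool:
    """True when the code signature still matches the bundle's contents."""
    proc = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                          capture_output=True, text=True)
    return proc.returncode == 0


def explain(a: Assessment) -> str:
    """One-line summary of which Gatekeeper checks the assessment satisfied."""
    checks = [
        ("identified developer", a.identified_developer),
        ("notarized", a.notarized),
    ]
    status = ", ".join(f"{name}={'yes' if ok else 'no'}" for name, ok in checks)
    return f"{'ACCEPT' if a.accepted else 'REJECT'} ({a.source or 'no source'}; {status})"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:  # no path given: show the constructed samples
        print(explain(parse_spctl(SAMPLE_ACCEPTED, "", 0)))
        print(explain(parse_spctl(SAMPLE_REJECTED, "", 3)))
    for path in sys.argv[1:]:
        result = assess(path)
        intact = signature_intact(path)
        print(f"{path}: {explain(result)}; signature intact={'yes' if intact else 'no'}")
```

Running it against an app in `/Applications` shows the same verdict the user would get from the Gatekeeper dialog, plus the reason. The `codesign --verify` result is kept separate from the `spctl` verdict on purpose: a bundle can carry a valid Developer ID signature yet still be rejected by policy, and conversely a tampered bundle fails `codesign` even when its original signer was notarized.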
Red Team Notes
- File Quarantine - macOS tags files downloaded from the internet as potentially unsafe, displaying a warning when they are accessed for the first time.
- XProtect - A signature-based malware detection tool for macOS that scans executables on launch, on change, or after signature updates, leveraging YARA rules.
- Malware Removal Tool (MRT) - A utility in macOS that scans for and removes malware periodically and at login or restart, based on updates from Apple.
- Gatekeeper - Ensures only trusted applications run on macOS by verifying developer identity, notarization, and user approval for downloaded apps.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.