macOS security fundamentals for red team professionals - Part 3
Learn about Code Signing Services, Notarization, Keychain Services, FileVault and how they work.
I recently ventured into macOS security and how red team tradecraft gets past it. This series of posts gives an overview of the components that make up the macOS security architecture:
macOS security fundamentals for red team professionals - Part 1
macOS security fundamentals for red team professionals - Part 2
Code Signing Services - Apple's code signing services let developers certify that an app was indeed created by them. Code signing also lets macOS detect alterations made to a binary, whether introduced accidentally or by malicious software. Apple requires binaries and libraries to be signed if they are to be distributed to a wider audience. Unlike Windows, macOS does not allow unsigned apps to execute on the machine unless an administrator explicitly allows that app from the Privacy & Security settings. To sign a binary or a library, a developer needs an Apple Developer account and a code-signing certificate, neither of which is hard to obtain. This article contains a step-by-step process for obtaining code signing services.
Notarization - Notarization is a mechanism through which Apple can map a binary, a plugin or a library to its developer. To distribute software outside the Mac App Store, Apple requires developers to submit a signed version for notarization. As part of the notarization process, Apple scans the software for malicious content, checks for code-signing issues, fingerprints the app and creates a unique identifier for it. All of this is done by an automated system, the Apple Notary Service. If malicious software does pass through notarization, Apple can simply kill it by adding its unique identifier to Gatekeeper. Software distributed via the Mac App Store does not require notarization because the App Store submission process already includes equivalent security checks. Notarization also requires the hardened runtime to be enabled for apps.
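The two sections above describe what a signature and a notarization ticket assert; the script below is an added example (not code from the original post) showing how a defender checks those assertions on a Mac from the command line. It reads the output of Apple's codesign(1) and spctl(8), reports the signing team, whether the hardened runtime flag is set, whether the signature is merely ad-hoc, and whether Gatekeeper accepts the binary as notarized. The sample tool outputs embedded in it are constructed to mirror the real format; the team ID, bundle ID and paths are placeholders, and the helper names are mine.

```sh
#!/bin/sh
# Added example (not from the original post): a defender-side check that
# reads the output of Apple's codesign(1) and spctl(8) and reports whether a
# binary carries a Developer ID signature with the hardened runtime and whether
# Gatekeeper accepts it as notarized. The sample outputs below are CONSTRUCTED
# to mirror the real tools' format; the team ID, paths and bundle ID are
# placeholders, not real identifiers.

# Constructed sample of `codesign -dvv <path> 2>&1` for a notarized Developer ID app.
SAMPLE_CODESIGN_OK='Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.exampleapp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
Runtime Version=13.0.0'

# Constructed sample for an ad-hoc signed binary: no signing identity, no hardened runtime.
SAMPLE_CODESIGN_ADHOC='Executable=/tmp/local_tool
Identifier=local_tool
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Constructed samples of `spctl --assess --type execute -vv <path> 2>&1`.
SAMPLE_SPCTL_NOTARIZED='/Applications/ExampleApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_SPCTL_REJECTED='/tmp/local_tool: rejected
source=no usable signature'

# codesign output on stdin -> "yes" if the CodeDirectory flags include "runtime"
# (hardened runtime, which notarization requires), else "no".
hardened_runtime_enabled() {
    if grep -q '^CodeDirectory .*flags=0x[0-9a-fA-F]*([^)]*runtime'; then echo yes; else echo no; fi
}

# codesign output on stdin -> "yes" if the signature is ad-hoc (no identity behind it).
is_adhoc_signature() {
    if grep -q '^CodeDirectory .*flags=0x[0-9a-fA-F]*([^)]*adhoc'; then echo yes; else echo no; fi
}

# codesign output on stdin -> the TeamIdentifier value, or "not set".
signing_team() {
    team=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -n "$team" ]; then echo "$team"; else echo "not set"; fi
}

# spctl output on stdin -> "<accepted|rejected>:<source>", e.g. "accepted:Notarized Developer ID".
gatekeeper_verdict() {
    awk 'NR == 1 { verdict = $NF }
         /^source=/ { sub(/^source=/, ""); src = $0 }
         END { print verdict ":" src }'
}

# $1 = codesign output, $2 = spctl output -> one summary line. "verdict=flag"
# means the binary is not something a Developer ID/notarization policy should trust.
summarize_binary() {
    team=$(printf '%s\n' "$1" | signing_team)
    hardened=$(printf '%s\n' "$1" | hardened_runtime_enabled)
    adhoc=$(printf '%s\n' "$1" | is_adhoc_signature)
    gk=$(printf '%s\n' "$2" | gatekeeper_verdict)
    verdict=ok
    case "$gk" in
        accepted:Notarized*|"accepted:Mac App Store") ;;   # notarized, or App Store-reviewed
        *) verdict=flag ;;
    esac
    if [ "$hardened" != yes ] || [ "$adhoc" != no ]; then verdict=flag; fi
    echo "team=$team hardened=$hardened adhoc=$adhoc gatekeeper=$gk verdict=$verdict"
}

# Run the real tools against a path; only works on macOS, where codesign and spctl exist.
# The `|| true` keeps an unsigned binary (codesign exits non-zero) in the summary.
verify_binary() {
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not found; run this on macOS" >&2
        return 2
    fi
    cs=$(codesign -dvv "$1" 2>&1) || true
    sp=$(spctl --assess --type execute -vv "$1" 2>&1) || true
    summarize_binary "$cs" "$sp"
}

# Usage: sh check_signing.sh /Applications/SomeApp.app
# With no argument, the constructed samples are summarized instead.
if [ $# -gt 0 ]; then
    verify_binary "$1"
else
    summarize_binary "$SAMPLE_CODESIGN_OK" "$SAMPLE_SPCTL_NOTARIZED"
    summarize_binary "$SAMPLE_CODESIGN_ADHOC" "$SAMPLE_SPCTL_REJECTED"
fi
```

The `source=` line from spctl is the useful signal: "Notarized Developer ID" means Apple's notary service issued a ticket for this exact code, whereas a plain "Developer ID" source means a valid signature without a ticket. For app bundles, disk images and installer packages, `xcrun stapler validate <path>` additionally checks that the ticket is stapled to the artifact so the check works offline.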
Keychain Services - Keychain is an encrypted database that allows users to store sensitive information such as passwords, encryption keys, certificates, notes, credit card information, etc. Developers can leverage Keychain Services in their apps via the Keychain API. Devices running iOS have access to only one keychain, whereas devices running macOS can work with multiple keychains.
FileVault - FileVault is an encrypted storage service provided by macOS. It can work on top of an encrypted disk to provide an extra layer of security. FileVault ensures that files on the system can only be accessed after entering the login password. To enable this, other features, such as requiring a login password, are also enabled when FileVault is turned on. This poses a bit of a problem for a user whose account does not have FileVault enabled on a Mac where FileVault is turned on for other users. If a user's account does not have FileVault turned on, another user whose account does have FileVault turned on must start up the Mac, log in, then log out (but not restart). Only then can the user whose account does not have FileVault enabled log in.
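The login problem described above has a concrete cause: only accounts that FileVault has been enabled for can unlock the disk at startup. The script below is an added example (not code from the original post) that audits a Mac for this condition using the output of Apple's fdesetup(8) and dscl(1): it reports whether FileVault is on and lists the interactive accounts that cannot unlock the disk. The sample tool outputs are constructed to mirror the real format, the usernames and UUIDs are placeholders, and the assumption that interactive accounts have UIDs of 500 and above (the macOS convention) is mine.

```sh
#!/bin/sh
# Added example (not from the original post): audit which local accounts can
# unlock a FileVault-protected disk, using the output of Apple's fdesetup(8)
# and dscl(1). Accounts missing from `fdesetup list` are exactly the ones that
# hit the problem described in the post: they cannot log in until a
# FileVault-enabled user has started the Mac and unlocked the disk. The samples
# below are CONSTRUCTED to mirror the real tools' output; names and UUIDs are
# placeholders.

# Constructed sample of `fdesetup status`.
SAMPLE_FDESETUP_STATUS='FileVault is On.'

# Constructed sample of `sudo fdesetup list` (one "username,UUID" line per enabled user).
SAMPLE_FDESETUP_LIST='alice,11111111-1111-1111-1111-111111111111
charlie,33333333-3333-3333-3333-333333333333'

# Constructed sample of `dscl . -list /Users UniqueID` (username and UID per line).
SAMPLE_DSCL_USERS='_spotlight   89
alice        501
bob          502
charlie      503
root         0'

# fdesetup status output on stdin -> "on", "off" or "unknown".
filevault_state() {
    case "$(head -n 1)" in
        'FileVault is On.')  echo on ;;
        'FileVault is Off.') echo off ;;
        *)                   echo unknown ;;
    esac
}

# dscl output on stdin -> usernames of interactive accounts. Assumption: macOS
# gives human accounts UIDs of 500 and above; lower UIDs are system accounts.
human_accounts() {
    awk '$2 >= 500 { print $1 }'
}

# fdesetup list output on stdin -> usernames that can unlock the disk.
fv_enabled_users() {
    cut -d, -f1
}

# $1 = dscl output, $2 = fdesetup list output -> interactive accounts that are
# NOT FileVault-enabled, one per line (empty output means every account is enabled).
accounts_without_filevault() {
    enabled=$(printf '%s\n' "$2" | fv_enabled_users | tr '\n' ' ')
    printf '%s\n' "$1" | human_accounts |
        awk -v list=" $enabled " 'index(list, " " $1 " ") == 0'
}

# Run the real tools; only meaningful on macOS, and `fdesetup list` needs root.
audit_filevault() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found; run this on macOS as root" >&2
        return 2
    fi
    state=$(fdesetup status | filevault_state)
    echo "filevault=$state"
    if [ "$state" = on ]; then
        echo "accounts that cannot unlock the disk:"
        accounts_without_filevault "$(dscl . -list /Users UniqueID)" "$(fdesetup list)"
    fi
}

# Usage: sudo sh filevault_audit.sh
# Where the macOS tools are absent, the constructed samples are audited instead.
if command -v fdesetup >/dev/null 2>&1; then
    audit_filevault
else
    echo "filevault=$(printf '%s\n' "$SAMPLE_FDESETUP_STATUS" | filevault_state)"
    echo "accounts that cannot unlock the disk:"
    accounts_without_filevault "$SAMPLE_DSCL_USERS" "$SAMPLE_FDESETUP_LIST"
fi
```

On the sample data the audit reports `bob`, the one interactive account that is not in the `fdesetup list` output and would therefore be stuck at the FileVault login screen until `alice` or `charlie` unlocks the disk. The fix for such an account is for an administrator to enable it with `sudo fdesetup add -usertoadd <username>`, which prompts for an already-enabled user's password and the password of the account being added.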
Red Team Notes
- Code Signing Services - Apple’s code signing requires developers to sign their software with their code-signing certificate to distribute it securely.
- Notarization - Apple's notarization process links software to its developer, scans for threats, and assigns a unique identifier, enhancing the security of software distributed outside the Mac App Store.
- Keychain Services - Keychain is an encrypted database for storing sensitive user data. It is accessible to developers through the Keychain API.
- FileVault - FileVault provides encrypted storage on macOS.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.