macOS security fundamentals for red team professionals - Part 5
Learn about Kernel Extensions, System Extensions, Secure Enclave, Data Vault and how they work.
I recently ventured into macOS security and how to get past it for red team tradecraft. This series of posts contains an overview of components that make up macOS security architecture:
macOS security fundamentals for red team professionals - Part 1
macOS security fundamentals for red team professionals - Part 2
macOS security fundamentals for red team professionals - Part 3
macOS security fundamentals for red team professionals - Part 4
Kernel Extensions - Kernel Extensions (KEXTs) are loadable modules that extend the functionality of the macOS kernel (XNU). They let developers add low-level features, such as hardware drivers or file system support, that have to run inside the kernel. Apple's own KEXTs live in /System/Library/Extensions and third-party ones are installed under /Library/Extensions. Historically they were loaded with kextload, unloaded with kextunload and listed with kextstat; since macOS 11 Big Sur those commands print a deprecation warning and hand off to kmutil (kmutil load, kmutil unload, kmutil showloaded), which manages the kernel collections that third-party KEXTs are now linked into.

Kext code signing was introduced in OS X 10.9 Mavericks and became mandatory in 10.10 Yosemite: a KEXT must be signed with a Developer ID certificate that Apple has specifically enabled for kernel extension signing. From 10.11 El Capitan, System Integrity Protection (SIP) enforces that requirement, so unsigned KEXTs load only when SIP is disabled. macOS 10.13 High Sierra added user-approved kernel extension loading: the first attempt to load a third-party KEXT is blocked until a local user approves it in Security & Privacy, unless an MDM kernel extension policy profile (or spctl kext-consent run from Recovery) has pre-approved the developer's Team ID. Apple deprecated KEXTs in macOS 10.15 Catalina in favour of System Extensions, and from macOS 11 Big Sur it stopped loading third-party KEXTs built on the kernel programming interfaces that System Extensions replace (network kernel extensions, kauth-based security monitoring and the device-driver families covered by DriverKit). Big Sur did not remove KEXT support altogether, though: other third-party KEXTs still load on current macOS, but on Apple silicon only after the user lowers the boot policy to Reduced Security in Recovery and explicitly allows them. For tradecraft the practical questions are therefore whether SIP and user consent are enforced (csrutil status, spctl kext-consent status) and which third-party KEXTs are actually loaded, rather than whether you can bring your own.

System Extensions - Introduced in macOS 10.15 Catalina, System Extensions replace KEXTs for the common third-party use cases and run in user space, so a crash takes down the extension rather than the kernel, and the kernel exposes only narrow interfaces to them. macOS provides three types: Driver Extensions (DriverKit), Network Extensions (content filters, DNS proxies, packet tunnels and similar) and Endpoint Security Extensions, which subscribe to authorization and notification events for process execution, file access and other activity and are what macOS EDR agents are built on. A System Extension ships inside its host app's bundle (Contents/Library/SystemExtensions) and is staged to /Library/SystemExtensions on activation; the app must be signed with a Developer ID and notarized, and it needs the matching entitlement (for Endpoint Security, com.apple.developer.endpoint-security.client, which Apple grants only on request). The first activation must be approved by a user in System Preferences (or System Settings) unless an MDM profile pre-approves the developer's Team ID, and administrators can inspect and manage them with systemextensionsctl: systemextensionsctl list shows what is installed and whether each extension is active, while systemextensionsctl developer on (to run unnotarized builds) and systemextensionsctl reset require SIP to be disabled.
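As an added example (my code, not code from the original post), here is the host triage a red teamer would run against what this section describes: it filters non-Apple KEXTs out of kextstat / kmutil showloaded output and lists the System Extensions that are both enabled and active, grouped by category, so an Endpoint Security extension stands out. The column layouts, the com.example bundle IDs and the Team ID ABCDE12345 in the embedded sample output are my assumptions and constructed data, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: find out which third-party
# kernel extensions and System Extensions are present on a macOS host.
# Assumptions (mine): the column layouts of `kextstat` / `kmutil showloaded`
# and `systemextensionsctl list` as seen on macOS 10.15 through 14. The
# sample output below is constructed; bundle IDs and Team ID are hypothetical.

# kextstat / kmutil showloaded columns:
#   Index Refs Address Size Wired Name (Version) UUID <Linked Against>
# Data rows start with a numeric index; Apple's own kexts are com.apple.*.
third_party_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ { print $6, $7 }'
}

# systemextensionsctl list groups entries under "--- <category>" headers and
# then prints tab-separated rows:
#   enabled  active  teamID  "bundleID (version)"  name  [state]
# A "*" marks enabled/active. An extension still waiting for the user's
# approval has no "*" in the active column, so it is not yet in force.
active_system_extensions() {
    awk -F '\t' '
        /^--- / { cat = $1; sub(/^--- com\.apple\.system_extension\./, "", cat); next }
        NF >= 6 && $1 == "*" && $2 == "*" {
            split($4, id, " ")          # "bundleID (version)" -> bundleID
            print cat, id[1], $3, $6
        }'
}

# Constructed sample output (hypothetical kexts and extensions).
sample_kextstat() {
    printf '%s\n' 'Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>'
    printf '%s\n' '    1  150 0xffffff8000b00000 0x3000     0x3000     com.apple.kpi.bsd (23.4.0) 12345678-1234-1234-1234-123456789ABC'
    printf '%s\n' '  180    0 0xffffff7f9a1c0000 0x12000    0x12000    com.example.virtualdriver (2.1.0) 11111111-2222-3333-4444-555555555555 <8 6 5 3 1>'
}
sample_systemextensionsctl() {
    printf '%s\n' '2 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tABCDE12345\tcom.example.edr.esext (1.0/1)\tExample EDR Sensor\t[activated enabled]\n'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t\tABCDE12345\tcom.example.edr.netext (1.0/1)\tExample EDR Filter\t[activated waiting for user]\n'
}

# Live run on a real Mac; skipped elsewhere so the script stays runnable.
if [ "$(uname)" = Darwin ]; then
    echo "SIP: $(csrutil status)"
    echo "kext user consent: $(spctl kext-consent status 2>&1)"
    echo "-- third-party kexts --"
    kextstat 2>/dev/null | third_party_kexts
    echo "-- enabled and active system extensions --"
    systemextensionsctl list | active_system_extensions
else
    echo "-- sample data --"
    sample_kextstat | third_party_kexts
    sample_systemextensionsctl | active_system_extensions
fi
```

On the target this prints the live report; anywhere else only the embedded samples are exercised. An entry under endpoint_security with [activated enabled] means an EDR sensor is already receiving process and file events; an entry whose active column is empty has been installed but not yet approved by a user, so it is not filtering anything yet.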
Secure Enclave - The Secure Enclave is a dedicated security coprocessor with its own boot ROM, memory and operating system (sepOS, built on a modified L4 microkernel). On the Mac it arrived with the T1 chip in the 2016 MacBook Pro with Touch Bar, then the T2 chip, and on Apple silicon it is part of the SoC. It backs Touch ID, Apple Pay, FileVault and the hardware-bound parts of the Keychain: biometric templates and the keys that wrap volume and Keychain keys never leave it, and the application processor talks to it only over a mailbox interface, so even a compromised macOS kernel does not get direct access to that data. Each Secure Enclave has a unique device key (UID) fused in at manufacture; keys derived from it can be entangled with the user's password, which is why FileVault and Keychain secrets cannot be brute-forced offline on another machine, and apps can create private keys (through the Security framework with kSecAttrTokenIDSecureEnclave) that can be used but never exported. For a red teamer the consequence is that a privileged foothold still does not yield raw key material; what you can obtain is the use of those keys from a context the user has already authorised.
Data Vault - Data Vaults, introduced in macOS 10.14 Mojave, are not an encryption feature but a kernel-enforced access control. A Data Vault is a directory that the kernel (through the same sandbox policy that backs SIP) fences off from every process that does not hold a matching private entitlement, such as com.apple.rootless.storage.<name>; POSIX ownership and root privileges are irrelevant, so even sudo ls on one returns "Operation not permitted" (EPERM). macOS uses them for the user data that TCC guards, for example ~/Library/Mail, ~/Library/Messages, ~/Library/Safari and ~/Library/Cookies, and for the TCC database itself under /Library/Application Support/com.apple.TCC and its per-user copy in ~/Library/Application Support/com.apple.TCC. An unentitled process gets through only when TCC has granted it the relevant permission, most broadly Full Disk Access (kTCCServiceSystemPolicyAllFiles). Encryption at rest is a separate layer: FileVault encrypts the whole volume and the Secure Enclave protects Keychain keys, but a file in a Data Vault is protected by the access check, not by a per-file key. The caveat is that a Data Vault only narrows who may open the directory: any process that already has Full Disk Access (a terminal the user granted it to, a backup tool, a compromised helper with the entitlement) reads everything inside, and losing the user password or FileVault recovery key is a FileVault problem, not a Data Vault one.
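An added example (again my code, not the post's) that turns the Data Vault behaviour into a quick check of the calling context: it tries to list a directory and classifies the failure, separating the EPERM a Data Vault returns from the EACCES of ordinary POSIX permissions. The classification rule and the path list are my assumptions based on the directories named above; on a Mac, vault-blocked on ~/Library/Mail or the TCC directory means the current process has no Full Disk Access, and running it again under sudo gives the same answer.

```shell
#!/bin/sh
# Added example, not from the original post: probe Data Vault paths to learn
# whether the current process context (this shell, the app that spawned it)
# holds Full Disk Access.
# Assumption (mine): a Data Vault refuses an unentitled caller with EPERM
# ("Operation not permitted"), while plain mode bits give EACCES
# ("Permission denied"), so the error text tells the two layers apart.

# Classify the stderr text that `ls` produced for one path.
classify_ls_error() {
    case "$1" in
        "")                            echo readable ;;
        *"Operation not permitted"*)   echo vault-blocked ;;  # EPERM: Data Vault/TCC, root does not help
        *"Permission denied"*)         echo posix-denied ;;   # EACCES: ordinary permissions, sudo would help
        *"No such file or directory"*) echo missing ;;
        *)                             echo "error: $1" ;;
    esac
}

# Try to list a directory (stdout discarded, stderr captured) and classify.
classify_path() {
    err=$(ls "$1" 2>&1 >/dev/null) || true
    classify_ls_error "$err"
}

# True when the per-user TCC database directory is listable, which an
# unentitled process can only do with Full Disk Access.
has_full_disk_access() {
    [ "$(classify_path "$HOME/Library/Application Support/com.apple.TCC")" = readable ]
}

# Known Data Vault locations (the ones named above); probe them on a real Mac.
if [ "$(uname)" = Darwin ]; then
    for p in "$HOME/Library/Mail" "$HOME/Library/Messages" "$HOME/Library/Safari" \
             "$HOME/Library/Cookies" \
             "$HOME/Library/Application Support/com.apple.TCC" \
             "/Library/Application Support/com.apple.TCC"; do
        printf '%-14s %s\n' "$(classify_path "$p")" "$p"
    done
    if has_full_disk_access; then
        echo "this context has Full Disk Access"
    else
        echo "no Full Disk Access; Data Vault contents are out of reach from here"
    fi
fi
```

A result of readable on the TCC directory tells you the user (or an admin via MDM) has already granted this process's parent, typically Terminal, Full Disk Access, which is worth knowing before you spend time on a TCC bypass. posix-denied is the ordinary case that privilege escalation solves; vault-blocked is the one it does not.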
Red Team Notes
- Kernel Extensions (KEXTs) - These are dynamically loadable modules that help in extending macOS kernel functionality.
- System Extensions - Replaces KEXTs from macOS 10.15 onwards, runs in user space for better security and stability.
- Secure Enclave - A co-processor in T1, T2, and Apple Silicon chips that keeps sensitive data safe, manages encryption keys, and enables features like Touch ID and FileVault.
- Data Vault - Kernel-enforced, entitlement-gated directories (since Mojave) that even root cannot read without the matching entitlement or a TCC grant such as Full Disk Access; an access control, not an encryption layer, and distinct from FileVault.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.