{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cleanmymac/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS","CleanMyMac","Malwarebytes","Airo AV","FileMonitor.app","Ransomwhere?","BlockBlock"],"_cs_severities":["medium"],"_cs_tags":["file-monitoring","endpoint-security","macos"],"_cs_type":"advisory","_cs_vendors":["Apple","Objective-See"],"content_html":"\u003cp\u003eThis brief examines the creation of a file monitor on macOS 10.15 (Catalina) using Apple\u0026rsquo;s Endpoint Security Framework, as detailed by Objective-See. This framework offers a user-mode interface to a new Endpoint Security Subsystem, providing a simplified API and comprehensive process information. The file monitor can capture file I/O events, file paths, and process details like process ID, path, and code-signing information. Objective-See highlights the limitations of older file monitoring methods like \u003ccode\u003e/dev/fsevents\u003c/code\u003e and OpenBSM, which lack detailed process information or face deprecation. This new framework aims to address these limitations, enabling more robust user-mode security tools. Tools like Ransomwhere? and BlockBlock use file monitoring for detecting ransomware and persistence events respectively, demonstrating its importance in macOS security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., through exploitation or social engineering).\u003c/li\u003e\n\u003cli\u003eAttacker executes a malicious binary or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process creates or modifies a file on the system.\u003c/li\u003e\n\u003cli\u003eThe Endpoint Security Framework captures the file I/O event.\u003c/li\u003e\n\u003cli\u003eThe file monitor, leveraging the Endpoint Security Framework, receives a notification about the event.\u003c/li\u003e\n\u003cli\u003eThe file monitor extracts information about the event, including the process ID, path, code-signing information, and the type of file event (e.g., create, write).\u003c/li\u003e\n\u003cli\u003eBased on the extracted information, the file monitor determines if the event is malicious (e.g., rapid creation of encrypted files, persistence attempt).\u003c/li\u003e\n\u003cli\u003eThe file monitor alerts the user or security system about the malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various detrimental outcomes, including data encryption by ransomware, persistent malware installation, and unauthorized access to sensitive information. File monitors, such as the one described, aim to detect and prevent such attacks. Without proper file monitoring, malicious activities can go unnoticed, leading to significant data loss, system compromise, and financial damage. The Endpoint Security Framework intends to address the limitations of previous monitoring solutions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Endpoint Security Framework event collection to monitor file creation events using the \u003ccode\u003eES_EVENT_TYPE_NOTIFY_CREATE\u003c/code\u003e event type described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting file creation by unsigned processes to identify potentially malicious activity (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for processes with missing or invalid code-signing information, as these may be indicators of malicious activity, using the Endpoint Security Framework\u0026rsquo;s process information detailed in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:41:00Z","date_published":"2024-01-02T18:41:00Z","id":"/briefs/2024-01-macos-file-monitor/","summary":"Objective-See details how to create a file monitor for macOS 10.15 using Apple's Endpoint Security Framework to capture file I/O events and process information.","title":"macOS File Monitoring via Endpoint Security Framework","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-file-monitor/"}],"language":"en","title":"CraftedSignal Threat Feed — CleanMyMac","version":"https://jsonfeed.org/version/1.1"}