{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kernel-extension/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BlockBlock"],"_cs_severities":["medium"],"_cs_tags":["kernel-extension","kev_msg_post","macos","process-monitoring"],"_cs_type":"advisory","_cs_vendors":["Apple","Objective-See"],"content_html":"\u003cp\u003eThis threat brief describes how the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function in the macOS kernel can be used to broadcast process creation notifications from a kernel extension (kext) to a user-mode application. The technique, documented in Objective-See\u0026rsquo;s research, lets a kext deliver process information to userland over a channel that the standard process-monitoring APIs, and the tools built on them, never see. \u003ccode\u003ekev_msg_post\u003c/code\u003e belongs to the Kernel Events API: it is declared in \u003ccode\u003esys/kern_event.h\u003c/code\u003e and exists for kernel-to-userland notification, but it is not covered by Apple\u0026rsquo;s public documentation, so most monitoring tooling does not account for it.\u003c/p\u003e\n\u003cp\u003eThe kext fills in a \u003ccode\u003ekev_msg\u003c/code\u003e structure and calls \u003ccode\u003ekev_msg_post\u003c/code\u003e; the kernel frames the result as a \u003ccode\u003ekern_event_msg\u003c/code\u003e and queues it on every kernel event socket (\u003ccode\u003ePF_SYSTEM\u003c/code\u003e, \u003ccode\u003eSYSPROTO_EVENT\u003c/code\u003e) whose vendor/class/subclass filter matches. Objective-See\u0026rsquo;s BlockBlock tool uses this channel legitimately, to correlate persistent file I/O events with the process responsible for them. A malicious kext can use the same channel to push kernel-level data (PIDs, UIDs and executable paths of every newly created process) to a user-mode component, or to signal that component to act, without either side making the userland API calls that conventional monitoring tools hook. 
This matters to defenders because a kext that already runs in the kernel can use the channel to feed a stealthy user-mode component, supporting undetected data theft, persistence, or further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious kext is loaded into the macOS kernel. This already requires root plus user approval of the kext (and a reduced security policy on Apple silicon), or a kernel vulnerability; the channel below is a post-compromise capability, not the initial foothold.\u003c/li\u003e\n\u003cli\u003eThe kext calls \u003ccode\u003ekev_vendor_code_find\u003c/code\u003e with a vendor string of its choosing (e.g., \u0026ldquo;com.objective-see\u0026rdquo;) and receives the numeric vendor code that user-mode subscribers will filter on.\u003c/li\u003e\n\u003cli\u003eThe kext registers for process execution events, for example with a kauth listener on \u003ccode\u003eKAUTH_SCOPE_FILEOP\u003c/code\u003e or a MAC policy.\u003c/li\u003e\n\u003cli\u003eWhen a new process executes, the kext\u0026rsquo;s callback is invoked.\u003c/li\u003e\n\u003cli\u003eThe callback fills a \u003ccode\u003ekev_msg\u003c/code\u003e structure with the vendor code, a class and subclass, an event code, and a data vector holding the process information: process ID (PID), user ID (UID), parent process ID (PPID), and path to the executable.\u003c/li\u003e\n\u003cli\u003eThe kext calls the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function; the kernel copies the header and the data vectors into a \u003ccode\u003ekern_event_msg\u003c/code\u003e and queues it on every kernel event socket whose filter matches.\u003c/li\u003e\n\u003cli\u003eA user-mode application that opened a \u003ccode\u003ePF_SYSTEM\u003c/code\u003e/\u003ccode\u003eSYSPROTO_EVENT\u003c/code\u003e socket, resolved the same vendor string with \u003ccode\u003eSIOCGKEVVENDOR\u003c/code\u003e and installed a filter with \u003ccode\u003eSIOCSKEVFILT\u003c/code\u003e receives the message and extracts the process information.\u003c/li\u003e\n\u003cli\u003eThe user-mode component acts on the information, for example by injecting code into the new process, monitoring its activity, or terminating it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA kext using this channel can hand a user-mode component a complete and timely view of process creation on the host, and that component can then monitor and manipulate processes, without either side calling the userland APIs that standard monitoring tools watch. This can support data exfiltration, privilege escalation, or other malicious activity. 
A kext that has been loaded already runs with full kernel privileges, so the system is compromised at that point regardless of this technique; what \u003ccode\u003ekev_msg_post\u003c/code\u003e adds is a low-visibility link between that kext and a user-mode implant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted kernel extensions with tooling that records kext load events (for example \u003ccode\u003ekextstat\u003c/code\u003e or \u003ccode\u003ekmutil showloaded\u003c/code\u003e output compared against a known-good baseline, or kext-load telemetry from an EDR). Third-party kexts are deprecated in favour of system extensions and require explicit user approval on current macOS, so any unexpected kext load is a strong signal on its own.\u003c/li\u003e\n\u003cli\u003eDetect user-mode applications creating kernel event sockets: a \u003ccode\u003esocket(PF_SYSTEM, SOCK_RAW, SYSPROTO_EVENT)\u003c/code\u003e call from a process that is not a known system or networking component is unusual. OpenBSM audit records the \u003ccode\u003esocket\u003c/code\u003e system call with its domain, type and protocol arguments, but Apple has deprecated the BSM audit subsystem since macOS 11, so prefer EDR telemetry where it is available.\u003c/li\u003e\n\u003cli\u003eScan kext binaries on disk (including staged kexts and kext collections) for an undefined symbol reference to \u003ccode\u003e_kev_msg_post\u003c/code\u003e, for example with a YARA rule or \u003ccode\u003enm -u\u003c/code\u003e, to find extensions that post kernel events. Legitimate kexts use the API too, so treat a hit as a lead for review rather than a verdict.\u003c/li\u003e\n\u003cli\u003eAudit \u003ccode\u003eioctl\u003c/code\u003e calls with \u003ccode\u003eSIOCGKEVVENDOR\u003c/code\u003e and \u003ccode\u003eSIOCSKEVFILT\u003c/code\u003e on kernel event sockets; they indicate a user-mode process resolving a vendor string and filtering for a specific kext\u0026rsquo;s events, and the vendor string passed to \u003ccode\u003eSIOCGKEVVENDOR\u003c/code\u003e names the kext the process expects to hear from.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kev-msg-post-process-creation/","summary":"The kev_msg_post function can be abused by malware to broadcast process creation notifications from a kernel extension (kext) to a user-mode application, potentially bypassing security tools that rely on standard APIs and leading to undetected malicious activity.","title":"macOS Kernel-to-Userland Process Creation Notification via undocumented kev_msg_post","url":"https://feed.craftedsignal.io/briefs/2024-01-kev-msg-post-process-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Kernel-Extension","version":"https://jsonfeed.org/version/1.1"}
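The kernel-to-userland exchange that the brief's attack chain describes, together with the validation a user-mode receiver should apply before trusting a message, as an added C example. This is not code from the brief, from Objective-See or from BlockBlock. On macOS the user-mode subscriber compiles against the real sys/kern_event.h (socket, SIOCGKEVVENDOR, SIOCSKEVFILT), and the kext-side kauth listener builds only inside a kext (under KERNEL); on other platforms the kern_event_msg wire layout is mirrored from XNU's header so the framing and parsing can still be exercised on a constructed message. The vendor string com.example.procmon, the class/subclass/event-code numbers, the proc_event_t payload layout and the sample values (PID 4242, vendor code 77, /usr/bin/curl) are assumptions for illustration, not values the brief gives.

```c
/* Added example (not from the brief, Objective-See or BlockBlock). The vendor string,
 * class/subclass/event code and the proc_event_t payload layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#if defined(KERNEL)                       /* kext build */
#include <sys/kern_event.h>
#include <sys/kauth.h>
#include <sys/proc.h>
#elif defined(__APPLE__)                  /* macOS user space */
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/kern_event.h>
#include <unistd.h>
#else                                     /* elsewhere: mirror XNU's wire struct so parsing still runs */
struct kern_event_msg { uint32_t total_size, vendor_code, kev_class, kev_subclass, id, event_code;
                        uint32_t event_data[1]; };  /* data vectors follow the header back to back */
#endif
#define PROC_KEV_HDR       offsetof(struct kern_event_msg, event_data)
#define PROC_VENDOR_STRING "com.example.procmon"   /* assumed */
#define PROC_KEV_CLASS     1                       /* assumed class, subclass, event code */
#define PROC_KEV_SUBCLASS  1
#define PROC_KEV_EXEC      1
#define PROC_PATH_MAX      1024
typedef struct { uint32_t pid, ppid, uid; char path[PROC_PATH_MAX]; } proc_event_t;

/* Frame one event the way kev_msg_post does: header, then the data vector(s).
 * Used here to construct a message for the receiver-side parser. */
size_t build_proc_event(uint8_t *buf, size_t cap, uint32_t vendor, const proc_event_t *ev)
{
    struct kern_event_msg hdr = { .total_size = (uint32_t)(PROC_KEV_HDR + sizeof *ev),
        .vendor_code = vendor, .kev_class = PROC_KEV_CLASS,
        .kev_subclass = PROC_KEV_SUBCLASS, .id = 0, .event_code = PROC_KEV_EXEC };
    if (cap < hdr.total_size) return 0;
    memcpy(buf, &hdr, PROC_KEV_HDR);
    memcpy(buf + PROC_KEV_HDR, ev, sizeof *ev);
    return hdr.total_size;
}

/* Receiver: check every header field before trusting the payload (the socket filter
 * narrows what arrives, but a hostile kext can post anything). 0 = ok, -1 = reject. */
int parse_proc_event(const uint8_t *buf, size_t len, uint32_t vendor, proc_event_t *out)
{
    struct kern_event_msg hdr;
    if (len < PROC_KEV_HDR) return -1;
    memcpy(&hdr, buf, PROC_KEV_HDR);              /* header only; buf may be unaligned */
    if (hdr.total_size < PROC_KEV_HDR || hdr.total_size > len) return -1;
    if (hdr.vendor_code != vendor || hdr.kev_class != PROC_KEV_CLASS ||
        hdr.kev_subclass != PROC_KEV_SUBCLASS || hdr.event_code != PROC_KEV_EXEC) return -1;
    if (hdr.total_size - PROC_KEV_HDR != sizeof *out) return -1;
    memcpy(out, buf + PROC_KEV_HDR, sizeof *out);
    out->path[PROC_PATH_MAX - 1] = '\0';          /* never rely on the kext to terminate it */
    return 0;
}

#if defined(__APPLE__) && !defined(KERNEL)
/* User-mode subscriber: open a kernel event socket, resolve the vendor string (SIOCGKEVVENDOR fails
 * until a kext has registered it), filter on it (SIOCSKEVFILT); then recv() + parse_proc_event. */
int open_proc_event_socket(uint32_t *vendor_out)
{
    struct kev_vendor_code vc = { 0 };
    int fd = socket(PF_SYSTEM, SOCK_RAW, SYSPROTO_EVENT);
    if (fd < 0) return -1;
    strlcpy(vc.vendor_string, PROC_VENDOR_STRING, sizeof vc.vendor_string);
    if (ioctl(fd, SIOCGKEVVENDOR, &vc) < 0) { close(fd); return -1; }
    struct kev_request req = { vc.vendor_code, PROC_KEV_CLASS, PROC_KEV_SUBCLASS };
    if (ioctl(fd, SIOCSKEVFILT, &req) < 0) { close(fd); return -1; }
    *vendor_out = vc.vendor_code;
    return fd;
}
#endif

#ifdef KERNEL
/* Kext side: kauth listener, registered with kauth_listen_scope(KAUTH_SCOPE_FILEOP, exec_listener,
 * NULL); g_vendor is set once at start by kev_vendor_code_find(PROC_VENDOR_STRING, &g_vendor). */
static uint32_t g_vendor;
static int exec_listener(kauth_cred_t cred, void *idata, kauth_action_t action,
                         uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
{
    (void)idata; (void)arg0; (void)arg2; (void)arg3;
    if (action != KAUTH_FILEOP_EXEC) return KAUTH_RESULT_DEFER;
    proc_event_t ev = { proc_selfpid(), proc_selfppid(), kauth_cred_getuid(cred), "" };
    strlcpy(ev.path, (const char *)arg1, sizeof ev.path);   /* arg1: path being executed */
    struct kev_msg msg = { .vendor_code = g_vendor, .kev_class = PROC_KEV_CLASS,
                           .kev_subclass = PROC_KEV_SUBCLASS, .event_code = PROC_KEV_EXEC };
    msg.dv[0].data_length = sizeof ev; msg.dv[0].data_ptr = &ev;  /* dv[1].data_length == 0 ends it */
    kev_msg_post(&msg);
    return KAUTH_RESULT_DEFER;
}
#endif

/* Self-check on a constructed message: round trip, then two rejections. Returns 1 if all hold. */
int proc_event_roundtrip_ok(void)
{
    uint8_t buf[PROC_KEV_HDR + sizeof(proc_event_t)];
    proc_event_t in = { 4242, 1, 501, "/usr/bin/curl" }, out;
    size_t n = build_proc_event(buf, sizeof buf, 77, &in);
    if (n == 0 || parse_proc_event(buf, n, 77, &out) != 0) return 0;
    if (out.pid != 4242 || out.ppid != 1 || out.uid != 501 || strcmp(out.path, "/usr/bin/curl")) return 0;
    return parse_proc_event(buf, n, 78, &out) == -1 && parse_proc_event(buf, n - 1, 77, &out) == -1;
}
```

The detection angle follows from the two user-mode calls: a process that issues SIOCGKEVVENDOR names, in the vendor string, the kext it expects to hear from, and SIOCSKEVFILT fixes the class/subclass it will accept, so those two ioctls on a PF_SYSTEM socket are the audit points the brief's recommendations refer to. The parser rejects messages whose vendor code differs and messages shorter than their own total_size, which is the minimum a receiver needs before it copies a path out of a kernel-supplied buffer.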