{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-monitoring/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BlockBlock"],"_cs_severities":["medium"],"_cs_tags":["kernel-extension","kev_msg_post","macos","process-monitoring"],"_cs_type":"advisory","_cs_vendors":["Apple","Objective-See"],"content_html":"\u003cp\u003eThis threat brief describes the abuse of the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function in macOS to broadcast process creation notifications from a kernel extension (kext) to a user-mode application. This technique, highlighted in Objective-See\u0026rsquo;s research, allows a kext to bypass standard userland APIs for process monitoring. The \u003ccode\u003ekev_msg_post\u003c/code\u003e function is part of the Kernel Events API. It\u0026rsquo;s designed for kernel-to-userland communication but lacks proper documentation, which makes it difficult to monitor.\u003c/p\u003e\n\u003cp\u003eThe communication involves a kext utilizing \u003ccode\u003ekev_msg_post\u003c/code\u003e to send data to a user-mode application through a system socket.  Objective-See\u0026rsquo;s BlockBlock tool uses this technique to correlate persistent file I/O events with the responsible process.  Abuse of \u003ccode\u003ekev_msg_post\u003c/code\u003e can allow malicious kexts to exfiltrate sensitive kernel-level information or trigger actions in user-mode without detection by conventional monitoring tools. 
This technique is relevant to defenders because it provides a stealthy mechanism for malware to operate within macOS, potentially leading to undetected data theft, privilege escalation, or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious kext is loaded into the macOS kernel, often requiring elevated privileges or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe kext uses the \u003ccode\u003ekev_vendor_code_find\u003c/code\u003e function to obtain a vendor ID associated with the kext (e.g., \u0026ldquo;com.objective-see\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe kext registers for process execution events using kauth or MAC policies.\u003c/li\u003e\n\u003cli\u003eWhen a new process is created, the kext\u0026rsquo;s callback function is triggered.\u003c/li\u003e\n\u003cli\u003eThe kext populates a \u003ccode\u003ekev_msg\u003c/code\u003e structure with process information, including the process ID (PID), user ID (UID), parent process ID (PPID), and path to the executable.\u003c/li\u003e\n\u003cli\u003eThe kext calls the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function to broadcast the process information to a system socket.\u003c/li\u003e\n\u003cli\u003eA user-mode application with a socket connected to the same vendor ID receives the broadcasted message, extracting the process information.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the process information for malicious purposes, such as injecting code into the new process, monitoring its activity, or terminating it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to monitor and manipulate processes on a compromised macOS system without detection by standard userland monitoring tools.  This could lead to data exfiltration, privilege escalation, or other malicious activities. 
Due to the nature of the kernel, even a single successful compromise can lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted kernel extensions using system integrity monitoring tools that track kext loading events.\u003c/li\u003e\n\u003cli\u003eImplement detections for user-mode applications creating system sockets with the \u003ccode\u003eSYSPROTO_EVENT\u003c/code\u003e protocol, as described in the \u0026ldquo;Receiving the Data in User-Mode\u0026rdquo; section. This can be done using an endpoint detection and response (EDR) solution or auditd.\u003c/li\u003e\n\u003cli\u003eDevelop YARA rules to scan kernel memory for the presence of kexts using the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function to detect malicious kexts attempting to communicate outside kernel space.\u003c/li\u003e\n\u003cli\u003eAudit the use of \u003ccode\u003eioctl\u003c/code\u003e calls with \u003ccode\u003eSIOCGKEVVENDOR\u003c/code\u003e and \u003ccode\u003eSIOCSKEVFILT\u003c/code\u003e to detect user-mode applications attempting to filter for specific kernel events, using the code samples from the \u0026ldquo;Receiving the Data in User-Mode\u0026rdquo; section as reference.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kev-msg-post-process-creation/","summary":"The kev_msg_post function can be abused by malware to broadcast process creation notifications from a kernel extension (kext) to a user-mode application, potentially bypassing security tools that rely on standard APIs and leading to undetected malicious activity.","title":"macOS Kernel-to-Userland Process Creation Notification via undocumented 
kev_msg_post","url":"https://feed.craftedsignal.io/briefs/2024-01-kev-msg-post-process-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["macos","endpoint-security","process-monitoring","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThis document explores the use of Apple\u0026rsquo;s Endpoint Security Framework, introduced in macOS 10.15 (Catalina), as a modern alternative to the OpenBSM subsystem for process monitoring. The Endpoint Security Framework provides a user-mode API that offers a simpler interface, comprehensive code-signing information, and proactive event response capabilities. This allows developers to create robust security tools for macOS without relying on kernel-level access, which Apple is actively deprecating. The framework requires the \u003ccode\u003ecom.apple.developer.endpoint-security.client\u003c/code\u003e entitlement and the use of Xcode 11 or later with the macOS 10.15 SDK or newer. 
This framework enables process monitoring with details such as process ID, path, arguments, and code-signing information, simplifying the development of security tools like Ransomwhere?, TaskExplorer, and BlockBlock.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis attack chain represents how a malicious actor can potentially bypass security measures by exploiting the capabilities of process monitoring frameworks:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A malicious program gains initial access to the macOS system through a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The program attempts to escalate privileges to gain broader access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Creation:\u003c/strong\u003e The attacker creates a new process (e.g., \u003ccode\u003e/tmp/evil.sh\u003c/code\u003e) to execute malicious code on the system using \u003ccode\u003ees_event_type_notify_exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e The malicious process injects code into another running process to hide its activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The injected code collects sensitive data and attempts to exfiltrate it from the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating a launch agent or daemon.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to evade detection by modifying system files or disabling security tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objectives, such as stealing sensitive data, disrupting system operations, or gaining control 
of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of process monitoring frameworks and the subsequent bypass of security measures can lead to various detrimental outcomes. This includes unauthorized access to sensitive data, system compromise, and the disruption of critical services. The number of affected systems can range from individual machines to entire networks, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Endpoint Security Framework logging to capture process execution events (\u003ccode\u003ees_event_type_notify_exec\u003c/code\u003e) for enhanced visibility.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected or unauthorized process creations, especially in sensitive directories like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/var/tmp\u003c/code\u003e, using a Sigma rule targeting \u003ccode\u003ees_event_type_notify_exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement code-signing verification to ensure that only trusted processes are allowed to execute, leveraging process code-signing information.\u003c/li\u003e\n\u003cli\u003eDevelop a detection rule to identify processes lacking proper code signatures or exhibiting suspicious signing characteristics.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED\u003c/code\u003e error to detect unauthorized attempts to leverage the Endpoint Security framework.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-macos-endpoint-security-framework/","summary":"This brief discusses the use of Apple's Endpoint Security Framework in macOS 10.15 and later for user-mode process monitoring, offering improved capabilities over the older OpenBSM subsystem.","title":"Leveraging Apple's Endpoint Security 
Framework for Process Monitoring","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-endpoint-security-framework/"}],"language":"en","title":"CraftedSignal Threat Feed — Process-Monitoring","version":"https://jsonfeed.org/version/1.1"}