The communication involves a kext utilizing kev_msg_post to send data to a user-mode application through a system socket. Objective-See’s BlockBlock tool uses this technique to correlate persistent file I/O events with the responsible process. Abuse of kev_msg_post can allow malicious kexts to exfiltrate sensitive kernel-level information or trigger actions in user-mode without detection by conventional monitoring tools. This technique is relevant to defenders because it provides a stealthy mechanism for malware to operate within macOS, potentially leading to undetected data theft, privilege escalation, or system compromise.

Attack Chain

1. A malicious kext is loaded into the macOS kernel, often requiring elevated privileges or exploiting a vulnerability.
2. The kext uses the kev_vendor_code_find function to obtain a vendor ID associated with the kext (e.g., “com.objective-see”).
3. The kext registers for process execution events using kauth or MAC policies.
4. When a new process is created, the kext’s callback function is triggered.
5. The kext populates a kev_msg structure with process information, including the process ID (PID), user ID (UID), parent process ID (PPID), and path to the executable.
6. The kext calls the undocumented kev_msg_post function to broadcast the process information to a system socket.
7. A user-mode application with a socket connected to the same vendor ID receives the broadcasted message, extracting the process information.
8. The attacker can use the process information for malicious purposes, such as injecting code into the new process, monitoring its activity, or terminating it.

Impact

Successful exploitation could allow attackers to monitor and manipulate processes on a compromised macOS system without detection by standard userland monitoring tools. This could lead to data exfiltration, privilege escalation, or other malicious activities. Due to the nature of the kernel, even a single successful compromise can lead to complete system compromise.

Recommendation

• Monitor for the loading of unsigned or untrusted kernel extensions using system integrity monitoring tools that track kext loading events.
• Implement detections for user-mode applications creating system sockets with the SYSPROTO_EVENT protocol, as described in the “Receiving the Data in User-Mode” section. This can be done using an endpoint detection and response (EDR) solution or auditd.
• Develop YARA rules to scan kernel memory for the presence of kexts using the undocumented kev_msg_post function to detect malicious kexts attempting to communicate outside kernel space.
• Audit the use of ioctl calls with SIOCGKEVVENDOR and SIOCSKEVFILT to detect user-mode applications attempting to filter for specific kernel events, using the code samples from the “Receiving the Data in User-Mode” section as reference.

Attack Chain

This attack chain represents how a malicious actor can potentially bypass security measures by exploiting the capabilities of process monitoring frameworks:

1. Initial Access: A malicious program gains initial access to the macOS system through a vulnerability or social engineering.
2. Privilege Escalation: The program attempts to escalate privileges to gain broader access to the system.
3. Process Creation: The attacker creates a new process (e.g., /tmp/evil.sh) to execute malicious code on the system using es_event_type_notify_exec.
4. Code Injection: The malicious process injects code into another running process to hide its activities.
5. Data Exfiltration: The injected code collects sensitive data and attempts to exfiltrate it from the system.
6. Persistence: The attacker establishes persistence by creating a launch agent or daemon.
7. Defense Evasion: The attacker attempts to evade detection by modifying system files or disabling security tools.
8. Impact: The attacker achieves their objectives, such as stealing sensitive data, disrupting system operations, or gaining control of the system.

Impact

The successful exploitation of process monitoring frameworks and the subsequent bypass of security measures can lead to various detrimental outcomes. This includes unauthorized access to sensitive data, system compromise, and the disruption of critical services. The number of affected systems can range from individual machines to entire networks, depending on the scope of the attack.

Recommendation

• Enable Endpoint Security Framework logging to capture process execution events (es_event_type_notify_exec) for enhanced visibility.
• Monitor for unexpected or unauthorized process creations, especially in sensitive directories like /tmp or /var/tmp, using a Sigma rule targeting es_event_type_notify_exec.
• Implement code-signing verification to ensure that only trusted processes are allowed to execute, leveraging process code signing information.
• Develop a detection rule to identify processes lacking proper code signatures or exhibiting suspicious signing characteristics.
• Monitor the ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED error to detect unauthorized attempts to leverage the Endpoint Security framework.