October 16th, 2024
Threat Hunting in macOS with the SecOps Cloud Platform
Daniel Ballmer
Despite being the second most popular OS in today’s business environment, macOS, is often neglected in cybersecurity discussions. This is often due to a lack of technological capabilities, as well as highly-publicized cyberattacks that often don't involve macOS systems. Most attacks are on external-facing systems and adversary techniques still favor the Windows operating system. Thus, it’s easy to see why macOS is excluded from the conversation. However, if you have macOS devices in your fleet, you cannot afford to exclude them from your security strategy.
With LimaCharlie's native support for macOS, including macOS in your monitoring capabilities is easy. Matt Bromiley, Lead Solutions Engineer at LimaCharlie, demonstrates ways to conduct effective MacOS threat hunting in his two-part webinar series, Threat Hunting for macOS. Here are a few key takeaways:
macOS threat hunting begins by searching for suspicious indicators in high-level basics like processes, network connection, DNS requests, and file system events.
We can use macOS' granular data points to identify key anomalies, such as responsible processes, to add more context to your hunts.
LimaCharlie's code identity events can be used to inspect binaries for signs of file signature anomalies. With LimaCharlie extensions like BinLib, this can be done at enterprise scale.
The Mac Unified Log (MUL) can be queried for highly detailed information about system activity. By filtering searches using predicates such as messages, subsystems, or processes you can uncover a wealth of information.
Finally, successful threat hunting queries should be adopted as detection rules. This allows you to automatically detect activity that is suspicious to your organization.
Coupling MUL events with system telemetry can take your macOS hunting, detection, and response capabilities to the next level. LimaCharlie's EDR agent allow you to collect data as well as triage, contain, and issue commands to the system. Operating at an n+1 scale, macOS response can be done at any scale.
Diving Deeper into the MUL
Security analysts familiar with Windows systems may be used to importing and analyzing Windows Event Logs with ease. macOS' Unified Log is extremely verbose, and requires careful queries to ensure you are extracting the correct data. It should not be imported in its entirety.
To query the MUL on your Mac, use the following commands:
log show --predicate
For example, to view Safari processes, write:
log show --predicate ‘process == “Safari”’
To specify the subsystem, write:
log show --predicate ‘subsystem == “com.apple.preference”’
As always, it is important to declare the correct process and subsystem to retrieve the desired information. A misstep here could result in a flood of unrelated results or nothing returned at all.
Ingesting the MUL into LimaCharlie is a fairly simple process outlined in our documentation. Once you have your MUL predicate(s) defined, the LimaCharlie EDR agent will begin to collect and stream MUL events. If everything is set correctly you will see MUL entries appear on your EDR timeline.
When threat hunting through macOS environments, consider the data you are collecting and the adversary technique or anomalous activity you are looking to detect. Some basic, but useful, examples of other MUL predicates you may find useful:
Keychain activity:
log show --predicate ‘subsystem == “com.apple.securityd” and message contains “Keychain”’
Usage of ChatGPT App:
log show --predicate ‘process ==”ChatGPT”’ —info
Messages from Apple's transparency, consent, and control (TCC):
log show --predicate ‘subsystem == “com.apple.TCC”’ —info
Authentication messages:
log show --predicate ‘subsystem == “com.apple.LocalAuthentication”’ —info
With the power of LimaCharlie's macOS Agent tapping into macOS' Unified Logging capabilities, you can use the SecOps Cloud Platform to gain extreme visibility into your macOS deployment.
Additionally, there are several third-party tools that integrate with the SecOps Cloud Platform and extend its capabilities. For example, Velociraptor offers an MUL-specific hunting artifiact while also providing insights into:
Browsing history
Autoruns
Files
System Preferences
Users
For more specific examples of threat hunting in macOS watch part 1 and part 2 of the webinar, or reach out to LimaCharlie for a demo.
Happy hunting!