On-Privilege scanning module is a threat hunting tool for macOS Endpoint using EndpointSecurity Framework

One of the most dangous actions of malware is escape the privilege management of an infected host to execute more malicious behaviors. recent malware such as XCSSET.2020, MacMa.2021, dazzlespy.2022, CloudMensis.2022 all attempt to LPE on MacOS users. onPrivilege module continually monitors the system for events that may connect to privilege escalation attack. Specifically it watches for process rooting, bypass TCC, by SIP events.

To detect LPE on MacOS, this module does the following:

• Process rooting detection
• TCC.db file protection
• Legacy APP detection
• Special entitlement file tracking

This is a prove-of-concept project, please always running in virtual machine.

brew install expect

mkdir ./build
cd ./build
cmake ..
make

sudo ./OPApplication

• XPC service tracing
• TCC.db manipulate
• root privilege detect
• Protected folder collecting
• File attribute qurantine clear

• macprocmon
  • https://github.com/gyunaev/macprocmon
• Shield
  • https://github.com/theevilbit/Shield
• ESFang
  • https://github.com/WithSecureLabs/ESFang
• ESFplayground
  • https://themittenmac.com/the-esf-playground/
• OverSight
  • https://github.com/objective-see/OverSight
• BlockBlock
  • https://github.com/objective-see/BlockBlock