hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections
2023-10-15 14:02:44 +00:00
..
macos-sandbox GITBOOK-4123: change request with no subject merged in GitBook 2023-10-15 09:54:49 +00:00
macos-tcc GITBOOK-4124: change request with no subject merged in GitBook 2023-10-15 14:02:44 +00:00
macos-dangerous-entitlements.md GITBOOK-4124: change request with no subject merged in GitBook 2023-10-15 14:02:44 +00:00
macos-gatekeeper.md GITBOOK-4120: change request with no subject merged in GitBook 2023-10-14 10:04:46 +00:00
macos-sip.md GITBOOK-4075: change request with no subject merged in GitBook 2023-09-10 23:59:38 +00:00
README.md GITBOOK-4118: change request with no subject merged in GitBook 2023-10-12 16:09:18 +00:00

macOS Security Protections

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Gatekeeper

Gatekeeper is usually used to refer to the combination of Quarantine + Gatekeeper + XProtect, 3 macOS security modules that will try to prevent users from executing potentially malicious software downloaded.

More information in:

{% content-ref url="macos-gatekeeper.md" %} macos-gatekeeper.md {% endcontent-ref %}

MRT - Malware Removal Tool

The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to remove known malware from infected systems.

Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically remove the malware. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).

While both XProtect and MRT are part of macOS's security measures, they perform different functions:

  • XProtect is a preventative tool. It checks files as they're downloaded (via certain applications), and if it detects any known types of malware, it prevents the file from opening, thereby preventing the malware from infecting your system in the first place.
  • MRT, on the other hand, is a reactive tool. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.

The MRT application is located in /Library/Apple/System/Library/CoreServices/MRT.app

Processes Limitants

SIP - System Integrity Protection

{% content-ref url="macos-sip.md" %} macos-sip.md {% endcontent-ref %}

Sandbox

MacOS Sandbox limits applications running inside the sandbox to the allowed actions specified in the Sandbox profile the app is running with. This helps to ensure that the application will be accessing only expected resources.

{% content-ref url="macos-sandbox/" %} macos-sandbox {% endcontent-ref %}

TCC (Transparency, Consent, and Control) is a mechanism in macOS to limit and control application access to certain features, usually from a privacy perspective. This can include things such as location services, contacts, photos, microphone, camera, accessibility, full disk access, and a bunch more.

{% content-ref url="macos-tcc/" %} macos-tcc {% endcontent-ref %}

Trust Cache

The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to prevent unauthorized or malicious software from running. Essentially, it is a list of cryptographic hashes that the operating system uses to verify the integrity and authenticity of the software.

When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the hash of the file is found in the trust cache, the system allows the program to run because it recognises it as trusted.

Launch Constraints

It controls from where and what can launch an Apple signed binary:

  • You can't launch an app directly if should be run by launchd
  • You can't run an app outside of the trusted location (like /System/)

The file that contains information about this constrains is located in macOS in /System/Volumes/Preboot/*/boot/*/usr/standalone/firmware/FUD/StaticTrustCache.img4 (and in iOS it looks like it's in /usr/standalone/firmware/FUD/StaticTrustCache.img4).

It looks like it was possible to use the tool img4tool to extract the cache:

img4tool -e in.img4 -o out.bin 

(However, I haven't been able to compile it in M1). You could also use pyimg4, but the following script doesn't work with that output.

Then, you could use a script such as this one to extract data.

From that data you can check the Apps with a launch constraints value of 0 , which are the ones that aren't constrained (check here for what each value is).

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥