macOS Endpoint Security Message Analysis Tool

Overview

Endpoint Security Message Analysis Tool - esmat

esmat is a command line tool for macOS that allows you to explore the behavior of Apple's Endpoint Security (ES) framework. By default esmat works like a stopwatch: pressing ctrl + t (which sends SIGINFO) prints statistics for the current interval, in which you perform your experiments, and starts a new interval (see -C for cumulative behavior).

Possible use cases:

  • perform (stress) tests or experiments and use esmat to see whether the recorded events match your expectation or whether message drops occurred
  • investigate process behavior:
    • what child processes are created and how (fork, exec)?
    • which ES messages are created during your experiments?

Usage

Use ./esmat.app/Contents/MacOS/esmat -h to get all available options and flags with examples:

➜ ./esmat.app/Contents/MacOS/esmat -h
Endpoint Security Message Analysis Tool - esmat by ∞ vast limits GmbH

Prints statistics for Endpoint Security messages between two SIGINFO signals (ctrl + t).
Must be run as root to be able to subscribe to Endpoint Security events.

Examples:
sudo ./esmat.app/Contents/MacOS/esmat -a ls git

sudo ./esmat.app/Contents/MacOS/esmat -e NOTIFY_PTY_GRANT NOTIFY_PTY_CLOSE -a sshd

sudo ./esmat.app/Contents/MacOS/esmat -a xpcproxy -pc


Usage: ./esmat.app/Contents/MacOS/esmat [OPTIONS]

Options:
  -h,--help                   Print this help message and exit
  -a,--apps TEXT ...          Add executable names to watch events for.
                              If one or more executable names are specified as arguments,
                              the event types NOTIFY_EXEC, NOTIFY_FORK and NOTIFY_EXIT are automatically enabled.

  -e,--events TEXT ...        Define which ES event types you want to see statistics for.
                              NOTIFY_EXEC, NOTIFY_FORK and NOTIFY_EXIT are automatically enabled
                              if arguments are provided via the -a option.
                              Note: AUTH events are currently not supported.

  -E,--events-available       Prints a list of available Endpoint Security event types.
                              Note: Not all listed events are available on every version of macOS.
                              Only the newest macOS version typically supports all events.

  -p,--parent                 Shows which parent processes have exec'ed into the processes specified via -a.

  -c,--child                  Include child processes which the via -a specified processes exec into.

  -C,--cumulative             If set statistics are never reset between intervals.

Columns of Process Lifecycle Events

column               description
#exec_source_events  number of messages in which the executable was the source of an exec (a process running this executable exec'ed into another image)
#exec_target_events  number of messages in which the executable was the target of an exec (a process running another image exec'ed into this executable)
#fork_events         number of fork messages for that executable (the child starts as a copy of the parent's image)
#exit_events         number of exit messages for that executable
delta                0 if every process that became this executable (exec target or fork) is balanced by one that stopped being it (exec source or exit). Calculated as #exec_target + #fork - #exec_source - #exit. A non-zero delta after all processes have finished indicates missing or unexpected messages.

Prerequisites

There is no need to install anything. However, before you can run the app you need to grant the bundle Full Disk Access by dragging it into the list of allowed apps under System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Apple requires this (in addition to the Endpoint Security entitlement and running as root) for every Endpoint Security client; the app won't be able to run without this permission. The grant is tied to the signed bundle, so if you rebuild or re-sign the app you may have to remove it from the list and add it again.

Examples

  • Investigate process lifecycle events or perform stress tests and evaluate message drops
sudo ./esmat.app/Contents/MacOS/esmat -a ls git exa

🚀 ES client statistics #3:
+------------+---------------------+---------------------+--------------+--------------+---------+
| executable | #exec_source_events | #exec_target_events | #fork_events | #exit_events |  delta  |
+------------+---------------------+---------------------+--------------+--------------+---------+
| git        |                  18 |                  36 |            0 |           18 |       0 | ✅
+------------+---------------------+---------------------+--------------+--------------+---------+
| exa        |                   0 |                   1 |            0 |            1 |       0 | ✅
+------------+---------------------+---------------------+--------------+--------------+---------+
| ls         |                   0 |                   3 |            0 |            3 |       0 | ✅
+------------+---------------------+---------------------+--------------+--------------+---------+

+---------------+--------------------+-------------------+
| ES_event_type | #messages_received | #messages_missing |
+---------------+--------------------+-------------------+
| NOTIFY_EXIT   |                248 |                 0 | ✅
+---------------+--------------------+-------------------+
| NOTIFY_FORK   |                255 |                 0 | ✅
+---------------+--------------------+-------------------+
| NOTIFY_EXEC   |                135 |                 0 | ✅
+---------------+--------------------+-------------------+
|        total: |                638 |                 0 | ✅
+---------------+--------------------+-------------------+
⏱ interval duration: 16 seconds
  • Investigate ES messages and processes for events such as ssh logins. Rows prefixed with -- are related images: 🐣 marks a child image the watched process exec'ed into (-c), 👨‍👩‍👦 marks a parent image that exec'ed into the watched process (-p).
sudo ./esmat.app/Contents/MacOS/esmat -a sshd -e NOTIFY_PTY_GRANT NOTIFY_PTY_CLOSE -pc

🚀 ES client statistics #2:
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| executable            | #exec_source_events | #exec_target_events | #fork_events | #exit_events |  delta  |
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| sshd                  |                   1 |                   1 |            3 |            3 |       0 | ✅
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| --zsh                 |                   - |                   1 |            - |            - |       - | 🐣
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| --sshd-keygen-wrapper |                   1 |                   - |            - |            - |       - | 👨‍👩‍👦
+-----------------------+---------------------+---------------------+--------------+--------------+---------+

+------------------+--------------------+-------------------+
| ES_event_type    | #messages_received | #messages_missing |
+------------------+--------------------+-------------------+
| NOTIFY_PTY_CLOSE |                  1 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_EXIT      |                115 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_PTY_GRANT |                  1 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_FORK      |                116 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_EXEC      |                 63 |                 0 | ✅
+------------------+--------------------+-------------------+
|           total: |                296 |                 0 | ✅
+------------------+--------------------+-------------------+
⏱ interval duration: 9 seconds
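The accounting behind both tables above, as an added example in C++ (the language esmat is written in). This is not esmat's own code and the page does not say how esmat computes #messages_missing; the example uses the mechanism Endpoint Security exposes for it, the per-client, per-event-type seq_num in es_message_t, which increments by exactly one per delivered message of a type, so a gap means the kernel dropped messages for this client. The Record struct is an assumed, simplified stand-in for es_message_t, and the event stream is constructed to mirror the ssh-login run above (sshd-keygen-wrapper execs into sshd, sshd forks three times, one fork becomes zsh, three sshd processes exit), with one FORK message deliberately skipped.

```cpp
// Added example, not esmat's code: lifecycle accounting (delta, parents,
// children) and seq_num-based drop detection over a constructed ES stream.
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Assumed, simplified stand-in for es_message_t: the acting process, the
// event-specific payload (new image for EXEC) and the per-event-type seq_num.
enum class EventType { Fork, Exec, Exit };

struct Record {
    EventType type;
    uint64_t seq_num;     // per-client, per-event-type sequence number
    std::string process;  // executable name of the process the message is about
    std::string target;   // Exec only: executable name of the new image
};

struct LifecycleStats {
    long exec_source = 0, exec_target = 0, fork = 0, exit = 0;
    std::set<std::string> parents;   // images that exec'ed into this one (-p)
    std::set<std::string> children;  // images this one exec'ed into (-c)
    // esmat's delta: processes that became this image minus processes that
    // stopped being it; non-zero after everything exited means lost messages.
    long delta() const { return exec_target + fork - exec_source - exit; }
};

struct DropStats {
    uint64_t received = 0, missing = 0;
    bool seen = false;
    uint64_t last_seq = 0;
};

class Analyzer {
public:
    explicit Analyzer(std::set<std::string> watched) : watched_(std::move(watched)) {}

    void handle(const Record& r) {
        // Drop detection: only gaps between delivered messages are visible,
        // so a drop before the first message of a type is not counted here.
        DropStats& d = drops_[r.type];
        d.received++;
        if (d.seen && r.seq_num > d.last_seq + 1) d.missing += r.seq_num - d.last_seq - 1;
        d.seen = true;
        d.last_seq = r.seq_num;

        switch (r.type) {
        case EventType::Fork:  // the child starts as a copy of the parent's image
            if (watched(r.process)) stats_[r.process].fork++;
            break;
        case EventType::Exec:  // the old image ends, the new image begins
            if (watched(r.process)) {
                stats_[r.process].exec_source++;
                stats_[r.process].children.insert(r.target);
            }
            if (watched(r.target)) {
                stats_[r.target].exec_target++;
                stats_[r.target].parents.insert(r.process);
            }
            break;
        case EventType::Exit:
            if (watched(r.process)) stats_[r.process].exit++;
            break;
        }
    }

    uint64_t total_missing() const {
        uint64_t n = 0;
        for (const auto& kv : drops_) n += kv.second.missing;
        return n;
    }
    const std::map<std::string, LifecycleStats>& lifecycle() const { return stats_; }
    const std::map<EventType, DropStats>& drops() const { return drops_; }

private:
    bool watched(const std::string& exe) const { return watched_.count(exe) != 0; }
    std::set<std::string> watched_;
    std::map<std::string, LifecycleStats> stats_;
    std::map<EventType, DropStats> drops_;
};

// Constructed stream modelled on the ssh-login run: the FORK seq_num jumps
// from 1 to 3 to simulate one dropped message; zsh -> ls is not a watched image.
Analyzer run_sample() {
    Analyzer a(std::set<std::string>{"sshd"});
    const std::vector<Record> stream = {
        {EventType::Exec, 0, "sshd-keygen-wrapper", "sshd"},
        {EventType::Fork, 0, "sshd", ""},
        {EventType::Fork, 1, "sshd", ""},
        {EventType::Fork, 3, "sshd", ""},  // seq 2 was dropped
        {EventType::Exec, 1, "sshd", "zsh"},
        {EventType::Exec, 2, "zsh", "ls"},
        {EventType::Exit, 0, "sshd", ""},
        {EventType::Exit, 1, "sshd", ""},
        {EventType::Exit, 2, "sshd", ""},
    };
    for (const Record& r : stream) a.handle(r);
    return a;
}

int main() {
    Analyzer a = run_sample();
    for (const auto& kv : a.lifecycle())
        std::cout << kv.first << " src=" << kv.second.exec_source << " tgt=" << kv.second.exec_target
                  << " fork=" << kv.second.fork << " exit=" << kv.second.exit
                  << " delta=" << kv.second.delta() << '\n';
    std::cout << "missing messages: " << a.total_missing() << '\n';
    return 0;
}
```

For sshd this yields exec_source 1, exec_target 1, fork 3, exit 3 and delta 0, the same row as in the output above, with zsh recorded as a child and sshd-keygen-wrapper as a parent; the FORK gap shows up as one missing message even though the lifecycle delta still balances, which is why both tables are worth reading together.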

Build

Building requires Xcode 13 or later (C++20) and an Apple developer account. You also need to request the Endpoint Security entitlement from Apple. Once you have received the ES entitlement you can create your provisioning profiles for development and distribution.

To avoid issues with signing and provisioning, some configuration options have been offloaded into configuration files. Once you've cloned the repo, create a Shared.xcconfig, a Debug.xcconfig and optionally a Release.xcconfig based on the included template files and fill in the specified values. This keeps personal signing information out of the repository.

Note: Please do not change these values in the project editor if you want to contribute.

Dependencies

Uses CLI11 to build the command line interface.

Releases: v1.0.0
Owner: vast limits GmbH