ESF modular ingestion tool for development and research.

ESFang

This is a tool devised for modular consumption of Endpoint Security Framework (ESF) events on macOS. It is my attempt to overcome a number of issues encountered with existing tools, including silent data dropping, strict event type consumption, lack of support for alternative event data types, and file access handler overload.

This tool leans heavily on the excellent work done by Chris Ross, Omark-Ikram and the team at Objective-See on their tools ProcessMonitor, Appmon and EndpointSecurityDemo. My core understanding of ESF data ingestion and how to apply it was greatly enhanced and kick-started by examining their work, which did much of the heavy lifting that made this development possible. This tool attempts to take the best elements of those tools and expand on them to allow case-by-case ESF consumption based on an investigator's needs.

The existing tools, including more refined ones such as Crescendo by FireEye, fall foul of a number of issues associated with ESF itself, which in testing appear to be related to the way the ESF client ingests data from the subsystem. The primary issue encountered was silent loss of data. In testing, when numerous event types were ingested at once, the results differed from those obtained by ingesting a single event type: critical events related to malicious activity that were present in the single-event-type data set were missing from the multi-event-type data set.

This tool's primary purpose was threefold:

  • Create a tool that avoids the silent data drop issue
  • Allow for case-by-case event collection specification
  • Be expandable and integrable into monitoring systems

To this end, the tool allows the user to specify which event types they want to collect during operations from the 51 available NOTIFY event types (AUTH event types were omitted for this tool). This means researchers can target the specific event types related to the operations they wish to monitor, and it helps reduce the associated silent data loss by reducing the overall number of event types collected by the client.

Data output is distributed into individual event type log files, which in turn are grouped under event genre directories such as process, file, sockets etc. All logs are written in JSON for easy ingestion and can be extended by users by altering the source code to collect additional fields outlined in the event_type documentation provided by Apple.

FUTURE NOTES

In order to prevent the silent data loss, a potential solution would be to multi-thread the tool so that multiple ESF clients run simultaneously, each collecting a subset of the event types. This could potentially avoid the internal threshold that appears to be reached and cause the observed data loss. I simply did not have time to employ the additional controls for this.

HOW TO USE

Requires SIP to be disabled!

  • Unfortunately, as this is development proof-of-concept code, you will not be able to use it with SIP enabled, because access to the ESF subsystem is restricted to signed binaries. As this binary is unsigned, SIP must be disabled for use. As such, only use this on non-production machines.

  • There are three ways to run the tool: specify the ID of an event_id from the configuration file, specify a group_id from the configuration file, or reference the configuration file itself with the lines for the desired event type IDs or groups uncommented.

  • Example 1 = Collect ES_EVENT_TYPE_NOTIFY_EXEC events only: ./ESFang -id 2

  • Example 2 = Collect File genre events: ./ESFang -group 2

  • Example 3 = Collect event types or groups specified by config file: ./ESFang -config ./ESF_config.txt

NOTE ON HARD CODED FILTER

Within the source code is a hard-coded process filter found at lines 460-469. This filter can be altered to capture on a specific PID, PPID or process name. It was added as a "hacky" workaround for specific filtering purposes. Attempts to make this dynamic at the command line, feeding into Inspector, all errored out, so it was left hard-coded.

NOTE ON HARD CODED PROCESS MUTER

Within the source code is a hard-coded process muting capability found at lines 471-491. This can be used to mute the capture of specific events based on the process path or the parent process path respectively. It should be used with caution: every event whose process or parent process matches the specified name will be muted, whichever of the two it is. This was in beta testing when released.
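The hard-coded filter and muter described above, modelled as an added C example rather than ESFang's own code: the process record struct, the sample paths and the mute list are assumptions constructed for the example, and it shows how a mute on the parent path also drops the child's events.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for the process fields ESFang reads from an ES message
 * (constructed for this example; not the EndpointSecurity API types). */
typedef struct {
    pid_t pid, ppid;
    const char *path;         /* executable path of the acting process */
    const char *parent_path;  /* executable path of its parent */
} proc_info_t;
/* Hard-coded filter: zero / NULL fields mean "do not filter on this". */
typedef struct {
    pid_t pid, ppid;
    const char *name;  /* matched against the last path component */
} proc_filter_t;
static const char *basename_of(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* True when the event passes the PID / PPID / name filter. */
bool filter_matches(const proc_filter_t *f, const proc_info_t *p) {
    if (f->pid && p->pid != f->pid) return false;
    if (f->ppid && p->ppid != f->ppid) return false;
    if (f->name && strcmp(basename_of(p->path), f->name) != 0) return false;
    return true;
}

/* Muter: drop if EITHER the process path or the parent path is listed,
 * which is the broad match the README cautions about. */
bool is_muted(const char *const *muted, size_t n, const proc_info_t *p) {
    for (size_t i = 0; i < n; i++)
        if (!strcmp(p->path, muted[i]) || !strcmp(p->parent_path, muted[i]))
            return true;
    return false;
}

/* Final decision: the filter is applied first, then the mute list. */
bool should_log(const proc_filter_t *f, const char *const *muted, size_t n,
                const proc_info_t *p) {
    return filter_matches(f, p) && !is_muted(muted, n, p);
}
/* Constructed sample: curl (pid 501) spawned by an interactive zsh (pid 1). */
static const proc_info_t sample_ev = {501, 1, "/usr/bin/curl", "/bin/zsh"};
static const char *const sample_mute[] = {"/bin/zsh"};
/* Evaluate the sample against a name/PPID filter, optionally muting zsh. */
bool sample_logged(const char *name, pid_t ppid, bool apply_mute) {
    proc_filter_t f = {0, ppid, name};
    return should_log(&f, sample_mute, apply_mute ? 1 : 0, &sample_ev);
}
```

Note that muting "/bin/zsh" also silences the curl event, because the parent path matches even though the acting process does not.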

Owner: F-Secure Countercept