
2. Common Data Sources

Brandon Dalton edited this page Dec 1, 2023 · 1 revision

Overview

While many of these data sources are well known, we'll quickly review some of the most common ones here:

System Extensions (eventing)

  • Successor to the now deprecated Kernel Extensions (KEXTs), which previously allowed developers to integrate their solutions directly in the kernel, specifically via the Auxiliary Kernel Collection (AuxKC).
  • System Extensions are implemented by developers with the opportunity to use a high level / memory safe language (see the DriverKit exception). The idea is to remove third party code from the kernel and to protect the kernel from tampering with System Integrity Protection (SIP). There are several types of System Extensions, described in more technical depth in the table below:
    • Endpoint Security Extension: EDR / AV security solutions that identify malicious activity. These replace the legacy Kernel Authorization KPI (KAuth) and the unsupported MACF.
    • Network Extension: Content filters, DNS proxies, and VPN clients.
    • DriverKit: (C++17) Drivers for USB, Serial, NIC, and HID devices.

| Successor | Legacy tech |
|---|---|
| Endpoint Security Extension | KAUTH (kauth_listen_scope, kauth_unlisten_scope) |
| Network Extension | Socket (sock_accept, sock_bind, ...) |
| Network Extension | Network filter (ipf_addv4, ipf_inject_input, ...) |
| DriverKit | IOHIDFamily, IOUSBFamily |
| DriverKit | USB networking (IOUSBHostFamily, IOUSBFamily) |
| DriverKit | USB serial (IOUSBHostFamily, IOUSBFamily) |
| DriverKit | PCI networking (IOPCIFamily) |
| DriverKit | IOAudioFamily / IOBluetoothHIDDriver / IOSCSIParallelFamily |

Apple System Logs (ASL) (eventing)

  • Legacy UNIX logging mechanism
  • install.log specifically logs updates done through /usr/bin/softwareupdate
    • Viewable in Console.app from the "Log Reports" section
    • Located on-disk at: /Library/Logs/*

Apple Unified Log (AUL) (eventing)

  • Modern logging mechanism for Apple platforms.
  • Viewable in Console.app or through the /usr/bin/log command
  • AUL has a wide range of applications. However, some specific ones currently outside Endpoint Security's purview are:
| Event to Monitor | Subsystem |
|---|---|
| Gatekeeper assessments | com.apple.syspolicyd |
| Notarization ticket lookup | com.apple.network |
| Screen captures taken | com.apple.screencapture |
| System Extension operations | com.apple.sx |
| XProtect | com.apple.xprotect |
| Launch Services app launch disambiguation | com.apple.runningboard |
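As an added example (not code from this wiki or its project), the script below triages an exported Unified Log dump for exactly the subsystems in the table above. It assumes the dump was produced with `log show --style json` (a JSON array of entries with `subsystem`, `timestamp`, `processImagePath`, `processID` and `eventMessage` keys); the sample entries embedded in it are constructed, not real log output.

```python
import json
from collections import Counter

# Subsystems from the table above, mapped to the event each one surfaces.
WATCHED_SUBSYSTEMS = {
    "com.apple.syspolicyd": "Gatekeeper assessment",
    "com.apple.network": "Notarization ticket lookup",
    "com.apple.screencapture": "Screen capture taken",
    "com.apple.sx": "System Extension operation",
    "com.apple.xprotect": "XProtect",
    "com.apple.runningboard": "Launch Services app launch disambiguation",
}

# Constructed sample in the shape `log show --style json` writes (a JSON array
# of entries). Paths, PIDs and messages are invented for this example.
SAMPLE_LOG_JSON = """[
 {"timestamp": "2023-12-01 10:15:02.000000-0500", "subsystem": "com.apple.syspolicyd", "processID": 412,
  "processImagePath": "/usr/libexec/syspolicyd", "eventMessage": "constructed: assessing tool.app"},
 {"timestamp": "2023-12-01 10:15:09.000000-0500", "subsystem": "com.apple.screencapture", "processID": 9001,
  "processImagePath": "/usr/sbin/screencapture", "eventMessage": "constructed: wrote shot.png"},
 {"timestamp": "2023-12-01 10:15:11.000000-0500", "subsystem": "com.apple.example.noise", "processID": 9002,
  "processImagePath": "/usr/bin/true", "eventMessage": "constructed: unrelated entry, must be skipped"}
]"""

def load_records(json_text):
    """Parse the JSON array written by `log show --style json`."""
    return json.loads(json_text)

def triage(records):
    """Keep only entries from watched subsystems. Returns (hits per subsystem,
    reduced entries with the fields a responder needs first)."""
    counts = Counter()
    hits = []
    for rec in records:
        subsystem = rec.get("subsystem") or ""   # entries without a subsystem are skipped
        if subsystem not in WATCHED_SUBSYSTEMS:
            continue
        counts[subsystem] += 1
        hits.append({
            "timestamp": rec.get("timestamp"),
            "event": WATCHED_SUBSYSTEMS[subsystem],
            "process": rec.get("processImagePath"),
            "pid": rec.get("processID"),
            "message": rec.get("eventMessage"),
        })
    return counts, hits

if __name__ == "__main__":
    for hit in triage(load_records(SAMPLE_LOG_JSON))[1]:
        print(f"{hit['timestamp']} {hit['event']} by {hit['process']} (pid {hit['pid']}): {hit['message']}")
```

On a real host, replace `SAMPLE_LOG_JSON` with the contents of a file written by `log show --style json --last 1h > aul.json` and feed it to `load_records`.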

Diagnostic Reports and specifically Crash Reports (triage)

  • Identifying when and how specific relevant processes crash (.ips files) is a key way to identify the use of exploits and the potential presence of advanced spyware. They're located at: /Library/Logs/DiagnosticReports/*
  • Specifically, look for memory-corruption crashes from the following processes:
    • IMTransferAgent
    • ReportCrash

Sysdiagnose (/usr/bin/sysdiagnose) (triage)

  • A powerful record of system activity.
  • Helpful for identifying system services and processes behaving badly, the use of exploits, and the potential presence of spyware.

SQLite databases on-disk (triage)

  • Some high value ones include:
    • Transparency, Consent, and Control (TCC):
      • System: /Library/Application Support/com.apple.TCC/TCC.db
      • User: ~/Library/Application Support/com.apple.TCC/TCC.db
    • Knowledge
      • System: /private/var/db/CoreDuet/Knowledge/knowledgeC.db
      • User: ~/Library/Application Support/Knowledge/knowledgeC.db
    • Gatekeeper: /var/db/SystemPolicy
    • XProtect: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/gk.db
    • Passes: ~/Library/Passes/passes23.sqlite