XUnprotect: Reverse Engineering macOS XProtect Remediator
Koh M. Nakagawa (tsunek0h), FFRI Security, Inc.

NSUserFullName()
Koh M. Nakagawa (tsunek0h)
- Security researcher at FFRI Security, Inc.
- Mainly focusing on Apple product security
- Gave talks at Black Hat and CODE BLUE

About This Presentation
This presentation covers:
- A technical deep dive into XProtect Remediator (XPR):
  - How XPR's detection logic works
  - The malware removed (or remediated) by each scanner
  - The Provenance Sandbox, which XPR uses to identify the source of the files it remediates
This presentation does not cover:
- Evaluation of XPR, such as its effectiveness as a macOS security product
- Traditional (signature-based) XProtect. For this topic, see Stuart Ashenbrenner's excellent talk at MDOYVR23: https://youtu.be/43BIK-e7FBE

What You'll Gain from This Talk
- For Red Teamers: TCC and Provenance Sandbox bypasses
- For Blue Teamers: XPR's detection and remediation capabilities, plus the Apple-exclusive threat intel they reveal
- For both: a deep understanding of XPR
(Figure: the two audiences placed on a Defensive / Offensive axis)

Outline
1. Introduction
2. Tooling
3. RE results
4. Vulnerability Research
5. Conclusion

What Is XPR?
https:/
Layers of defense. Malware defenses are structured in three layers:
1. Prevent launch or execution of malware: App Store, or Gatekeeper combined with Notarization
2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect
3. Remediate malware that has executed: XProtectRemediator
"XProtectRemediator acts to remediate malware that has managed to successfully execute." - "Apple Platform Security", Apple

What Is XPR?
- Introduced in macOS Monterey as a replacement for the MRT (Malware Removal Tool)
- Built into macOS and updated once or twice per month
- Contains 20+ scanners, each targeting a specific malware family
https://eclecticlight.co/2022/08/30/macos-now-scans-for-malware-whenever-it-gets-a-chance/
https:/
scanner targets a specific malware family