BlockBlock icon indicating copy to clipboard operation
BlockBlock copied to clipboard

Published 20 hours ago verified publisher icon objective-see

Persistence installed before detection

Open Spl01ter opened this issue 4 years ago • 5 comments

When malware installs persistence (tested with https://github.com/neoneggplant/EggShell), the script is loaded into memory before detection and blocking. It is persistent as long as the user does not reboot.

Spl01ter avatar Jan 09 '21 11:01 Spl01ter

@Spl01ter have you possibly checked to see if this is still the case with 2.0.3?

luckman212 avatar Apr 15 '21 01:04 luckman212

It is still the case

acheong08 avatar Apr 15 '21 05:04 acheong08

I am now testing with https://github.com/RPwnage/EggShell-Community-Fork

acheong08 avatar Apr 15 '21 05:04 acheong08

Screen Shot 2021-04-15 at 1 36 09 PM Screen Shot 2021-04-15 at 1 36 35 PM

acheong08 avatar Apr 15 '21 05:04 acheong08

Will clarify, but this is by design. macOS delivers events (such as file events) via the Endpoint Security Framework.

BlockBlock subscribes to the ES_EVENT_TYPE_NOTIFY_WRITE event which (as you have noted), is delivered after the event ...it's a notification event. While there are ES_EVENT_TYPE_AUTH* events (that are delivered before the event occurs), there is no ES_EVENT_TYPE_AUTH_WRITE ...and BlockBlock needs a write event, so we can examine what was added.

objective-see avatar Jun 02 '21 22:06 objective-see