Is there a list of LOLBINs for macOS?

In the event of drive-by downloads and infected email attachments employing fileless exploit techniques, there are a number of ubiquitous programs known as Living Off the Land Binaries, or LOLBins, that can be leveraged to make changes to user resources (if not the system) without raising alarms.


While modern browsers make drive-by downloads increasingly difficult to pull off, and those that get through are almost certain to be targeted at Windows, I am always looking for ways to stay ahead of the curve. I've found an app that password-protects other apps from being launched by visiting relatives, but could also serve as the Mac equivalent to an anti-exe.


Is it possible to obtain a list of vulnerable processes on macOS? At least those most likely to be used in such an exploit, and that can be restricted without triggering alerts during normal operation? Thank you.

Posted on Mar 28, 2020 3:48 PM


11 replies

Mar 28, 2020 6:57 PM in response to santuccie

Ah, so it was guests on your login, and now it’s drive-by downloads in Safari, and yes, there’s been Mac malware.


Here’s one discussion of file-less malware for Mac, though the user has to click through several dialogs, so hardly a drive-by...

https://objective-see.com/blog/blog_0x51.html


I’m not aware of a detailed public list outside of the one likely maintained at Apple, and what’s in the CVEs.


Mar 28, 2020 8:17 PM in response to santuccie

santuccie wrote:

Quoting myself: I've found an app that password-protects other apps from being launched by visiting relatives, but could also serve as the Mac equivalent to an anti-exe.


That can be an ACL.


But then I’m also not running the family time-sharing service. BYOD. Or borrow an iPad.


With Catalina, bypassing checks gets that much harder. And the next release will be yet further locked down, and we only really know a few details such as the kext-related deprecations, and the Apple doc discussions around pointer authentication checks.


What I'm talking about is taking a sort of parental control app, and repurposing it for an extra layer of defense against drive-by downloads.


Who’s running this system, who’s the threat, how much is the breach worth?


Whitelist everything?


Or run something else. Maybe atop Qubes.


But pragmatically, go build whatever scheme this is you’re envisioning, and see how well it works.


And just don’t give untrusted folks login access...

Mar 28, 2020 4:09 PM in response to santuccie

Don't give visiting relatives your login credentials.


I don't know what you mean by "vulnerable processes" but perhaps that's due to the fact I do not use operating systems that were vulnerable since their inception. macOS is invulnerable to malicious alteration. Unless you were to give visiting relatives login credentials with Administrator privileges there is no point in password-protecting individual apps or processes... which would just be another way of providing Admin-level access anyway.

Mar 28, 2020 4:10 PM in response to santuccie

Disable automatic open of downloads.


For the more security-cavalier folks, I add a rule into mail that trashes any message with an attachment from a new contact.


As for guests, I never allow folks onto any primary login, much less an admin login. Let them use the Guest account. That’s what it exists for.


And password protecting apps using a third-party add-on, that seems a bother. Use an access control list and a group, and mark those apps as inaccessible to the untrusted group, or whatever you have decided to call it. This, with some local variation of the guest login.


Or loan them an iPad.


A Mac is not single user, nor is NT-descended Windows. An iPad is...
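The group-plus-ACL approach described in the reply above (and in the earlier "That can be an ACL" reply), together with the "disable automatic open of downloads" suggestion, as an added example that is not code from the thread or from Apple. Assumed for illustration only: a group named `untrusted`, the built-in Guest user as its member, and Terminal.app and Script Editor.app as the bundles to block; the page gives no list of binaries, so the app list is a placeholder to replace with your own. The script prints the exact commands by default and only executes them on a Mac when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not code from the thread. It applies the ACL-and-group idea
# from the replies: put untrusted accounts into a group and deny that group
# the "search" right on selected app bundles, so members cannot traverse into
# Contents/MacOS/<binary> to launch them. It also emits the Safari change that
# stops "safe" downloads from opening automatically.
#
# Assumptions (not from the page): group "untrusted", member "Guest", and the
# bundle list below. Nothing is changed unless APPLY=1; otherwise the plan is
# printed one command per line for review.

GROUP_NAME="${GROUP_NAME:-untrusted}"
UNTRUSTED_USERS="${UNTRUSTED_USERS:-Guest}"
APPLY="${APPLY:-0}"

# Bundles to deny. Illustrative placeholders; substitute your own list.
APP_BUNDLES="/Applications/Utilities/Terminal.app
/Applications/Utilities/Script Editor.app"

# Commands that create the group and add each untrusted user to it.
group_cmds() {
  _g="$1"; shift
  printf '%s\n' "sudo dseditgroup -o create \"$_g\""
  for _u in "$@"; do
    printf '%s\n' "sudo dseditgroup -o edit -a \"$_u\" -t user \"$_g\""
  done
}

# ACL commands for one bundle. Denying "search" on the bundle directory blocks
# traversal into it; chmod +a inserts deny entries in canonical order (ahead of
# allow entries), so no manual ordering is needed. ls -le shows the result.
deny_launch_cmds() {
  _g="$1"; _app="$2"
  printf '%s\n' "sudo chmod +a \"group:$_g deny search\" \"$_app\""
  printf '%s\n' "ls -le \"$_app\""
}

# Safari preference change (runs as the logged-in user, so no sudo) plus a
# read-back so you can confirm the value actually landed.
safari_cmds() {
  printf '%s\n' "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
  printf '%s\n' "defaults read com.apple.Safari AutoOpenSafeDownloads"
}

# The whole plan, in order: group first, then per-bundle ACLs, then Safari.
plan() {
  group_cmds "$GROUP_NAME" $UNTRUSTED_USERS
  printf '%s\n' "$APP_BUNDLES" | while IFS= read -r _app; do
    [ -n "$_app" ] && deny_launch_cmds "$GROUP_NAME" "$_app"
  done
  safari_cmds
}

# Number of commands the plan would run; useful for sanity-checking edits.
plan_count() {
  plan | wc -l | tr -d ' '
}

if [ "$APPLY" = "1" ]; then
  # Refuse to run anywhere but macOS; dseditgroup, chmod +a and defaults are
  # Darwin-specific.
  [ "$(uname)" = "Darwin" ] || { echo "macOS only" >&2; exit 1; }
  plan | while IFS= read -r _cmd; do
    echo "+ $_cmd"
    sh -c "$_cmd" || { echo "failed: $_cmd" >&2; exit 1; }
  done || exit 1
else
  plan
fi
```

Two caveats a practitioner will want: an App Store or installer update can replace a bundle wholesale and drop the ACL, so re-run the plan (or check `ls -le`) after updates; and on recent macOS versions the terminal you run this from needs Full Disk Access before the `defaults write` to Safari's sandboxed preferences takes effect, which is why the read-back line is included.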

Mar 28, 2020 5:37 PM in response to John Galt

Not true. No computer is invulnerable to malicious alteration. As long as you can install software on your computer, you can install malicious software on your computer. White hats are doing it all the time. In March of last year, the phoenhex & qwerty team managed to escape the sandbox and escalate to root privileges with a drive-by download in Safari. Most ITW malware for the Mac is just Trojans and browser hijackers, but one kernel-level drive-by is one too many.


The topic in this thread is about fileless malware. Thank you.

Mar 28, 2020 7:35 PM in response to MrHoffman

Quoting myself: I've found an app that password-protects other apps from being launched by visiting relatives, but could also serve as the Mac equivalent to an anti-exe.


What I'm talking about is taking a sort of parental control app, and repurposing it for an extra layer of defense against drive-by downloads, particularly LOL exploits that would be very difficult to detect if they ever gained a foothold. I understand the confusion, but this thread is and always has been about fileless malware.


I'm familiar with the blog at Objective-See. However, not all Mac malware depends entirely on user intervention. Flashback infected over 600,000 Macs in 2014, some of them with no user interaction at all. Of course, that wasn't a fileless exploit, and all it really did was display ads. But I digress.


I appreciate your effort to help. I'll keep looking. Cheers!

Mar 28, 2020 7:59 PM in response to santuccie

santuccie wrote:

I've found an app that password-protects other apps from being launched by visiting relatives, but could also serve as the Mac equivalent to an anti-exe.

The best solution to this would be to use a Guest User, as explained in this Apple support document: Change Users & Groups Guest user preferences on Mac - Apple Support


If your visiting relatives are staying for a longer period, say 14 days?, then I would suggest that you create a dedicated, standard user for them to use. See Set up users, guests, and groups on Mac - Apple Support

Is it possible to obtain a list of vulnerable processes on macOS? At least those most likely to be used in such an exploit, and that can be restricted without triggering alerts during normal operation?

My suggestion here is to avoid reading too many of those "security blogs". For most people, their visiting relatives are not sophisticated enough to worry about. Sometimes kids can be clever. You can Set up Screen Time for a child on Mac to better control them.


All that being said, there is no security when someone has unsupervised, physical access. So if you know someone who you think is sophisticated enough to do damage, don't give them your machine at all.

This thread has been closed by the system or the community team.