I recently noticed two new reserved event types in macOS’s EndpointSecurity framework.
ES_EVENT_TYPE_RESERVED_7 / 155 (AUTH)
ES_EVENT_TYPE_RESERVED_8 / 156 (NOTIFY)
After poking at them with a small ES client and a tty/ioctl corpus, they appear to be a new auth/notify pair for tty termios-setting ioctls.
Observed struct shape:
typedef struct {
    uint32_t selector; // tagged ES-private tty/file selector, not raw fd
    uint32_t request;  // ioctl request code
} es_event_reserved_7_8_termios_ioctl_guess_t;
The second word cleanly decodes as Darwin ioctl requests:
0x80487414 = TIOCSETA
0x80487415 = TIOCSETAW
0x80487416 = TIOCSETAF
Denying the AUTH event works too: returning ES_AUTH_RESULT_DENY caused the triggering stty/termios ioctl to fail - as seen in the image.
XNU lines up with this: ioctl() hits mac_file_check_ioctl(cred, fileglob, cmd) before dispatching to the tty handler, and the open-source tty path handles these three termios setters together.
Very likely mediated through the MACF file_check_ioctl hook, with ES’s private policy choosing to emit auth/notify events for selected tty termios setter ioctls (which I will try to confirm with further RE).
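Added example, not code from the thread above: a decoder for the request word in the observed event, using Darwin's ioccom.h encoding (direction bits, argument length, group character, command number) to show why 0x80487414..16 are the three termios setters and why a getter such as TIOCGETA is not matched. The constants and the 72-byte sizeof(struct termios) are reproduced here for 64-bit Darwin so the code also builds on other hosts.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Darwin <sys/ioccom.h> encoding constants, reproduced rather than included. */
#define D_IOCPARM_MASK 0x1fffu
#define D_IOC_VOID     0x20000000u
#define D_IOC_OUT      0x40000000u
#define D_IOC_IN       0x80000000u
#define DARWIN_TERMIOS_LEN 72u   /* sizeof(struct termios) on 64-bit Darwin (assumption) */

typedef struct {
    uint32_t dir;    /* D_IOC_IN / D_IOC_OUT / D_IOC_VOID bits */
    uint32_t len;    /* size of the argument the kernel copies in or out */
    char     group;  /* ioctl group character, 't' for tty */
    uint32_t num;    /* command number inside the group */
} ioc_parts_t;

/* Split a Darwin ioctl request word into its four encoded fields. */
ioc_parts_t decode_darwin_ioctl(uint32_t req) {
    ioc_parts_t p;
    p.dir   = req & (D_IOC_IN | D_IOC_OUT | D_IOC_VOID);
    p.len   = (req >> 16) & D_IOCPARM_MASK;
    p.group = (char)((req >> 8) & 0xff);
    p.num   = req & 0xff;
    return p;
}

/* Equivalent of Darwin's _IOW(group, num, type), with sizeof(type) passed as len. */
uint32_t darwin_iow(char group, uint32_t num, uint32_t len) {
    return D_IOC_IN | ((len & D_IOCPARM_MASK) << 16)
         | ((uint32_t)(unsigned char)group << 8) | (num & 0xff);
}

/* Name the three termios setters seen in the event's request field; NULL otherwise. */
const char *termios_setter_name(uint32_t req) {
    ioc_parts_t p = decode_darwin_ioctl(req);
    if (p.dir != D_IOC_IN || p.group != 't' || p.len != DARWIN_TERMIOS_LEN) return NULL;
    switch (p.num) {
    case 20: return "TIOCSETA";   /* _IOW('t', 20, struct termios) */
    case 21: return "TIOCSETAW";  /* _IOW('t', 21, struct termios) */
    case 22: return "TIOCSETAF";  /* _IOW('t', 22, struct termios) */
    default: return NULL;
    }
}

int main(void) {
    uint32_t reqs[] = { 0x80487414u, 0x80487415u, 0x80487416u, 0x40487413u /* TIOCGETA */ };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *n = termios_setter_name(reqs[i]);
        printf("0x%08x -> %s\n", reqs[i], n ? n : "(not a termios setter)");
    }
    return 0;
}
```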
@GergelyOrosz I like to think that questions I ask during interviews are hard to answer via ChatGPT or similar tools. Questions are mostly about personal preferences (what is your favorite C2 framework) or scenario based using network diagrams and screenshots.
@Hypatia53 I think a law similar to the Swiss weapons law makes sense. Can one really assume that (petty) criminals are deterred if they have to assume that many people are armed? They will then very likely have a weapon too.
@TheAntiLie @Niko69820823 @Sadie_NC Jumping in as a European. We actually were and are still glad US troops came to save Europe. I was told by older people that the US troops were the ones behaving like decent humans (no looting, no raping, …) in contrast to the ones from the east.
@chesteronio @RedTeamTactics Less than 10 for x and y in my experience.
Encryption of >100 docx files in one folder may very well be a problem, I am not aware of any ransomware being that targeted though. The goal is to block ransomware and not somebody zipping up a folder.
@chrissanders88 1. Check the process hierarchy, especially children of this powershell process. Maybe find traces of executed commands (c2 commands).
2. Check network connections. We might find IPs/URLs to analyze manually.
3. Check file events to find dropped files.
@vysecurity You are simulating something unknown until the minute the report is delivered - then every binary, every command and everything else is ours muhahaha (not that strict of course, but you get the idea). If the goal is different then of course that’s fine. Scope is important.
@vysecurity Red teams not willing to share detailed information about their techniques is quite rare as well imho. They know that this is what they get paid for. Only had this discussion once reg. a custom C2 framework and we found a good solution for both parties.
@vysecurity Interesting … I never met blue teams that try to sabotage a red team engagement. Detecting them and kicking them out of the network - sure, because that’s a blue team’s job. We had on-site red teams escorted out by company security (as defined in the runbooks).