EDR Internals for macOS and Linux
2024-06-08, 12:00–12:45, Track 1 (UC Conference Rm A)

Endpoint security agents for Windows have been explored in great detail, but their counterparts for other operating systems are largely undocumented. This talk will focus on the telemetry sources available to EDR agents on macOS and Linux to understand how they detect malicious behavior and identify opportunities for evasion.

Endpoint Detection and Response (EDR) agents typically comprise multiple sensory components that collect information from various telemetry sources the operating system provides. Many public blogs and conference talks have covered Windows telemetry sources, such as kernel callbacks and ETW, but only some mention macOS and Linux equivalents.

Developers using macOS often have privileged cloud accounts or access to intellectual property such as source code. Linux servers may host customer-facing interfaces or applications that access sensitive databases. Defenders must have confidence in their tools for these systems, and attackers must understand how to evade them.

This talk will detail telemetry sources available to EDR on macOS and Linux and compare them to Windows equivalents. The sources commonly used to monitor process creation, authentication, networking, and file activity will be described based on the presenter's observations while reverse engineering popular EDR agents.

Kyle Avery has been interested in computers for his entire life. Growing up, he and his dad self-hosted game servers and ran their own websites. He focused on offensive security in university and has spent the last few years learning about malware and post-exploitation. Kyle previously worked as a red teamer at Black Hills Information Security, specializing in .NET development. He has since moved to a full-time R&D role at Outflank, contributing to their offensive security toolkit for red teamers. Kyle has previously presented at conferences such as DEF CON and Texas Cyber Summit, and has hosted webcasts for BHIS and WWHF.