I came across this open-source project called LOOBins which I thought would be the perfect place to get started in doing some macOS research and provide something of value to the security community.
LOOBins stands for Living Off the Orchard (get it? because of ‘Apple’). Like many security tools, it has to have a joke in the name. The project catalogs built-in macOS binaries and documents how threat actors can abuse them for malicious purposes. The concept of ‘Living Off The Land’ isn’t new, but seeing it applied to macOS is excellent.
Luckily, I could pick a binary, hdiutil, and contribute to the project here. This required me to research how the binary works, check whether it had been used maliciously before (which it actually had), and then work out where it fits in MITRE ATT&CK. This took me a bit longer than I thought it would, and there are probably more scenarios I need to add, but I’m pleased it was accepted.
If you are interested in contributing, several other binaries are still waiting for someone to research them. The complete issues list can be found here. I’m wrapping up a few other non-tech-related writing projects shortly, but this is a project I hope to keep contributing to in the future.
I also realize it’s been about a month since my last post. I’ll try to post more frequently going forward, and at least once a month.