This article covers Red Canary’s recommended macOS sensor configuration based on system extension changes introduced in macOS Catalina (version 10.15), and finalized in macOS Big Sur (version 11).

Apple sensor background

Endpoint detection and response (EDR) sensors developed for macOS were traditionally designed around insecure, error-prone kernel programming interfaces (KPI) called kernel extensions (kexts). The interface between the user space macOS EDR sensor and the EDR's kext is usually a root-level launch program located in the `/Library/LaunchDaemons/` directory. This directory is not protected by System Integrity Protection (SIP), and is vulnerable to unauthorized modifications.

Apple macOS sensor update

Apple has introduced a new secure and reliable framework for extending the functionality of macOS without entering kernel mode, which  can introduce vulnerabilities and is unsupported in macOS versions beyond macOS Catalina (version 10.15). System extensions on macOS are composed of: 

• Security extensions for interacting with the endpoint security framework (ESF)
• Network extensions for the network extension framework (NEF)
• A DriverKit for interfacing with the endpoint input and output process

By implementing these extensions in the user space rather than the kernel of macOS, many of the intricacies and risky side effects of deployment are allocated to the ESF, NEF, and DriverKit utilities. This allows for risk mitigation by using the comprehensive framework testing and security maintained by Apple’s security architectural teams.

EDR vendors who implement their sensor with system extensions will benefit from Apple’s native SIP anti-tamper technology. These benefits include restrictions on the ability of macOS's root user account to make changes to the file system. Thus, even if an adversary were to achieve root access on the endpoint, the adversary would still not be able to delete or modify system extensions. Additionally, since system extensions are also user space processes, the extensions can be manipulated in the user space at runtime, avoiding reboots when modifications are necessary. 

System extension guidance

Red Canary recommends installing and operating EDR sensors on macOS Catalina (version 10.15 or later) with system extensions if possible. SIP must be enabled on the endpoint. To learn more about turning SIP on or off, see Disabling and enabling SIP. 

For more information about the anti-tamper technologies exposed by system extensions, check out these vendor-specific articles: 

• Apple
• Jamf Protect
• Microsoft Defender For Endpoint
• SentinelOne
• Kandji