Team: Huntress EDR
Product: Persistent Footholds
What is included with the Huntress macOS agent?
Our first iteration of the Huntress macOS agent will be focused on seamless installation and threat hunting for persistence.
Even on different platforms, the fundamental attacker tactics and tradecraft concepts are actually quite similar. Persistence remains a common high-fidelity tactic and is a key indicator in a majority of attacks seen in macOS. Based on our extensive threat research, we have selected the most common persistence mechanisms exploited by macOS attacks and collect them through our agent for review.
What Operating Systems will be supported?
The Huntress macOS agent will run on Intel and M1/M2 machines. Huntress will now support macOS 11 Big Sur and above with the recent EOL of macOS 10.15. See the Huntress Agent End of Support Policy for more information.
How can I install the Huntress macOS agent?
For more information on installing the Huntress macOS agent, check out Installing the Huntress macOS Agent for details on manual installation and/or deployment through your RMM.
Make sure to grant Full Disk Access to Huntress following installation (see next question below).
Will I need to grant Full Disk Access permissions to Huntress?
Yes. For additional details on how Full Disk Access is used by Huntress, check out Full Disk Access for the macOS Huntress Agent for details on how to grant permission either manually or through your MDM solution.
How can I manually uninstall the macOS agent?
To manually uninstall the macOS agent, open Terminal on the endpoint and run the Uninstall scriptwith the following command:
You can also remotely uninstall the agent via the Huntress portal:
Note: It is important not to drag the Huntress application to the trash as this may result in artifacts being left on the endpoint. If you run into this and have questions, please reach out to email@example.com.
Can I hide the Huntress app from my end user? Why does it appear in the Applications Folder?
Through our discussions with several of our partners, we came to understand that staying invisible from the end user is very helpful for many IT providers to avoid disruption from "uninformed self-service" or having to answer unnecessary questions. We took this feedback and actually did explore ideas on how we could keep our agent out of the way.
This research was also accompanied by exploration into future roadmap work on our macOS agent, focusing on enhancing our detection, response and remediation capabilities. The more we dug into it, the more it became clear that working within the bounds of the macOS ecosystem requires active acknowledgement of Huntress' activities -- part of which requires that Huntress lives in the /Applications folder. Read more about "What is Transparency, Consent, and Control (TCC)" in our article on Full Disk Access for high level concepts of privacy championed by Apple.
While we hear our partners loud and clear, we felt it important to follow the boundaries that Apple has set up -- especially given these boundaries are a big part of why end-users have chosen macOS in the first place.
Will there be more to the macOS agent beyond persistence?
Absolutely. We have a team dedicated to pushing our macOS agent forward and are hard at work figuring out how we can enhance our capabilities with additional visibility for detection, response and remediation. Got an idea you want to share? Let us know by submitting or voting for an idea on feedback.huntress.com!
Lastly, we just want to express a big thank you for any partners who helped out in our private and public beta testing of our macOS agent. We are proud to be part of this community and incredibly thankful to have partners like you who are generous with their time and feedback. Please continue to give us feedback on our feedback portal. For any questions please reach out to firstname.lastname@example.org!