Skip to main content

Huntress macOS Agent Beta FAQ

Annie Ballew
  • Updated

What is included with the macOS Public Beta?  

Our first iteration of the Huntress macOS agent will be focused on seamless installation and threat hunting for persistence

Even on different platforms, the fundamental attacker tactics and tradecraft concepts are actually quite similar. Persistence remains a common high-fidelity tactic and is a key indicator in a majority of attacks seen in macOS. Based on our extensive threat research, we have selected the most common persistence mechanisms exploited by macOS attacks and collect them through our agent for review.  

It also includes a self-updater, similar to the updating experience with the Huntress Windows agent. macOS Assisted Remediation for persistence was introduced in early July and is currently being rolled out.  

What Operating Systems will be supported?  

The Huntress macOS agent in Beta will run on Intel and M1/M2 machines. With the September 2022 EOL of Catalina 10.15, Huntress will now support macOS 11 Big Sur and above going forward.
 

How “baked” is the macOS agent in beta?  

We have done extensive testing so far with our macOS agent and an extensive macOS Private Beta, including rolling out to all of our macOS users within Huntress. Our primary goal for the beta is for us to find additional scenarios and edge cases so that we can identify and address any remaining issues.

Our ThreatOps team is also engaged in reviewing and monitoring macOS persistence collected by our agent, which is still in an active learning phase as part of the beta to understand efficacy and visibility. This beta phase will help us validate all of our operational workflows, help us identify gaps in our visibility, collect feedback to help us prioritize additional items we need to develop, and then prepare Huntress for scale.  

Installation  

The installation today is through the use of an installation script. This script will prompt for your account and organization keys, then downloads and installs the latest Huntress agent onto the associated Mac.  

Once we have confirmed your participation in our beta, we will enable macOS for your account. From there, you should be able to:  

  1. Go to the top right hamburger menu of the Huntress Portal and click on “Download Agent” 
  2. A section should now appear for macOS Installation Script.  
      • Click to Show Link
      • Click on the link to download the script.
      • To run the install script manually, open Terminal and type or paste in the following:
    sudo bash ~/Downloads/HuntressMacInstall.sh
  3. Then follow the prompts for your Account Key and for your Organization Key. Your Account key should be found on the Download Agent page. Your Organization key will be found if you go to Organizations in the top menu and select the key for the relevant organization. 
     

Do you have deployment scripts for my RMM?  

We are currently working through deployment through various well-known RMM solutions. Check back frequently for updates to our deployment scripts located here or reach out to support@huntress.com for the latest information.  

Please note: These deployment scripts are subject to change and are currently being tested. For feedback on any of our scripts or if you have questions while working through your deployment with any RMM or software distribution system, please do not hesitate to reach out to support@huntress.com.   

Will I be billed for these macOS agents?  

Yes, installed macOS agents in the private beta will be included in your billed agent count. If you have any questions or concerns about this, please reach out to support@huntress.com to address any specific needs, questions, or have feedback.  

Current Limitations 

  1. Assisted Remediation tasks require additional security permissions for the Huntress macOS agent (such as Full Disk Access). Capturing telemetry and passing to Huntress for threat hunting has not been a challenge and does not require special permissions.  
  2. Dragging the application to Trash to uninstall is not recommended. This may result in artifacts being left on the endpoint. Options for Uninstall are by tasking from the Huntress Portal, or running the Huntress Uninstall script:  
    /Applications/Huntress.app/Contents/MacOS/Uninstall
     

Thank you!  

Lastly, we just want to express a big thank you for testing our macOS agent. We are proud to be part of this community and incredibly thankful to have partners like you who are generous with their time and feedback. For any questions please reach out to support@huntress.com!

Comments

0 comments

Please sign in to leave a comment.

Related articles