Team: Huntress EDR
Product: Huntress Agent for macOS
Environment: macOS
Summary: This article explains why the Huntress Agent for macOS requires Full Disk Access, and covers other considerations related to Apple's Transparency, Consent, and Control (TCC) mechanism that affect the incident response process.
What is Full Disk Access?
Full Disk Access is a privacy setting on machines running macOS Mojave or later that enables the user to grant an application access to all user folders (Desktop, Documents, Downloads) as well as access other personal user data such as Mail, Safari, and other administrative settings.
What is Transparency, Consent, and Control (TCC)?
For the last few years, Apple has emphasized and championed user privacy, formalized in macOS as Transparency, Consent, and Control (TCC).
"Apple believes that users should have full transparency, consent, and control over what apps are doing with their data."
This is enforced by requiring all users to consent to applications having access to user data. This explicit consent was introduced with macOS Mojave 10.14.
With most security tools, the concepts of “privacy” and “security” play on the same playground—but with differing principles on how data should be accessed. Security inherently requires obtaining visibility into the areas you are looking to protect; privacy is about keeping that data to yourself.
This means that most security tools, including Huntress, will need to obtain consent from the user for visibility and access into what would be considered private.
Why does the Huntress Agent for macOS require Full Disk Access?
Huntress requires Full Disk Access so that the Huntress Agent has what it needs to investigate all areas of the endpoint. Threats vary wildly and change constantly; having access to data readily available to us provides the agility to explore threat details without having to stop and interrupt the user for permission gathering. In addition, Huntress anticipates continuous development, which may require deeper access into the endpoint for visibility and remediation as we continue to enhance our macOS agent.
In order to understand what the Huntress Agent for macOS requires -- specifically for persistence hunting -- we have to think about the various stages of threat hunting:
- Capturing persistence telemetry and hunting for malicious and/or suspicious autoruns.
- Isolation of the affected endpoint to stop the spread.
- Investigation into binaries, executables, and directories on the system.
- Issuing an incident report with Assisted or Active Remediations -- a mechanism to task the Huntress Agent to handle remediation.
Based on the current capabilities within our macOS agent, most of the persistence that we capture is in non-user areas of the endpoint that are not currently subject to TCC. This means Full Disk Access is not a current requirement for Huntress’ ability to capture and obtain the telemetry with which to hunt.
Isolating macOS endpoints requires that the Agent be granted Full Disk Access, as well as permissions for our system extension and network content filter.
Investigation activities, however, are a bit more nuanced. If the binaries, artifacts, or IOCs needed to validate and confirm a threat are located in user data areas (e.g. the Desktop, Downloads, or Documents folders), the Huntress Agent must be granted permission to access them in order to continue the investigation.
The same goes for Assisted or Active Remediations, where remediation tasks that apply to those files and folders must have the right permissions in order to succeed.
What if Huntress does not have Full Disk Access on my endpoint?
Without Full Disk Access, Huntress still has the ability to capture telemetry regarding persistence on your managed endpoints for threat hunting.
There may be situations where deeper investigation or remediation of a suspicious threat requires access into those restricted user directories. Without Full Disk Access, Huntress may have blind spots on the endpoint, making it difficult to confirm or provide in-depth details for suspected threats that manifest in those user directories. Without Full Disk Access, Huntress cannot isolate the macOS endpoint.
In addition, any necessary file remediations in user directories may need to be done manually rather than through our Huntress Agent.
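Because Full Disk Access is a TCC grant, an administrator can confirm from the endpoint itself which applications currently hold it. The following script is an added example, not Huntress' own tooling: it queries the system TCC database for the Full Disk Access service (kTCCServiceSystemPolicyAllFiles) and reports each client's status, falling back to constructed sample rows when the database is not readable. The bundle identifiers in the sample rows are placeholders, not the agent's real identifier.

```shell
#!/bin/sh
# Added example, not Huntress' own code: report which applications hold Full Disk
# Access (TCC service kTCCServiceSystemPolicyAllFiles) according to the system
# TCC database. Reading that database itself needs root and a terminal that has
# Full Disk Access, which is the same TCC gate this article describes.

TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"   # system TCC database
FDA_SERVICE="kTCCServiceSystemPolicyAllFiles"                # Full Disk Access service

# Query rows as "client|auth_value" (sqlite3's default "|" separator).
# auth_value: 0 = denied, 2 = allowed (column name as of macOS 11 Big Sur).
query_fda_rows() {
  sqlite3 "$TCC_DB" "SELECT client, auth_value FROM access WHERE service='$FDA_SERVICE';"
}

# Turn one "client|auth_value" row into a readable status line.
classify_row() {
  client=${1%%|*}
  auth=${1##*|}
  case "$auth" in
    2) echo "$client: ALLOWED" ;;
    0) echo "$client: DENIED" ;;
    *) echo "$client: UNKNOWN (auth_value=$auth)" ;;
  esac
}

# Exit 0 if CLIENT (argument 1) has an ALLOWED row in ROWS (argument 2), else 1.
client_has_fda() {
  printf '%s\n' "$2" | grep -qxF -- "$1|2"
}

# Print one status line per row of ROWS (argument 1).
report_rows() {
  printf '%s\n' "$1" | while IFS= read -r row; do
    [ -n "$row" ] && classify_row "$row"
  done
}

# Constructed sample rows so the script demonstrates offline; the bundle IDs are
# placeholders, not the agent's real identifier.
SAMPLE_ROWS='com.example.agent|2
com.example.terminal|0'

if [ -r "$TCC_DB" ]; then
  report_rows "$(query_fda_rows)"          # live data on a macOS host with access
else
  echo "TCC database not readable here; showing constructed sample rows:"
  report_rows "$SAMPLE_ROWS"
fi
```

Run it as root from a terminal that has itself been granted Full Disk Access; otherwise the database read is blocked by TCC and only the sample rows are shown.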
Other TCC Considerations
If you encounter an error message during installation that states, "The Installation Failed," you may be experiencing interference from Apple's TCC.
Beginning with macOS Ventura 13.0+, Apple has changed how its Installer behaves with TCC. If a user declines the prompt granting Installer access to the Downloads folder, they will not be prompted again, so every installer that needs access to that folder will fail.
You can update this setting by:
- On the endpoint, go into System Settings > Files and Folders.
- Expand the Installer row and grant access to the Downloads Folder.
- Alternatively, you can grant the Installer Full Disk Access by going back to the Privacy & Security menu and then into the Full Disk Access list and enabling it there.