Leveraging Apple ESF for Behavioral Detections

Over the past two years, we’ve been using the Apple Endpoint Security Framework (ESF) as an event source in order to build detections.

In this talk, we will break down everything from the basics of ESF all the way to how we've used it to write behavior-based detections. In the first section, we will briefly focus on the difference between the old and new ways of detecting malicious activity on a Mac, and why both are still relevant today. After that, we will focus on some basic-level detections, as well as how to use process field information that is often overlooked. The final section will discuss using a single ESF event as a pivot point to determine when system exploitation is taking place.