On Windows, attackers sometimes "live off the land" in order to accomplish their goals without introducing new executables to the filesystem, thus possibly evading detection or blocking by process-monitoring and executable-whitelisting tools.
Windows-specific mitigations for this have included hardening/lockdown of the WMI subsystem and PowerShell tool, and restricting how msbuild can be invoked.
The corresponding attacker tactics on macOS are less well developed/known. Research what an attacker might do to evade process-monitoring and executable-whitelisting tools on macOS, and what Sinter (or a Sinter user) could do in order to mitigate those tactics.