Wild West Hackin' Fest - Deadwood 2024

Endpoint Detection and Response (EDR) agents typically comprise multiple sensory components that collect information from various telemetry sources the operating system provides. Many public blogs and conference talks have covered Windows telemetry sources, such as kernel callbacks and ETW, but only some mention macOS and Linux equivalents.

Developers using macOS often have privileged cloud accounts or access to intellectual property such as source code. Linux servers may host customer-facing interfaces or applications that access sensitive databases. Defenders must have confidence in their tools for these systems, and attackers must understand how to evade them.

This talk will detail telemetry sources available to EDR on macOS and Linux and compare them to Windows equivalents. The sources commonly used to monitor process creation, shared library loading, networking, and file activity will be described based on the presenter's observations while reverse engineering popular EDR agents.