EDR Freeze on macOS
The article discusses a technique called "EDR Freeze" that targets macOS systems, allowing attackers to suspend or freeze Endpoint Detection and Response (EDR) security tools, thereby bypassing security monitoring and evading detection.
Background
- EDR (Endpoint Detection and Response) is security software that monitors computers for threats like malware; it's the modern successor to traditional antivirus.
- "EDR Freeze" refers to a technique that temporarily suspends an EDR's ability to monitor the system, making the computer blind to malicious activity. On macOS, this is done by exploiting legitimate system tools (like `kill` or `launchctl`) or abusing authorisation frameworks (ESF, Endpoint Security Framework).
- Attackers use this to bypass Apple's security layers (SIP, TCC, notarisation) and to evade detection by enterprise security suites commonly deployed on corporate Macs.
- The blog details a proof-of-concept tool that automates EDR disabling on macOS, and discusses how Apple's slow evolution of its security APIs leaves gaps that defenders must monitor manually.