Leveraging the Apple ESF for Behavioral Detections

Black Hat

Since its 2019 introduction in macOS Catalina, we have used the Apple Endpoint Security Framework (ESF) as an event source to fuel behavioral-based detections.

In this talk, we will focus on the difference between the old and new ways of detecting malicious activity on macOS, speaking to why both are relevant today. We will break down how we use ESF data, both in its basic form and as a pivot point to perform more advanced detections.

Presented by Jaron Bradley & Matt Benyo

Full Abstract & Presentation Materials: https://www.blackhat.com/us22/briefi...

posted by mmmlortab00