15th July 2018

xnumon - monitor macOS for malicious activity

Copyright 2017–2018 Daniel Roethlisberger. All rights reserved.
Licensed under the Open Software License 3.0.

tl;dr

Latest release: xnumon-0.1.4.pkg
Documentation: man page tbd — README.md, NEWS.md, configuration.plist
Development: droe/xnumon — follow @droethlisberger for news

Overview

xnumon is a monitoring agent that produces system activity logs intended to be suitable for monitoring potentially large fleets of macOS systems for malware and intrusions. It aims to provide on macOS capabilities similar to those sysmon provides on Windows.

Currently implemented are the following log events:

  • xnumon-ops[0] and xnumon-stats[1] for in-band monitoring of agent status and activity metrics.
  • image-exec[2]: a process has replaced its executable image as a result of calling one of the execve(2) or posix_spawn(2) family syscalls.
  • process-access[3]: a process has accessed and possibly manipulated another process using either the task_for_pid or ptrace(2) syscalls.
  • launchd-add[4]: a process has added or modified a launch daemon or launch agent plist.

xnumon provides context information such as executable image hashes, code signing meta-data, script shebang handling, and the history of previous executable images that led to the current process state. It does so by tracking fork and other syscalls instead of relying only on the ppid, which can change over the lifetime of a process.
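As an added illustration (not code from xnumon itself), the following consumer of xnumon-style log lines replays image-exec events to keep the exec lineage of each pid and then reports launchd-add and process-access events together with that lineage. Only the event codes 0–4 come from the page; the JSON field names and the sample lines are assumed and constructed for this example.

```python
import json
from collections import defaultdict

# Event codes as listed on the page: 0 ops, 1 stats, 2 image-exec,
# 3 process-access, 4 launchd-add.
EVENT_NAMES = {0: "xnumon-ops", 1: "xnumon-stats", 2: "image-exec",
               3: "process-access", 4: "launchd-add"}

# Constructed sample lines in an ASSUMED JSON shape (the field names are
# hypothetical, not xnumon's real schema): each line carries the event code,
# the acting pid and, for image-exec, the new image path and signing state.
SAMPLE_LOG = """\
{"eventcode": 2, "pid": 501, "path": "/bin/bash", "signed": true}
{"eventcode": 2, "pid": 501, "path": "/tmp/installer", "signed": false}
{"eventcode": 4, "pid": 501, "plist": "/Library/LaunchDaemons/com.example.plist"}
{"eventcode": 2, "pid": 777, "path": "/usr/bin/python3", "signed": true}
{"eventcode": 3, "pid": 777, "target_pid": 501}
{"eventcode": 1, "uptime": 3600}
"""

def analyze(log_text):
    """Replay image-exec events per pid to build each process's exec history,
    then report launchd-add and process-access events with the lineage of
    images that led to the acting process (the page's point: lineage comes
    from tracking exec, not from the ppid alone)."""
    history = defaultdict(list)   # pid -> image paths, oldest first
    signed = {}                   # pid -> signing state of current image
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        code = ev["eventcode"]
        if code == 2:
            history[ev["pid"]].append(ev["path"])
            signed[ev["pid"]] = ev["signed"]
        elif code == 4:
            # Persistence written by a process whose current image is unsigned
            # is the case a detection engineer would want surfaced first.
            findings.append({"event": EVENT_NAMES[code], "pid": ev["pid"],
                             "plist": ev["plist"],
                             "lineage": list(history[ev["pid"]]),
                             "unsigned_writer": not signed.get(ev["pid"], False)})
        elif code == 3:
            findings.append({"event": EVENT_NAMES[code], "pid": ev["pid"],
                             "target_pid": ev["target_pid"],
                             "lineage": list(history[ev["pid"]])})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Keying the history on the bare pid does not survive pid reuse; a production consumer would key on a per-process identifier that outlives the pid.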

For more documentation, see the README.md file linked above for now.

Talk «Monitoring macOS for malware and intrusions» at AREA41 2018

Sponsoring

If you are interested in supporting the development and maintenance of xnumon, contact me.
