13th July 2020

For contractual reasons I am currently unable to maintain any of my Open Source projects. I will remove or update this notice if and when that changes again. You are free to fork my projects under the provisions of their respective licensing terms, or contact me in case the license is not permissive enough for your purpose.

xnumon - monitor macOS for malicious activity

Copyright 2017–2019 Daniel Roethlisberger. All rights reserved.
Licensed under the Open Software License 3.0.


Latest release: xnumon-
Documentation: wiki, README.md, NEWS.md, configuration.plist
Development: droe/xnumon — follow @droethlisberger for news


xnumon is a monitoring agent that produces system activity logs intended to be suitable for monitoring potentially large fleets of macOS systems for malware and intrusions. It aims to provide on macOS capabilities similar to those that sysmon provides on Windows.

Currently implemented are the following log events:

  • xnumon-ops[0] and xnumon-stats[1] for in-band monitoring of agent status and activity metrics.
  • image-exec[2]: a process has replaced its executable image as a result of calling one of the execve(2) or posix_spawn(2) family syscalls.
  • process-access[3]: a process has accessed and possibly manipulated another process using either the task_for_pid or ptrace(2) syscalls.
  • launchd-add[4]: a process has added or modified a launch daemon or launch agent plist. (experimental)

The development branch contains code for additional events that have not made it into a release yet, mostly due to unresolved bugs in macOS audit(4).

xnumon provides context information such as executable image hashes, code signing meta-data, script shebang handling, and the history of previous executable images that led to the current process state. It does so by tracking fork and other syscalls instead of relying only on the ppid, which can change over the lifetime of a process.
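The claim that the ppid is not a stable record of lineage is easy to verify. The following C program is an added example, not xnumon code: an intermediate process forks a grandchild and exits at once, and the grandchild polls getppid() until the kernel has re-parented it (to launchd on macOS, to init or a subreaper on Linux). The polling interval and the 5 second timeout are the example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* pipe, fork, waitpid, nanosleep, _exit */
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* What the grandchild saw: the pid of the process that forked it, and what
 * getppid() returned once that process had exited. */
struct ppid_observation {
    pid_t parent_pid;
    pid_t ppid_after;
};

/* Fork an intermediate process that forks a grandchild and exits immediately.
 * The grandchild polls getppid() until it no longer names its real parent and
 * reports both pids over a pipe. Returns 0 on success, -1 on error. */
int observe_ppid_change(struct ppid_observation *obs)
{
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t c1 = fork();
    if (c1 == -1) return -1;
    if (c1 == 0) {
        pid_t me = getpid();            /* inherited by the grandchild below */
        pid_t c2 = fork();
        if (c2 == -1) _exit(1);
        if (c2 == 0) {
            struct timespec ms = { 0, 1000000 };   /* 1 ms poll interval (assumption) */
            pid_t now = getppid();
            for (int i = 0; i < 5000 && now == me; i++) {   /* give up after ~5 s */
                nanosleep(&ms, NULL);
                now = getppid();
            }
            pid_t report[2] = { me, now };
            _exit(write(fd[1], report, sizeof(report)) == (ssize_t)sizeof(report) ? 0 : 1);
        }
        _exit(0);                       /* real parent exits; grandchild is re-parented */
    }
    close(fd[1]);                       /* so read() sees EOF if the grandchild dies */
    waitpid(c1, NULL, 0);
    pid_t report[2];
    ssize_t n = read(fd[0], report, sizeof(report));
    close(fd[0]);
    if (n != (ssize_t)sizeof(report)) return -1;
    obs->parent_pid = report[0];        /* the process that actually forked the grandchild */
    obs->ppid_after = report[1];        /* what a ppid lookup would now attribute it to */
    return 0;
}
```

An agent that only consults the ppid when it happens to look would record the second pid as the parent; recording fork at the time it occurs, as xnumon does, preserves the first.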

For more documentation, see the README.md file linked above for now.

Talk «Monitoring macOS for malware and intrusions» at AREA41 2018
