13th July 2020

xnumon - monitor macOS for malicious activity

Copyright 2017–2019 Daniel Roethlisberger. All rights reserved.
Licensed under the Open Software License 3.0.


Latest release: xnumon-
Documentation: wikiREADME.mdNEWS.mdconfiguration.plist
Development: droe/xnumon — follow @droethlisberger for news


xnumon is a monitoring agent that produces system activity logs intended to be suitable for monitoring potentially large fleets of macOS systems for malware and intrusions. It aims at providing similar capabilities on macOS that sysmon provides on Windows.

Currently implemented are the following log events:

  • xnumon-ops[0] and xnumon-stats[1] for in-band monitoring of agent status and activity metrics.
  • image-exec[2]: a process has replaced its executable image as a result of calling one of the execve(2) or posix_spawn(2) family syscalls.
  • process-access[3]: a process has accessed and possibly manipulated another process using either the task_for_pid or ptrace(2) syscalls.
  • launchd-add[4]: a process has added or modified a launch daemon or launch agent plist. (experimental)

The development branch contains code for additional events that have not made it into a release yet, mostly due to unresolved bugs in macOS audit(4).

xnumon provides context information such as executable image hashes, code signing meta-data, script shebang handling, and the history of previous executable images that led to the current process state. It does so by tracking fork and other syscalls instead of relying only on the ppid, which can change over the lifetime of a process.

For more documentation, see the README.md file linked above for now.

Talk «Monitoring macOS for malware and intrusions» at AREA41 2018


Fork me on GitHub