As a malware analyst or systems programmer, having a suite of solid
dynamic analysis tools is vital to being quick and effective. These
tools enable us to understand malware capabilities and undocumented
components of the operating system. One obvious tool that comes to
mind is Procmon from the legendary Sysinternals Suite from Microsoft.
Those tools only work on Windows, though, and we love macOS.
macOS has some fantastic dynamic instrumentation software included
with the operating system and Xcode. In the past, we have used dynamic
instrumentation tools such as DTrace, a very powerful tracing subsystem
built into the core of macOS. While it is very powerful and efficient,
it usually required us to write D scripts to get at the interesting
bits. We wanted something simpler.
Today, the Innovation and Custom Engineering (ICE) Applied Research
team presents the public release of Monitor.app
for macOS, a simple GUI application for monitoring common system
events on a macOS host. Monitor.app captures the following event types:
- Process execution with command line arguments
- File creates (if data is written)
- File renames
- DNS requests and replies
- Dynamic library
- TTY events
Monitor.app identifies system activities using a kernel extension
(kext). Its focus is on capturing data that matters, with context.
These events are presented in the UI with a rich search capability
allowing users to hunt through event data for areas of interest.
The goal of Monitor is simplicity. When launching Monitor, the user
is prompted for root credentials to launch a process and load our kext
(don’t worry, the main UI process doesn’t run as root). From there,
the user can click on the start button and watch the events roll in!
The UI is sparse, with a few key features: a start/stop button, filter
buttons, and a search bar. The search bar lets us search for a term
across all events, optionally restricted to one type of event data.
The event table lists every event Monitor is capable of presenting to
the user. The filter buttons allow the user to turn off whole classes
of events. For example, if a Time Machine backup were to kick off while
the user was trying to analyze a piece of malware, the user can click
the file system filter button and the file write events won't clutter
the display.
As an example, perhaps we were interested in seeing any processes
that communicated with xkcd.com. We can simply use an “Any” filter and
enter xkcd into the search bar, as seen in Figure 1.
Figure 1: Monitor.app User Interface
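To make the filter-button and "Any" search behaviour concrete, here is a small added model of it in Python. It is example code, not Monitor.app's own implementation; the event classes come from the list above, while the event fields, pids, paths and the sample events are constructed for the example.

```python
# Added example (not Monitor.app's code): a model of the event classes,
# the class-filter buttons and the "Any" search described in the post.
from dataclasses import dataclass, field

# The classes of events Monitor.app captures, each with its own filter button.
EVENT_CLASSES = ("process", "file", "dns", "dylib", "tty")

@dataclass
class Event:
    kind: str            # one of EVENT_CLASSES
    pid: int
    process: str         # image name of the process the event belongs to
    detail: str          # arguments, path, query name, library path or tty line
    extra: dict = field(default_factory=dict)   # assumed extra per-class fields

    def matches(self, term: str) -> bool:
        """The 'Any' filter: case-insensitive substring match over every field."""
        term = term.lower()
        haystack = [self.kind, str(self.pid), self.process, self.detail,
                    *map(str, self.extra.values())]
        return any(term in s.lower() for s in haystack)

class MonitorView:
    def __init__(self, events):
        self.events = list(events)
        self.enabled = set(EVENT_CLASSES)   # every filter button starts switched on

    def toggle(self, kind: str) -> None:
        """Click a filter button: hide or re-show one class of events."""
        self.enabled ^= {kind}

    def search(self, term: str = "") -> list:
        """Events of the enabled classes, narrowed by the 'Any' search term."""
        return [e for e in self.events
                if e.kind in self.enabled and (not term or e.matches(term))]

    def processes_talking_to(self, host: str) -> set:
        """Processes whose DNS requests or replies name host (the xkcd.com question)."""
        return {(e.pid, e.process) for e in self.search(host) if e.kind == "dns"}

# Constructed sample events; pids, names and addresses are made up for the example.
SAMPLE = [
    Event("process", 501, "curl", "/usr/bin/curl https://xkcd.com/"),
    Event("dns", 501, "curl", "xkcd.com", {"type": "A", "reply": "203.0.113.10"}),
    Event("file", 612, "backupd", "/Volumes/TimeMachine/2024/notes.txt", {"op": "create"}),
    Event("file", 612, "backupd", "/Volumes/TimeMachine/2024/notes.txt.tmp", {"op": "rename"}),
    Event("dylib", 501, "curl", "/usr/lib/libcurl.4.dylib"),
    Event("dns", 777, "Safari", "imgs.xkcd.com", {"type": "A", "reply": "203.0.113.11"}),
    Event("tty", 340, "zsh", "/dev/ttys001"),
]
```

Toggling the file class hides the Time Machine noise while the DNS and process rows for the xkcd search stay visible.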
We think you will be surprised how useful Monitor can be when trying
to figure out how components of macOS or even malware work under the
hood, all without firing up a debugger or D script.
Apple, Mac and MacOS are registered trademarks or trademarks of