Over the years, the FortiGuard Labs team has learned that macOS malware very commonly launches a new process to carry out its malicious activity. So, in order to analyze the malicious behavior of macOS-targeting malware more efficiently and automatically, we need a utility that monitors process execution. The MACF on macOS is a good choice for implementing this utility. The Mandatory Access Control Framework, commonly referred to as MACF, is the substrate on top of which all of Apple's security mechanisms, on both macOS and iOS, are implemented. In this blog, I will detail the implementation of monitoring process execution, including command line arguments, via MACF.
In the previous blog from FortiGuard Labs in this series, we discussed how to monitor process execution with command line arguments using MACF on macOS. In this blog, we will continue to discuss how to monitor file system events (including file open, read, write, rename, and delete operations) and dynamic library loading via MACF on macOS. I will provide all the technical details below. Let’s get started!
In the two previous blogs in this series from FortiGuard Labs, we discussed how to monitor process execution with command line arguments, file system events, and dylib loading events using MACF on macOS. In this blog, we will continue by discussing how to monitor network activities (another significant malware behavior) using Socket Filters (a part of the Network Kernel Extension) on macOS. The network activities to be monitored include UDP, TCP, ICMP, and DNS query and response data. I provide all the technical details below, so let's get started again!