FortiAppMonitor: A Powerful Utility for Monitoring System Activities on macOS

By Kai Lu | August 16, 2018

For a malware analyst or security researcher, a powerful dynamic-analysis utility is vital to identifying malware effectively and efficiently. FortiAppMonitor is a freeware utility developed and released by Fortinet to monitor the behaviors of programs on macOS. It enables users to understand malware capabilities and quickly analyze the malicious behaviors of malware targeting macOS. Its features include the following:

1. Monitors process execution with command line arguments, and process exit.

2. Monitors all common file system events, including file open, read, write, delete, and rename operations.

3. Monitors network activities, including UDP, TCP, DNS query and response, and ICMP, for both IPv4 and IPv6.

4. Monitors .dylib loading events.

5. Monitors KEXT loading and unloading events.

It also provides a fine-grained filter so that users can restrict the view to the event types they are interested in, as well as a powerful search function so users can quickly search through records by keyword. Users can also save all records to a JSON format file. All of these FortiAppMonitor features are accessed through an easy-to-navigate GUI. Users can also copy one specific record from the GUI to the clipboard using the shortcut key “Command+C”.

This utility was initially demonstrated by FortiGuard Labs researcher Kai Lu at the Black Hat USA 2018 Arsenal in a session entitled “Learn How to Build Your Own Utility to Monitor Malicious Behaviors of Malware on macOS”. In this presentation, Kai presented this advanced solution for monitoring the malicious behaviors of malware in the macOS kernel. He also walked attendees through all the key technical details of the implementation of this utility. Users interested in a quick tutorial can download his presentation slides here.

Users are welcome to send feedback or submit bugs to fortiappmon@fortinet.com.

FortiAppMonitor Screenshots:

Figure 1. The GUI of the FortiAppMonitor app
Figure 2. The filter options in the Network category
Figure 3. The filter options in the File category
Figure 4. The search function
Figure 5. Saving all records into a JSON format file


Supported OS Versions

macOS 10.11 (OS X El Capitan)

macOS 10.12 (macOS Sierra)

macOS 10.13 (macOS High Sierra)

macOS 10.14 (macOS Mojave, Beta)

Changelog

Latest Version: FortiAppMonitor.app 1.0.0

Release Date: August 15, 2018

File Size: 52.1 MB

SHA-1: 6DDA29A5B96B5AB9AC64471B94600FFD8024398C

Download

FortiAppMonitor_v1.0.0
