Red Canary Mac Monitor: advanced, stand-alone system monitoring tool tailor-made for macOS security research
Red Canary Mac Monitor
Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research, malware triage, and system troubleshooting. Harnessing Apple Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to surface only the events that are relevant to you. The telemetry collected includes process, interprocess, and file events in addition to rich metadata, allowing users to contextualize events and tell a story with ease. With an intuitive interface and a rich set of analysis features, Red Canary Mac Monitor was designed for a wide range of skill levels and backgrounds to detect macOS threats that would otherwise go unnoticed. As part of Red Canary’s commitment to the research community, the Mac Monitor distribution package is available to download for free.
What are some standout features?
-
High fidelity ES events modeled and enriched with some events containing further enrichment. For example, a process being File Quarantine-aware, a file being quarantined, code signing certificates, etc.
-
Dynamic runtime ES event subscriptions. You have the ability to on-the-fly modify your event subscriptions — enabling you to cut down on noise while you’re working through traces.
-
Path muting at the API level — Apple’s Endpoint Security team has put a lot of work recently into enabling advanced path muting / inversion capabilities. Here, we cover the majority of the API features:
es_mute_path
andes_mute_path_events
along with the types ofES_MUTE_PATH_TYPE_PREFIX
,ES_MUTE_PATH_TYPE_LITERAL
,ES_MUTE_PATH_TYPE_TARGET_PREFIX
, andES_MUTE_PATH_TYPE_TARGET_LITERAL
. Right now we do not support inversion. I’d love it if the ES team added inversion on a per-event basis instead of per-client. -
Detailed event facts. Right click on any event in a table row to access event metadata, filtering, muting, and unsubscribe options. Core to the user experience is the ability to drill down into any given event or set of events. To enable this functionality we’ve developed “Event facts” windows which contain metadata / additional enrichment about any given event. Each event has a curated set metadata that is displayed. For example, process execution events will generally contain code signing information, environment variables, correlated events, etc. Below you see examples of file creation and BTM launch item added event facts.
-
Event correlation is an exceptionally important component in any analyst’s tool belt. The ability to see which events are “related” to one-another enables you to manipulate the telemetry in a way that makes sense (other than simply dumping to JSON or representing an individual event). We perform event correlation at the process level — this means that for any given event (which have an initiating and/or target process) we can deeply link events that any given process instigated.
-
Process grouping is another helpful way to represent process telemetry around a given
ES_EVENT_TYPE_NOTIFY_EXEC
orES_EVENT_TYPE_NOTIFY_FORK
event. By grouping processes in this way you can easily identify the chain of activity. -
Artifact filtering enabled users to remove (but not destroy) events from view based on: event type, initiating process path, or target process path. This standout feature enables analysts to cut through the noise quickly while still retaining all data.
- Lossy filtering (i.e. events that are dropped from the trace) is also available in the form of “dropping platform binaries” — another useful technique to cut through the noise.
- Telemetry export. Right now we support pretty JSON and JSONL (one JSON object per-line) for the full or partial system trace (keyboard shortcuts too). You can access these options in the menu bar under “Export Telemetry”.
- Process subtree generation. When viewing the event facts window for any given event we’ll attempt to generate a process lineage subtree in the left hand sidebar. This tree is intractable – click on any process and you’ll be taken to its event facts. Similarly, you can right click on any process in the tree to pop out the facts for that event.
- Dynamic event distribution chart. This is a fun one enabled by the SwiftUI team. The graph shows the distribution of events you’re subscribed to, currently in-scope (i.e. not filtered), and have a count of more than nothing. This enables you to very quickly identify noisy events. The chart auto-shows/hides itself, but you can bring it back with the: “Mini-chart” button in the toolbar.
Some other features
- Another very important feature of any dynamic analysis tool is to not let an event limiter or memory inefficient implementation get in the way of the user experience. To address this (the best we currently can) we’ve implemented an asynchronous parent / child-like Core Data stack which stores our events as “entities” in-memory. This enables us to store virtually unlimited events with Mac Monitor. Although, the time of insertions does become more taxing as the event limit gets very large.
- Since Mac Monitor is based on a Security Extension which is always running in the background (like an EDR sensor) we baked in functionality such that it does not process events when a system trace is not occurring. This means that the Red Canary Security Extension (
com.redcanary.agent.securityextension
) will not needlessly utilize resources / battery power when a trace is not occurring. - Distribution package: The install process is often overlooked. However, if users do not have a good understanding of what’s being installed or if it’s too complex to install the barrier to entry might be just high enough to dissuade people from using it. This is why we ship Mac Monitor as a notarized distribution package.
Install & Use
Copyright (C) 2023 redcanaryco