Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a new process to execute its malicious activity. So, in order to analyze the malicious behaviors of malware targeting macOS more efficiently and automatically, it is necessary to develop a utility that monitors process execution. The MACF on macOS is a good choice for implementing this utility. The Mandatory Access Control Framework - commonly referred to as MACF - is the substrate on top of which all of Apple's securities, both macOS and iOS, are implemented.

If you are interested in researching malware and vulnerabilities on macOS, the blogs from are a great study resource. The blog series "Monitoring Process Creation via the Kernel" explains how to monitor process creation from the kernel using MACF and KAuth (Kernel Authorization). However, it does not show how to implement monitoring of process execution together with the command line arguments of the launched process. In this blog, I will detail the implementation of monitoring process execution, including command line arguments, via MACF.