Monitoring macOS, Part II: Monitoring File System Events and Dylib Loading via MACF

March 30, 2018

In the previous blog from FortiGuard Labs in this series, we discussed how to monitor process execution with command line arguments using MACF on macOS. In this blog, we will continue to discuss how to monitor file system events (including file open, read, write, rename, and delete operations) and dynamic library loading via MACF on macOS. I will provide all the technical details below. Let’s get started!

Previous Article
Monitoring macOS, Part I: Monitoring Process Execution via MACF

Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a n...

Next Article
Monitoring macOS, Part III: Monitoring Network Activities Using Socket Filters

In the two previous blogs in this series from FortiGuard Labs, we discussed how to monitor process executi...