Monitoring macOS, Part III: Monitoring Network Activities Using Socket Filters

March 30, 2018

In the two previous blogs in this series from FortiGuard Labs, we discussed how to monitor process execution with command-line arguments, file system events, and dylib loading events using MACF on macOS. In this blog, we continue by discussing how to monitor network activities (another significant malware behavior) using Socket Filters, a part of the Network Kernel Extension (NKE) framework on macOS. The network activities to be monitored include UDP, TCP, ICMP, and DNS query and response data. I provide all the technical details below, so let’s get started again!
