Monitoring macOS, Part I: Monitoring Process Execution via MACF

March 30, 2018

Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a new process to execute its malicious activity. So in order to more efficiently and automatically analyze the malicious behaviors of malware targeting macOS, it is necessary to develop a utility to monitor process execution. The MACF on macOS is a good choice to implement this utility. The Mandatory Access Control Framework - commonly referred to as MACF - is the substrate on top of which all of Apple’s securities, both macOS and iOS, are implemented. In this blog, I will detail the implementation of monitoring process execution, including command line arguments, via MACF.


Previous Article
Securing IT Modernization at The Federal Level
Securing IT Modernization at The Federal Level

Federal agencies are modernizing legacy IT systems to mitigate cyber risks. Learn why the modernization of ...

Next Article
Monitoring macOS, Part II: Monitoring File System Events and Dylib Loading via MACF

In the previous blog from FortiGuard Labs in this series, we discussed how to monitor process execution wit...