Home

Overview

Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research, malware triage, and system troubleshooting. We'll encourage you to check out our blog resources on Mac Monitor as well:

• Introducing: Red Canary Mac Monitor
• Finding and reporting a Gatekeeper bypass exploit with help from Mac Monitor

Starting with Endpoint Security, it collects and enriches system events, displaying them graphically, with an expansive feature set designed to surface only the events that are relevant to you. The artifacts collected include, but are not limited to process, interprocess, and file events in addition to rich metadata, allowing users to contextualize events and tell a story with ease. With an intuitive interface and a rich set of analysis features, Red Canary Mac Monitor was designed for a wide range of skill levels and backgrounds to profile system activity that might otherwise go unnoticed (e.g. memory, exit/error codes, logins, XPC, etc).

What you'll find here

• Red Canary Mac Monitor: Our stand-alone system monitoring app for macOS. Similar to Process Monitor from Microsoft for Windows. Total Endpoint Security (ES) events collected: 41 on macOS 14 Sonoma and 32 on macOS 13 Ventura.
  • Download/install:
    • Homebrew: brew install --cask red-canary-mac-monitor
    • Package download: https://github.com/redcanaryco/mac-monitor/releases/
  • Overview of events collected and their properties.
• AtomicESClient: Example code showing the basics of Endpoint Security development in Swift.
• Mac Data Sources: In-depth research on how macOS has/does implement security logging and authorization. This content will be more technical than our official Red Canary blogs we'd typically release on this topic.
  • Common data sources
  • macOS system architecture
  • User / kernel space communication
  • Legacy collection: KAuth, MACF, DTrace, OpenBSM
  • (Primary focus) Endpoint Security Extensions (System Extensions implementing Endpoint Security)