xnumon
monitor macOS for malicious activity
Symhash is a proposal for an imphash-like hash for Mach-O binaries. Look into whether it makes sense to implement it in C and add support for a symhash hash type...
Add support to acquire tlsh hashes from binaries to support fuzzy indicator matching down the pipeline.
Add support to acquire ssdeep hashes from binaries to support fuzzy indicator matching down the pipeline.
Current file monitoring based on `AUE_CLOSE` and other audit events has a number of issues that need a solution. Think about reimplementing or improving the event acquisition. Options include: -...
Consider acquiring stat and hashes in-kernel in order to move burden to the task calling exec. This should reduce the amount of time the main thread spends acquiring data the...
The kext should verify the identity of the userspace process attaching to `/dev/xnumon` based on its code signature and refuse attaching if the code is unsigned or signed by the...
Add new event for kext loads. Not covered by audit(4), need to identify a good method to acquire this event. Analysis of kextd source might reveal some insights.
Detect the installation of Login Items and produce eventcode 4 events from it.
Hi, I usually use tools from Patrick Wardle (KnockKnock, BlockBlock, ...) to create events within macOS and later on forward them to Splunk. xnumon looks very promising to replace...
Config changes are already monitorable by watching eventcode 0 for unexpected settings and agent restarts. However, self-defense could be further improved, perhaps by: - Including hashes of configuration file in...