Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise.
Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research, malware triage, and system troubleshooting. Harnessing Apple Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to surface only the events that are relevant to you. The telemetry collected includes process, interprocess, and file events in addition to rich metadata, allowing users to contextualize events and tell a story with ease. With an intuitive interface and a rich set of analysis features, Red Canary Mac Monitor was designed for a wide range of skill levels and backgrounds to detect macOS threats that would otherwise go unnoticed. As part of Red Canary’s commitment to the research community, the Mac Monitor distribution package is available to download for free.
Apple Silicon
machine, but Intel
works too!4GB+
is recommended13.1+
(Ventura)Homebrew?
brew install --cask red-canary-mac-monitor
Red Canary Mac Monitor.app
Full Disk Access
– you’ll need to flip the switch to enable this for the Red Canary Security Extension
. Full Disk Access is a requirement of Endpoint Security./Applications/Red Canary Mac Monitor.app
w/signing identifier of com.redcanary.agent
./Library/SystemExtensions/../com.redcanary.agent.securityextension.systemextension
w/signing identifier of com.redcanary.agent.securityextension.systemextension
.Homebrew?
brew uninstall red-canary-mac-monitor
. When using this option you will likely be prompted to authenticate to remove the System Extension.
1.0.3
) Supports removal using the ../Contents/SharedSupport/uninstall.sh
script.Homebrew?
brew update && brew upgrade red-canary-mac-monitor
. When using this option you will likely be prompted to authenticate to remove the System Extension.
Here we’ll be hosting:
Releases
section. Each major build corresponds to a code name. The first of these builds is GoldCardinal
.Telemetry reports/
(i.e. all the artifacts that can be collected by the Security Extension).Iconography/
Mute sets/
AtomicESClient
is a seperate, but very closely related project showing the ropes of Endpoint Security check it out in: AtomicESClient/
Additionally, you can submit feature requests and bug reports here as well. When creating a new Issue you’ll be able to use one of the two provided templates. Both of these options are also accessible from the in-app “Help” menu.
Each release of Red Canary Mac Monitor has a corresponding build name and version number. The first release has the build name of: GoldCardinal
and version number 1.0.1
.
High fidelity ES events modeled and enriched with some events containing further enrichment. For example, a process being File Quarantine-aware, a file being quarantined, code signing certificates, etc.
Dynamic runtime ES event subscriptions. You have the ability to on-the-fly modify your event subscriptions – enabling you to cut down on noise while you’re working through traces.
Path muting at the API level – Apple’s Endpoint Security team has put a lot of work recently into enabling advanced path muting / inversion capabilities. Here, we cover the majority of the API features: es_mute_path
and es_mute_path_events
along with the types of ES_MUTE_PATH_TYPE_PREFIX
, ES_MUTE_PATH_TYPE_LITERAL
, ES_MUTE_PATH_TYPE_TARGET_PREFIX
, and ES_MUTE_PATH_TYPE_TARGET_LITERAL
. Right now we do not support inversion. I’d love it if the ES team added inversion on a per-event basis instead of per-client.
Detailed event facts. Right click on any event in a table row to access event metadata, filtering, muting, and unsubscribe options. Core to the user experience is the ability to drill down into any given event or set of events. To enable this functionality we’ve developed “Event facts” windows which contain metadata / additional enrichment about any given event. Each event has a curated set metadata that is displayed. For example, process execution events will generally contain code signing information, environment variables, correlated events, etc. Below you see examples of file creation and BTM launch item added event facts.
Event correlation is an exceptionally important component in any analyst’s tool belt. The ability to see which events are “related” to one-another enables you to manipulate the telemetry in a way that makes sense (other than simply dumping to JSON or representing an individual event). We perform event correlation at the process level – this means that for any given event (which have an initiating and/or target process) we can deeply link events that any given process instigated.
Process grouping is another helpful way to represent process telemetry around a given ES_EVENT_TYPE_NOTIFY_EXEC
or ES_EVENT_TYPE_NOTIFY_FORK
event. By grouping processes in this way you can easily identify the chain of activity.
Artifact filtering enabled users to remove (but not destroy) events from view based on: event type, initiating process path, or target process path. This standout feature enables analysts to cut through the noise quickly while still retaining all data.
com.redcanary.agent.securityextension
) will not needlessly utilize resources / battery power when a trace is not occurring.We know how much you would love to learn from the source code and/or build tools or commercial products on top of this. Currently, however, Mac Monitor will be distributed as a free, closed-source tool. Enjoy what’s being offered and please continue to provide your great feedback. Additionally, never hesitate to reach out if there’s one aspect of the implementation you’d love to learn more about. We’re an open book when it comes to geeking out about all things implementation, usage, and research methodology.