v1.0.5

What's new in v1.0.5?

Keep the suggestions coming!

📝 Summary

In this release we’ve focused on starting to enable some fancy new features in macOS 14 Sonoma. First up: SwiftUI — finally we can customize our table columns (in a non-hacky way) and can provide a native alert with a suppression button!

Beyond all the excitement with SwiftUI — we’ve been introduced to a host of new Endpoint Security events which generally speaking this year focus on Open Directory / authorization eventing — macOS is making headway in enterprise! These events should make it easier for vendors to pull in eventing around Active Directory / LDAP nodes.

As of v1.0.5 macOS Sonoma users will have 41 events available to test with! To start supporting these new events (all of which have been subscribed to by default) we’ve covered a few higher impact Open Directory, authorization, MDM, and XPC events.

When working with Open Directory (OD) it’s helpful to keep an eye on the subsystem com.apple.opendirectoryd in the console. However, to help our users more easily understand the context of OD operations we’ve also decoded the error codes into a human readable form.

One small note for authorization judgment events we’ve organized the rights judged into a table within their event facts.

🏎️ Lastly, we’ve generally improved the performance of the Security Extension and the app with the help of the Core Data team over WWDC!

More to come — stay tuned for updates!

🥳 Fun stuff

🙌 Endpoint Security events added (see the telemetry reports section for more info)

These events are only available on machines running macOS 14 or later.
Additional muting has been applied by default to reduce noise. Check out the ../Mute sets/ directory.

• ES_EVENT_TYPE_NOTIFY_PROFILE_ADD
  • When a profile is installed
• ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER
  • When a user has been created in an Open Directory node
• ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP
  • When a group has been created in an Open Directory node
• ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD
  • When a member has been added to an Open Directory group
• ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD
  • When a user’s password has been modified
• ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD
  • When a value has been added to a record
• ES_EVENT_TYPE_NOTIFY_XPC_CONNECT
  • A connection has been established to an XPC service
• ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION
  • A process has asked / “petitioned” for a set of authorization rights.
• ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT
  • The decision by the security framework of the petitioned rights for the process

😌 User experience

macOS 14 and newer

• 📖 Human readable Open Directory error codes to assist with debugging
• 🎨 Customizable table columns
  • System Security Unified table view
  • Process Execution events table view
  • Unified event correlation table view
  • Process Group table view
• 🚨 Native alert for displaying a warning before clearing events

Cross compatible updates

• ⚡️ General performance improvements across: Security Extension with data retrieval and the Core Data stack with the Event tracer app.
• ❤️ Huge shoutout to the Core Data team for digging in with me over WWDC this year!

👨‍💻 Boring stuff

Sonoma bug fixes

• Table row selection
• Ask before quit
• Disabling the event mask
• Activity indicator

v1.0.4

What's new in v1.0.4?

Keep the suggestions coming!

📝 Summary

In this release we've focused on enabling users to customize their experience with Mac Monitor! You'll now be able to customize what your "secondary / right click" menu options are, remove supported table columns, etc. Additionally, this capability enables user to directly hit the Endpoint Security API with target path muting for supported events, and have pulled in macOS 13.3's dyld_exec_path for process execution events.

🥳 Fun stuff

• 💻 HID (Human Interface Device) attachment heuristic via IOKIT_OPEN
• 🚀 Heuristics for WRITE and RENAME occurring on the BTM (Background Task Management) binary property list file
• 🎯 target_path: a new telemetry field (not all events support this -- see the app settings for more info). This enables users to mute / filter target paths in a more defined way. Previously, users could only filter "target" paths for EXEC events.
• 📦 macOS 13.3 introduced the dyld_exec_path field for EXEC events. We've added support for that here. When the dyld_exec_path does not match the process_path of the EXEC event we'll add the following SF Symbol: "curlybraces.square".
• ⚙️ Someone say user customization? No one did, but we thought it'd be a good path to head down. There's now a new "User Preferences" section in the app's settings which enable the user to customize the behavior of the app to better fit their needs. So far, we've implemented:
  1. Options to selectively remove certain columns from the "System Security Unified" table
  2. Customize the "right / secondary" click context menu to only have the options you want (you can also do this independently for EXEC events. A live preview is shown in-window!
     a. Here you'll now see the option to mute / filter target paths! (Thank you @theevilbit)
  3. Manage the app lifecycle: Do you want the app to confirm before clearing events or app exit? (Thank you @AndrewMohawk)

👨‍💻 Boring stuff

• 💾 IOKIT_OPEN events are now subscribed to by default.
• 🔎 Searching by context now only happens when the user hits return.
• 🗑️ To better support uninstalling the Security Extension from the command line we've updated the .../Contents/SharedSupport/uninstall.sh to hit the System Extension API (the same way we do in-app).
  • Additionally, we've added the --deactivate-security-extension command line switch to Red Canary Mac Monitor.app/Contents/MacOS/Red Canary Mac Monitor. This will prompt the user to authenticate and the Security Extension will be deactivated.
• 🕵️ target has been renamed to context. The context field shows more than just a "target path". For example, SIGNAL events will also contain the signal name.
• 🟢 The "spinner" representing the tracing of system events has been replaced by a glowing green activity indicator.

Red Canary Mac Monitor `v1.0.3`

What's new in v1.0.3?

More to come, but this is a start! In this release you'll find some bug fixes, feature additions, and a whole new project dedicated to a very small Endpoint Security client.

• Homebrew: brew install --cask red-canary-mac-monitor
• AtomicESClient! This is a completely independent project, but closely related! Check it out: https://github.com/redcanaryco/mac-monitor/tree/main/AtomicESClient
• The “target” column now supports a much wider width
  • Within the “System Security Unified” Table
  • Within unified “Event correlation”
• Timestamps in the format of: HH:mm:ss.SSS have been added to:
  • Within the “System Security Unified” table
  • Within unified “Event correlation” table
  • Within the “Process group” table
  • These columns are still not sortable
• Filter by User ID
  • Section within the Filters
  • Right click option
• Event mask
  • (Bug) Sync with adding subscriptions. We’re still not going to do this for unsubscribing from events. It leads to a strange user experience.
• (Edge case) Fixed a SwiftUI crash when resolving an event date time
• Added an uninstall.sh script which runs the following command line to uninstall Mac Monitor. /usr/bin/osascript -e 'tell application "Finder" to move application file "Red Canary Mac Monitor" of folder "Applications" of startup disk to trash'. The reason we took this approach is because forcefully deleting the app will not also uninstall the System Extension.
• Top level repository eula.txt

Red Canary Mac Monitor

Overview

Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research, malware triage, and system troubleshooting. Harnessing Apple Endpoint Security (ES) -- and beyond, it collects and enriches system events, displaying them graphically, with an expansive feature set designed to surface only the events that are relevant to you. The telemetry collected includes process, interprocess, and file events in addition to rich metadata, allowing users to contextualize events and tell a story with ease. With an intuitive interface and a rich set of analysis features, Red Canary Mac Monitor was designed for a wide range of skill levels and backgrounds to detect macOS threats that would otherwise go unnoticed. As part of Red Canary’s commitment to the research community, the Mac Monitor distribution package is available to download for free.

We’re releasing Red Canary Mac Monitor as a stable open beta, and we’re hopeful that the security community can help us improve this complex software by using it and offering feedback.

---

1.0.2 release

• Fixes a minor bug with target path muting. Not all events support target path muting, but we displayed all of them anyhow. This is now fixed 😄

Red Canary Mac Monitor

Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research, malware triage, and system troubleshooting. Harnessing Apple Endpoint Security (ES) -- and beyond, it collects and enriches system events, displaying them graphically, with an expansive feature set designed to surface only the events that are relevant to you. The telemetry collected includes process, interprocess, and file events in addition to rich metadata, allowing users to contextualize events and tell a story with ease. With an intuitive interface and a rich set of analysis features, Red Canary Mac Monitor was designed for a wide range of skill levels and backgrounds to detect macOS threats that would otherwise go unnoticed. As part of Red Canary’s commitment to the research community, the Mac Monitor distribution package is available to download for free.

Today, we’re releasing Red Canary Mac Monitor as a stable open beta, and we’re hopeful that the security community can help us improve this complex software by using it and offering feedback.