macOS
- 03 Mar 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
macOS
- Updated on 03 Mar 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
LimaCharlie's Mac sensor interfaces with the kernel to acquire deep visibility into the host's activity while taking measures to preverse the host's performance. The Mac sensor currently supports all versions of MacOS 10.7 and up.
Installation Instructions
Basic sensor installation instructions can be found here.
Looking for alternative installation methods?
- macOS Sensor Installation - Latest OS Versions
- macOS Sensor Installation - Older OS Versions
- macOS Sensor Installation - MDM Configuration profiles
Supported Events
AUTORUN_CHANGECLOUD_NOTIFICATIONCODE_IDENTITYCONNECTEDDATA_DROPPEDDNS_REQUESTEXEC_OOBFILE_CREATEFILE_DELETEFILE_MODIFIEDFILE_TYPE_ACCESSEDFIM_HITHIDDEN_MODULE_DETECTEDMODULE_LOADMODULE_MEM_DISK_MISMATCHNETWORK_CONNECTIONSNETWORK_SUMMARYNEW_DOCUMENTNEW_PROCESSNEW_TCP4_CONNECTIONNEW_UDP4_CONNECTIONNEW_TCP6_CONNECTIONNEW_UDP6_CONNECTIONRECEIPTSERVICE_CHANGESHUTTING_DOWNSTARTING_UPTERMINATE_PROCESSTERMINATE_TCP4_CONNECTIONTERMINATE_UDP4_CONNECTIONTERMINATE_TCP6_CONNECTIONTERMINATE_UDP6_CONNECTIONUSER_OBSERVEDVOLUME_MOUNTVOLUME_UNMOUNTYARA_DETECTION
Supported Commands
artifact_getdeny_treedir_find_hashdir_listdns_resolvedoc_cache_getexfil_addexfil_delexfil_getfile_delfile_getfile_hashfile_infofile_movfim_addfim_delfim_gethidden_module_scanhistory_dumpmem_find_handlemem_find_stringmem_handlesmem_mapmem_readmem_stringsnetstatos_autorunsos_kill_processos_processesos_resumeos_servicesos_suspendos_versionputreg_listrejoin_networkrestartrunsegregate_networkset_performance_modeuninstallyara_scanyara_update
Artifacts
Given configured paths to collect from, the Mac sensor can batch upload logs / artifacts directly from the host.
Learn more about collecting Artifacts here.
Payloads
For more complex needs not supported by Events, Artifacts, or Commands, it's possible to execute payloads on hosts via the Mac sensor.
Learn more about executing Payloads here.
Was this article helpful?