macOS
- 13 Aug 2024
  This documentation version is deprecated, please click here for the latest version.
LimaCharlie's Mac sensor interfaces with the kernel to acquire deep visibility into the host's activity while taking measures to preserve the host's performance. The Mac sensor currently supports all versions of macOS 10.7 and up.
Installation Instructions
Basic sensor installation instructions can be found here.
Looking for alternative installation methods?
- macOS Sensor Installation - Latest OS Versions
- macOS Sensor Installation - Older OS Versions
- macOS Sensor Installation - MDM Configuration profiles
 
Supported Events
- AUTORUN_CHANGE
- CLOUD_NOTIFICATION
- CODE_IDENTITY
- CONNECTED
- DATA_DROPPED
- DNS_REQUEST
- EXEC_OOB
- FILE_CREATE
- FILE_DELETE
- FILE_MODIFIED
- FILE_TYPE_ACCESSED
- FIM_HIT
- HIDDEN_MODULE_DETECTED
- MODULE_LOAD -- temporarily disabled
- MODULE_MEM_DISK_MISMATCH
- NETWORK_CONNECTIONS
- NETWORK_SUMMARY
- NEW_DOCUMENT
- NEW_PROCESS
- NEW_TCP4_CONNECTION
- NEW_UDP4_CONNECTION
- NEW_TCP6_CONNECTION
- NEW_UDP6_CONNECTION
- RECEIPT
- SERVICE_CHANGE
- SHUTTING_DOWN
- SSH_LOGIN
- SSH_LOGOUT
- STARTING_UP
- TERMINATE_PROCESS
- TERMINATE_TCP4_CONNECTION
- TERMINATE_UDP4_CONNECTION
- TERMINATE_TCP6_CONNECTION
- TERMINATE_UDP6_CONNECTION
- USER_LOGIN
- USER_LOGOUT
- USER_OBSERVED
- VOLUME_MOUNT
- VOLUME_UNMOUNT
- YARA_DETECTION
Supported Commands
- artifact_get
- deny_tree
- dir_find_hash
- dir_list
- dns_resolve
- doc_cache_get
- exfil_add
- exfil_del
- exfil_get
- file_del
- file_get
- file_hash
- file_info
- file_mov
- fim_add
- fim_del
- fim_get
- hidden_module_scan
- history_dump
- mem_find_handle
- mem_find_string
- mem_handles
- mem_map
- mem_read
- mem_strings
- netstat
- os_autoruns
- os_kill_process
- os_processes
- os_resume
- os_services
- os_suspend
- os_version
- put
- reg_list
- rejoin_network
- restart
- run
- segregate_network
- set_performance_mode
- uninstall
- yara_scan
- yara_update
Artifacts
Given configured paths to collect from, the Mac sensor can batch upload logs / artifacts directly from the host.
Learn more about collecting Artifacts here.
Payloads
For more complex needs not supported by Events, Artifacts, or Commands, it's possible to execute payloads on hosts via the Mac sensor.
Learn more about executing Payloads here.