As macOS users become increasingly aware of cybersecurity threats, the need for robust security solutions has never been more crucial. Objective-See offers a suite of open-source security tools designed specifically for macOS, empowering users to take control of their device security. In this blog post, we’ll explore the Objective-See tools I’ve been using for the past few years, highlighting their unique features and how they enhance system protection.
What is Objective-See?
Objective-See is a company that specializes in developing open-source security tools for macOS. Founded by Patrick Wardle, a well-known security researcher, the tools are designed to empower users to protect their devices from various threats, including malware, phishing, and unauthorized access.
Key Tools from Objective-See
1. BlockBlock
Unique Features:
- Persistent Malware Detection: BlockBlock focuses on identifying applications that attempt to install themselves as persistent agents on your system. This includes applications that set themselves to launch automatically upon startup, which is a common tactic used by malware. (In the context of malware, “persistent” refers to the ability of malicious software to remain on a system and continue operating even after reboots or attempts to remove it).
- Real-time Monitoring: The tool continuously monitors specific directories that are commonly targeted for malware installations, such as LaunchAgents, LaunchDaemons, and other autostart locations. This real-time monitoring allows for immediate detection of potential threats.
- Detailed Alerts: When BlockBlock detects a new persistent agent installation, it provides detailed alerts that include information about the application trying to install itself, such as the name, path, and whether it has been previously seen or flagged as suspicious. This transparency helps users make informed decisions.
System Protection:
By blocking unauthorized installations, BlockBlock helps prevent malware from gaining a foothold in your system, significantly reducing the risk of data breaches and unauthorized access. It prevents unauthorized applications from gaining persistent access to the system, thereby minimizing the risk of malware executing harmful actions or stealing sensitive information.
A list of modes BlockBlock can be set to.
Screenshot of BlockBlock showing all the persistent items (LaunchAgents and LaunchDaemons) that have been allowed; Apple’s own items, which the system needs in order to run properly, are not listed.
A live alert from BlockBlock notifying the user of the process responsible for the action. The alert shows both the file that was modified to achieve persistence (LaunchDaemon or LaunchAgent) and the persistent item that was added. If you trust the process, click Allow; if not, click Block. Both actions create a rule that remembers your selection.
2. LuLu
Unique Features:
- Outbound Connection Control: LuLu acts as a firewall that monitors and blocks unauthorized outgoing network connections. LuLu focuses on monitoring outgoing connections rather than incoming ones. This allows it to detect when applications attempt to send data out of your system, which is crucial for identifying potential data exfiltration or malicious communication.
- Real-Time Alerts: When an application attempts to establish an outgoing connection, LuLu provides real-time alerts, notifying users of the attempt. This feature enables users to respond immediately to suspicious activities.
- Detailed Connection Information: LuLu provides detailed information about each connection attempt, including the process name, destination IP address, and port number. This transparency helps users understand the nature of the connections and make informed decisions.
- Application Whitelisting and Blacklisting: LuLu allows users to create lists of trusted applications (whitelist) and those that are not allowed to connect (blacklist).
- User-friendly Interface: The intuitive interface allows users to easily allow or deny connections based on their needs.
System Protection:
By monitoring and controlling outgoing connections, LuLu helps prevent unauthorized applications from accessing the internet. This is crucial for stopping potential malware from communicating with command-and-control servers or sending sensitive data out of the system. The real-time alerts and detailed information about connection attempts empower users to be more aware of their system’s network activity. Increased awareness allows users to detect suspicious behavior and take action before it leads to serious threats.
A list of settings that allow the user to set LuLu to a certain mode.
A list of predefined settings that can be turned on or off.
Example of a list of LuLu rules that allow connections; a rule can be changed by double-clicking the process name.
I created a LuLu rule that blocks any connection attempt from curl to display the outcome. I received a “failed to connect” message, therefore LuLu succeeded at its job.
Example of a real-time LuLu alert notifying me that python is attempting to connect to that IP address, along with a number of other important details.
By clicking on the code signing button, any user can find out whether the process is validly signed. The VirusTotal button displays the detection ratio, i.e., how many engines have flagged the item as malicious.
You can also click on the process hierarchy button to view the origins of the process.
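To make the allow/block workflow described above concrete, here is an added example (my own illustration, not LuLu’s code) of a minimal outbound-connection rule engine: a pre-existing rule blocks curl, an unknown python connection raises an alert, and the user’s answer is stored as a new rule so the same process is not asked again. The rule fields, the first-match-wins order and the process paths, IPs and ports are all assumptions constructed for this example.

```python
# Added example, not LuLu's own code: a minimal outbound-connection rule
# engine that mirrors the allow/block workflow described in the post. The
# rule fields, the "first matching rule wins" order and the process paths,
# IPs and ports below are assumptions constructed for this illustration.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Connection:
    process: str   # absolute path of the executable that opened the socket
    endpoint: str  # destination host name or IP address
    port: int      # destination port


@dataclass(frozen=True)
class Rule:
    process: str                    # rules are keyed on the executable path
    action: str                     # "allow" or "block"
    endpoint: Optional[str] = None  # None matches any destination
    port: Optional[int] = None      # None matches any port

    def matches(self, conn: Connection) -> bool:
        return (self.process == conn.process
                and self.endpoint in (None, conn.endpoint)
                and self.port in (None, conn.port))


class OutboundFilter:
    """Consults the rule list; attempts with no rule go to the user (an alert)."""

    def __init__(self, rules: List[Rule], prompt: Callable[[Connection], str]):
        self.rules = list(rules)
        self.prompt = prompt              # stands in for the alert dialog
        self.alerts: List[Connection] = []

    def decide(self, conn: Connection) -> str:
        for rule in self.rules:
            if rule.matches(conn):        # first matching rule wins
                return rule.action
        verdict = self.prompt(conn)       # no rule yet: raise an alert
        if verdict not in ("allow", "block"):
            raise ValueError(f"unexpected verdict {verdict!r}")
        self.alerts.append(conn)
        # remember the answer as a process-wide rule, as the dialog buttons do
        self.rules.append(Rule(process=conn.process, action=verdict))
        return verdict


def demo() -> dict:
    """Replays the curl block and the python alert from the captions above."""
    fw = OutboundFilter([Rule("/usr/bin/curl", "block")],   # existing rule
                        prompt=lambda c: "allow")           # user clicks Allow
    attempts = [
        Connection("/usr/bin/curl", "203.0.113.5", 443),       # constructed
        Connection("/usr/bin/python3", "203.0.113.10", 8080),  # constructed
        Connection("/usr/bin/python3", "203.0.113.10", 8080),  # repeat: no new alert
    ]
    return {
        "verdicts": [fw.decide(a) for a in attempts],
        "alerts_raised": len(fw.alerts),
        "rules_after": len(fw.rules),
    }


if __name__ == "__main__":
    print(demo())
```

Running it yields verdicts of block, allow, allow with exactly one alert raised: the second python attempt is answered by the rule created from the first, which is the behaviour that makes a prompting firewall usable day to day.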
3. TaskExplorer
Unique Features:
- Real-Time Process Monitoring: TaskExplorer allows you to view all running processes in real-time. This feature enables users to identify any unfamiliar or suspicious applications that may be running on their system.
- Detailed Process Information: The tool provides comprehensive information about each process, including its “signing status, open files, global search, network connections, loaded dynamic libraries, and virus total integration”.
- Search and Filtering: One of the most powerful features is the ability to filter and search for files, tasks, dylibs, and any active network connections.
- Interactive User Interface: TaskExplorer features an intuitive and user-friendly interface that makes it easy for users to navigate through the list of processes. This accessibility is crucial for users who may not have extensive technical knowledge.
System Protection:
By providing real-time visibility into all running processes, TaskExplorer allows users to detect and respond to potential malware infections quickly. By understanding what each process does and its legitimacy, users can better manage their system’s security. Identifying suspicious processes early can prevent further damage or data breaches.
TaskExplorer showing all the processes running on your Mac.
Showing the ability to filter or search for any task, dylibs, files, or network connections.
Clicking on the info button will display detailed information including its command line arguments, hashes, and signed status:
4. KnockKnock
Unique Features:
- Persistent Malware Detection: KnockKnock scans your system for applications that are designed to persistently run on your machine. This includes items that may not be easily detectable by traditional antivirus solutions, focusing on those that automatically start when your Mac boots up.
- Integration with VirusTotal: KnockKnock integrates with VirusTotal, allowing users to check the reputation of detected applications against a vast database of known malware. This additional layer of verification helps users assess the risk associated with each application.
- Complementing Other Security Measures: KnockKnock works well alongside other Objective-See tools, such as BlockBlock and LuLu. While BlockBlock prevents unauthorized installations, KnockKnock provides additional insights into what is already running on the system, creating a more comprehensive security strategy.
System Protection:
By identifying persistent applications, KnockKnock enables users to detect potential malware early. Many malware types are designed to remain hidden, and KnockKnock’s focus on persistence allows for proactive threat management.
After a full system scan, KnockKnock will list all the persistently installed software (Launch Agents and Launch Daemons). Do not be afraid: every computer system has some sort of persistent software installed, especially the software that comes preinstalled. The preinstalled software is needed for the system to function properly.
A pop up notice that notifies a user the scan was completed.
File information for one of the processes; click on the “i” (info) button to view it.
If the process is persisted via a property list (plist), you can click on it to view its contents. A property list in macOS is a structured way to store serialized data. One way to use a property list is to create a launch daemon or launch agent, which are used to create persisted software.
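The BlockBlock section above describes monitoring the LaunchAgents and LaunchDaemons folders, and the KnockKnock section describes scanning what is already persisted there. The following added example (my own illustration, neither tool’s code) shows the underlying mechanics for both: it parses a launchd property list, extracts what the item would execute, and applies a few review heuristics. The trusted path prefixes, the interpreter-with-inline-command and hidden-folder checks, and the two sample plists are assumptions constructed for this example.

```python
# Added example, not BlockBlock's or KnockKnock's code: parses launchd
# property lists from the LaunchAgents/LaunchDaemons folders named in the
# post and reports what each item would start. The review heuristics and
# the sample plists are assumptions constructed for this illustration.
import plistlib
from pathlib import Path
from typing import Iterable, List
from xml.parsers.expat import ExpatError

PERSISTENCE_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript", "perl", "ruby"}


def parse_launchd_plist(data: bytes, location: str) -> dict:
    """Pulls the fields that decide what a launch agent/daemon executes."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "location": location,
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),  # bool or dict
    }


def review(item: dict) -> List[str]:
    """Returns the reasons (possibly none) an item deserves a closer look."""
    reasons = []
    program = item["program"] or ""
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside the trusted system paths")
    if Path(program).name in INTERPRETERS and "-c" in item["arguments"]:
        reasons.append("interpreter launched with an inline command (-c)")
    for p in [program, *item["arguments"]]:
        if any(part.startswith(".") for part in Path(p).parts):
            reasons.append(f"references a hidden path: {p}")
            break
    return reasons


def scan(dirs: Iterable[Path] = PERSISTENCE_DIRS) -> List[dict]:
    """KnockKnock-style pass over the persistence folders on this machine."""
    found = []
    for d in dirs:
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.plist")):
            try:
                item = parse_launchd_plist(f.read_bytes(), str(f))
            except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as e:
                item = {"location": str(f), "label": None, "program": None,
                        "arguments": [], "run_at_load": False,
                        "keep_alive": False, "error": str(e)}
            item["reasons"] = review(item)
            found.append(item)
    return found


# Constructed sample: a daemon running a shell one-liner from a hidden folder.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string>
         <string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an on-demand helper under a trusted prefix.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/usr/libexec/example-helper</string>
</dict></plist>"""

if __name__ == "__main__":
    for blob, loc in [(SUSPICIOUS_PLIST, "/Library/LaunchDaemons/com.example.updater.plist"),
                      (BENIGN_PLIST, "/Library/LaunchAgents/com.example.helper.plist")]:
        item = parse_launchd_plist(blob, loc)
        print(item["label"], item["program"], review(item))
    for item in scan():          # real folders on a Mac; empty elsewhere
        print(item["location"], item["reasons"])
```

The parse step is what both tools have to get right first: Program versus ProgramArguments decides the executable, and RunAtLoad/KeepAlive decide whether the item starts at boot or only on demand. The review step is deliberately a hint list, not a verdict; as the caption above says, every Mac has persistent items, so the goal is to surface the few that warrant a VirusTotal or code-signing check.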
5. Netiquette
Unique Features:
- Real-time Monitoring: Netiquette provides real-time monitoring of network traffic, allowing users to see what data is being sent and received.
- Network Traffic Visualization: Netiquette provides a visual representation of network traffic, allowing users to see which applications are communicating over the internet. This visualization helps in understanding how data is flowing to and from their system.
- Detailed Connection Information: The tool offers detailed information about each network connection, including the application name, destination IP address, protocol used, and the amount of data being transmitted. This level of detail aids in identifying suspicious activities.
- Application-Specific Insights: The tool provides insights specific to each application’s network activity, helping users understand which apps are consuming bandwidth and communicating with external servers. This can help identify unnecessary or potentially harmful applications.
System Protection:
By monitoring network traffic, Netiquette helps users identify unauthorized applications attempting to communicate over the internet. This is crucial for detecting potential malware or unwanted software. The real-time monitoring and visualization features enhance user awareness of their system’s network activity. Increased awareness allows users to respond quickly to suspicious or unexpected traffic.
Example of active connections on my network and all the connections associated with each application. You can expand or collapse the detailed view of each application. I only expanded a few of the applications to show as an example.
A list of predefined settings that can be turned on or off.
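Netiquette’s per-application tree of connections can be approximated by hand from the output of `lsof -nP -iTCP`. The added example below (my own illustration, not Netiquette’s code, which does not work this way) parses that output into records, groups them per process as the expandable view above does, and flags established connections whose destination port is not expected for that process. The column layout is lsof’s; the sample output, process names, IPs and ports are constructed for this example.

```python
# Added example, not Netiquette's own code: builds a per-application
# connection view from the text output of `lsof -nP -iTCP`. The column
# layout is lsof's real one; the sample lines, processes, IPs and ports
# are constructed for this illustration (documentation address ranges).
from collections import defaultdict
from typing import Dict, List, Optional, Set

SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari      512 alice   41u  IPv4 0x1a2b3c4d5e6f0001      0t0  TCP 192.168.1.20:52301->203.0.113.5:443 (ESTABLISHED)
Safari      512 alice   44u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP 192.168.1.20:52302->203.0.113.6:443 (ESTABLISHED)
node        777 alice   23u  IPv6 0x1a2b3c4d5e6f0003      0t0  TCP *:3000 (LISTEN)
python3     901 alice    3u  IPv4 0x1a2b3c4d5e6f0004      0t0  TCP 192.168.1.20:52390->198.51.100.7:8080 (ESTABLISHED)
"""


def parse_lsof(text: str) -> List[dict]:
    """One record per socket line; the header row and short lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 8)   # NAME keeps its trailing "(STATE)"
        if len(parts) < 9 or not parts[1].isdigit():
            continue
        name = parts[8]
        state: Optional[str] = None
        if name.endswith(")"):
            name, _, state = name.rpartition(" (")
            state = state.rstrip(")")
        local, _, remote = name.partition("->")
        records.append({
            "command": parts[0], "pid": int(parts[1]), "user": parts[2],
            "proto": parts[7], "local": local,
            "remote": remote or None,   # None for listening sockets
            "state": state,
        })
    return records


def per_application(records: List[dict]) -> Dict[str, List[str]]:
    """Groups sockets by process, like Netiquette's collapsible tree."""
    tree: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        target = r["remote"] or f"listening on {r['local']}"
        tree[f"{r['command']} ({r['pid']})"].append(f"{target} [{r['state']}]")
    return dict(tree)


def remote_port(record: dict) -> Optional[int]:
    """Port of the remote endpoint; handles bracketed IPv6 addresses."""
    if not record["remote"]:
        return None
    return int(record["remote"].rsplit(":", 1)[1])


def unexpected(records: List[dict], expected: Dict[str, Set[int]]) -> List[dict]:
    """Established connections to a port not in the process's expected set.

    Processes absent from `expected` are flagged on any established connection."""
    flagged = []
    for r in records:
        if r["state"] != "ESTABLISHED":
            continue
        if remote_port(r) not in expected.get(r["command"], set()):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for app, conns in per_application(recs).items():
        print(app)
        for c in conns:
            print("   ", c)
    for r in unexpected(recs, {"Safari": {80, 443}}):
        print("unexpected:", r["command"], "->", r["remote"])
```

On the constructed input the browser’s two HTTPS connections are expected, the node listener is skipped because it is not an established outbound connection, and python3 talking to port 8080 is the one line a user would want to investigate, which is the same triage Netiquette’s grouped view lets you do by eye.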
6. ReiKey
Unique Features:
- Detect Event Taps: Scan for, detect, and monitor keyloggers. ReiKey is specifically designed to identify keyloggers running on a macOS system. It monitors for processes that may be capturing keystrokes, giving users the ability to detect malicious activity.
- Detailed Process Information: ReiKey provides comprehensive details about any detected keyloggers, including the process name, path, and the user account associated with it.
- Real-Time Monitoring: The tool continuously monitors for suspicious behavior related to keystroke recording. This real-time monitoring allows users to be alerted immediately if a keylogger is detected, enabling swift action.
System Protection:
By actively monitoring for keyloggers, ReiKey helps users detect potential threats early. Early detection is crucial in preventing keyloggers from capturing sensitive information over an extended period.
Predefined settings that can be turned on or off.
An example of an alert generated by ReiKey informing me that a new keyboard event tap was detected. In order to demonstrate how ReiKey works, I created a simple keylogger using Python. As soon as I executed the Python script, ReiKey detected the keylogger instantly.
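The “keyboard event tap” in the alert above is a CoreGraphics event tap whose event mask includes key events. The added example below (my own illustration, not ReiKey’s code, and not a reproduction of ReiKey’s exact criteria) shows how such taps can be classified and how a new tap is spotted by comparing two snapshots. The constant values are Apple’s from CGEventTypes.h and the record fields mirror CGEventTapInformation, but the tap records, PIDs and executable paths are constructed for this example; a real scan would fill them in from CGGetEventTapList.

```python
# Added example, not ReiKey's own code: classifies CoreGraphics event-tap
# records and reports taps that are new since an earlier snapshot. Constant
# values are Apple's (CGEventTypes.h); the records, PIDs and paths below
# are constructed for this illustration.
from typing import Dict, List

# Event types and the masks built from them (CGEventTypes.h)
kCGEventLeftMouseDown, kCGEventMouseMoved = 1, 5
kCGEventKeyDown, kCGEventKeyUp, kCGEventFlagsChanged = 10, 11, 12
KEYBOARD_MASK = (1 << kCGEventKeyDown) | (1 << kCGEventKeyUp) | (1 << kCGEventFlagsChanged)
MOUSE_MASK = (1 << kCGEventLeftMouseDown) | (1 << kCGEventMouseMoved)
kCGEventMaskForAllEvents = 0xFFFFFFFFFFFFFFFF
# Tap locations and options
kCGHIDEventTap, kCGSessionEventTap, kCGAnnotatedSessionEventTap = 0, 1, 2
kCGEventTapOptionDefault, kCGEventTapOptionListenOnly = 0, 1

TRUSTED_PREFIXES = ("/System/",)   # assumption for this example: skip Apple's own taps


def is_keyboard_tap(tap: dict) -> bool:
    """Enabled, targets every process (processBeingTapped == 0) and asks
    for key events: the shape a keystroke-capturing tap has to take."""
    return (bool(tap["enabled"])
            and tap["processBeingTapped"] == 0
            and bool(tap["eventsOfInterest"] & KEYBOARD_MASK))


def suspicious_taps(taps: List[dict], exe_of: Dict[int, str]) -> List[dict]:
    """Keyboard taps owned by processes outside the trusted prefixes."""
    out = []
    for tap in taps:
        path = exe_of.get(tap["tappingProcess"], "<unknown>")
        if is_keyboard_tap(tap) and not path.startswith(TRUSTED_PREFIXES):
            mode = "listen-only" if tap["options"] == kCGEventTapOptionListenOnly else "filtering"
            out.append({**tap, "path": path, "mode": mode})
    return out


def new_taps(before: List[dict], after: List[dict]) -> List[dict]:
    """Monitoring step: taps present now that were absent from the earlier snapshot."""
    seen = {t["eventTapID"] for t in before}
    return [t for t in after if t["eventTapID"] not in seen]


def _tap(tid, proc, mask, point=kCGSessionEventTap,
         opts=kCGEventTapOptionListenOnly, target=0) -> dict:
    """Builds a record with CGEventTapInformation's field names."""
    return {"eventTapID": tid, "tapPoint": point, "options": opts,
            "eventsOfInterest": mask, "tappingProcess": proc,
            "processBeingTapped": target, "enabled": True}


# Constructed snapshots: the paths are placeholders, not real binaries.
EXE_OF = {
    120: "/System/Library/CoreServices/example-agent",        # stands in for a system process
    643: "/Applications/ExampleMouseTool.app/Contents/MacOS/ExampleMouseTool",
    905: "/usr/local/bin/python3",                           # interpreter of the demo script
}
BEFORE = [
    _tap(1, 120, kCGEventMaskForAllEvents, point=kCGAnnotatedSessionEventTap),
    _tap(2, 643, MOUSE_MASK),                 # mouse-only utility
]
AFTER = BEFORE + [_tap(3, 905, KEYBOARD_MASK)]  # the new session-level keyboard tap


def demo() -> List[str]:
    """Executable paths that would trigger an alert once the new tap appears."""
    return [t["path"] for t in suspicious_taps(new_taps(BEFORE, AFTER), EXE_OF)]


if __name__ == "__main__":
    for t in suspicious_taps(AFTER, EXE_OF):
        print(f"keyboard tap {t['eventTapID']} by pid {t['tappingProcess']} ({t['path']}), {t['mode']}")
    print("new since last snapshot:", demo())
```

Two details are worth noting. First, the system tap with an all-events mask does include key events, so a trusted-path allow list (or better, a code-signing check as ReiKey offers) is what keeps the report readable. Second, listen-only taps are enough to capture keystrokes, so the option flag tells you whether the tap can modify input but never whether it is harmless.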
Conclusion
By utilizing Objective-See’s open-source tools, everyday macOS users can significantly enhance their device security. These tools provide essential protection against various cyber threats, from unauthorized network connections to persistent malware installations. Download and test out the tools discussed to get started with your security journey and ensure that your macOS device remains safe and secure. Regularly monitoring your system and keeping these tools updated will help maintain a robust security posture in an increasingly digital world.