maecer/silimon: SiliconBox Monitor
silimon
silimon is a powerful analysis tool designed to help you with software analysis. By leveraging the built-in security features of macOS, silimon lets you analyze potentially malicious or problematic binaries by collecting Endpoint Security events, Apple Unified logs and network packets. It also runs static analysis on the sample being analyzed. Together, this should give you a comprehensive overview of the sample's behavior and help you understand what it does more quickly than reversing the sample.
silimon was designed to be run in a dedicated physical or virtual malware analysis lab, but it is also fine to run it on your host for debugging or analysing regular applications. A bit like Sysmon for macOS.
It is currently built only for the ARM architecture.
Features
Endpoint Security Events Collection: Monitors and logs security events generated by the macOS Endpoint Security framework.
Apple Unified Logs Collection: Captures logs from the Unified Logging system for detailed analysis. Currently basic keyword matching but improvements are planned.
Static Analysis: Runs static analysis on the provided binary to detect potential issues before execution.
Packet Capture: Captures network traffic to identify any suspicious outbound connections or data exfiltration attempts. Currently a pcap is produced as well as a JSON file with source-destination IPv4 traffic seen.
Planned Features: More features are planned for future releases to enhance analysis capabilities.
Building from Source
Prerequisites
Because silimon uses Apple's Endpoint Security framework, it requires a privileged entitlement (com.apple.developer.endpoint-security.client) that Apple gates explicitly. Ad-hoc signing is not supported — you must have an active Apple Developer account.
silimon must also be run as root (sudo) since the Endpoint Security framework requires it.
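The following is an added example, not silimon's own code, showing what the "Endpoint Security Events Collection" feature above rests on and why the two prerequisites exist. It is a minimal notify-only Endpoint Security subscriber in Swift: it creates an ES client, maps each es_new_client failure code to the prerequisite that was not met (missing com.apple.developer.endpoint-security.client entitlement, not running as root, Full Disk Access not granted), subscribes to process-exec and file-open notifications, and logs them. It assumes the binary is signed with a Developer ID certificate carrying that entitlement and is launched with sudo; the event selection and log format are the example's own choices.

```swift
// Added example (not part of silimon): minimal Endpoint Security notify subscriber.
// Assumes: Developer ID signature with the endpoint-security.client entitlement,
// launched as root, and Full Disk Access granted to the binary.
import Foundation
import EndpointSecurity

/// Map an es_new_client result to the unmet prerequisite it usually indicates.
func describe(_ result: es_new_client_result_t) -> String {
    switch result {
    case ES_NEW_CLIENT_RESULT_SUCCESS:
        return "client created"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
        return "binary lacks com.apple.developer.endpoint-security.client (ad-hoc signing is not enough)"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
        return "must run as root (sudo)"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
        return "Full Disk Access not granted under System Settings > Privacy & Security"
    case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
        return "too many Endpoint Security clients already connected"
    default:
        return "es_new_client failed with code \(result.rawValue)"
    }
}

/// es_string_token_t is a pointer plus length and is not guaranteed NUL-terminated,
/// so copy exactly `length` bytes instead of calling String(cString:).
func string(from token: es_string_token_t) -> String {
    let bytes = UnsafeRawBufferPointer(start: token.data, count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

var client: OpaquePointer?
let result = es_new_client(&client) { _, message in
    // NOTIFY events are informational only; no es_respond_* call is needed,
    // so a slow handler cannot stall the monitored process the way an AUTH handler could.
    switch message.pointee.event_type {
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        let target = message.pointee.event.exec.target.pointee
        let path = string(from: target.executable.pointee.path)
        let signingID = string(from: target.signing_id)
        print("EXEC ppid=\(target.ppid) platform=\(target.is_platform_binary) signing_id=\(signingID) path=\(path)")
    case ES_EVENT_TYPE_NOTIFY_OPEN:
        let path = string(from: message.pointee.event.open.file.pointee.path)
        print("OPEN path=\(path)")
    default:
        break
    }
}

guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    fputs("cannot start: \(describe(result))\n", stderr)
    exit(EXIT_FAILURE)
}

// Subscribe only to the notify variants; add AUTH events only if you intend to respond to them.
let events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_OPEN]
guard es_subscribe(esClient, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr)
    _ = es_delete_client(esClient)
    exit(EXIT_FAILURE)
}

// Tear the client down cleanly on Ctrl-C so the kernel releases the subscription.
signal(SIGINT, SIG_IGN)
let sigint = DispatchSource.makeSignalSource(signal: SIGINT, queue: .main)
sigint.setEventHandler {
    _ = es_unsubscribe_all(esClient)
    _ = es_delete_client(esClient)
    exit(EXIT_SUCCESS)
}
sigint.resume()

print("listening for exec/open events; press Ctrl-C to stop")
dispatchMain()
```

Run it as `sudo ./esmon` after signing with the entitlement; when one of the prerequisites is missing, the message printed from describe() tells you which one, which is the same failure class the silimon prerequisites above are warning about.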
Installation
You can find a release pkg in https://github.com/maecer/silimon/releases/tag/v1.0.0.
It will install the silimon binary in /usr/local/bin and prompt you to add a provisioning profile named SiliconBox CLI to the device.
Because the package is not notarized, you must follow the steps below for installation:
After getting a prompt for "Apple could not verify..."
Go to System Settings > Privacy & Security, and scroll down to the Security section near the bottom.
You should see a message that signed-silimon.pkg was blocked.
Click Open Anyway, authenticate, and then proceed with installation.
Usage
silimon is a command-line tool that can be used as follows:
USAGE: silimon <sample-path> [--timeout <timeout>] [--runmode <runmode>] [--interface <interface>] [--output-dir <output-dir>] [--output-format <output-format>] [--auto-exec-sample] [--debug-output]

ARGUMENTS:
  <sample-path>                        Path to sample

OPTIONS:
  -t, --timeout <timeout>              Timeout in seconds. (default: 60)
  -r, --runmode <runmode>              Run mode options (e.g., 's - static', 'a - aul collection', 'n - network logs', 'e - esf events', 'sane - all'). (default: sane)
  -i, --interface <interface>          Network interface to capture (e.g., en0). (default: en0)
  -o, --output-dir <output-dir>        Directory to write result files and the zip archive. (default: /tmp)
  -f, --output-format <output-format>  Output format ('json', 'sqlite', or 'both'). (default: both)
  -a, --auto-exec-sample               Enable automatic execution. (default: false)
  -d, --debug-output                   Enable debug output. (default: false)
  -h, --help                           Show help information.