macOS Security Event Monitor written in Swift
Part of the NullSec offensive security toolkit
Discord: discord.gg/killers
Portal: bad-antics.github.io
SwiftSentinel is a macOS security event monitor that analyzes process, file, network, and authentication events for threats. Built with Swift's protocol-oriented programming, value types, and type-safe enums for robust security analysis.
- Protocol-Oriented Design: SecurityEvent, Analyzable, Reportable
- Enums with Associated Values: Event categories, threat indicators
- Value Types (Structs): Immutable event objects
- Generics: Type-safe EventAnalyzer
- Closures: Rule definitions as first-class functions
- Pattern Matching: switch with case binding
- Optionals: Safe nil handling
- Protocol Extensions: Default implementations
| Category | Events | Detection |
|---|---|---|
| Process | Spawn, Exec, Exit | Shell injection, malware |
| File | Create, Modify, Delete | Persistence, exfiltration |
| Network | Connect, Listen, DNS | C2 communication |
| Auth | Login, Sudo, TouchID | Brute force, privilege escalation |
| System | Kernel, SIP, Gatekeeper | System tampering |
| Rule | Severity | MITRE | Description |
|---|---|---|---|
| Web Shell | CRITICAL | T1059.004 | Shell from web server |
| C2 Port | CRITICAL | T1071.001 | Known C2 port connection |
| Recon Tool | HIGH | T1046 | nmap/masscan execution |
| Sensitive File | HIGH | T1003.008 | /etc/shadow access |
| Launch Daemon | HIGH | T1543.001 | Persistence mechanism |
| Privilege Escalation | MEDIUM | T1548.003 | Sudo command |
| SSH Brute Force | MEDIUM | T1110.001 | Failed SSH attempts |
```bash
# Clone
git clone https://github.com/bad-antics/nullsec-swiftsentinel.git
cd nullsec-swiftsentinel

# Build with Swift
swiftc -O SwiftSentinel.swift -o swiftsentinel

# Or run directly
swift SwiftSentinel.swift
```

```bash
# Run demo mode
./swiftsentinel

# Monitor live events (requires root)
sudo ./swiftsentinel --live

# Filter by event type
./swiftsentinel --filter process,network

# JSON output
./swiftsentinel --json
```

```
USAGE:
    swiftsentinel [OPTIONS]

OPTIONS:
    --live           Monitor live events
    --filter         Event types (process,file,network,auth)
    --json           JSON output format
    -v, --verbose    Verbose output
```
```
╔══════════════════════════════════════════════════════════════════╗
║       NullSec SwiftSentinel - macOS Security Event Monitor       ║
╚══════════════════════════════════════════════════════════════════╝

[Demo Mode]
Analyzing macOS security events...

Processing Events...
  [Process] Event received
  [Process] Event received
  [Process] Event received
  [File] Event received
  [File] Event received
  [Network] Event received
  [Network] Event received
  [Authentication] Event received
  [Authentication] Event received

════════════════════════════════════════════════════════════════════
SECURITY ALERTS
════════════════════════════════════════════════════════════════════

[CRITICAL] Shell spawned from web server process
    ID: PROC-A1B2C3D4
    Source: EndpointSecurity
    Risk Score: 85/100
    MITRE: T1059.004
    Remediation: Investigate web server compromise, check for webshells

[CRITICAL] Connection to known C2 port
    ID: NET-E5F6G7H8
    Source: NetworkExtension
    Risk Score: 95/100
    MITRE: T1071.001
    Remediation: Block connection, investigate process

[HIGH] Network reconnaissance tool executed
    ID: PROC-I9J0K1L2
    Source: EndpointSecurity
    Risk Score: 90/100
    MITRE: T1046
    Remediation: Investigate suspicious tool execution

[HIGH] Sensitive file accessed: /etc/shadow
    ID: FILE-M3N4O5P6
    Source: EndpointSecurity
    Risk Score: 75/100
    MITRE: T1003.008
    Remediation: Review access to sensitive file

════════════════════════════════════════════════════════════════════
Summary:
  Events Processed: 9
  Alerts Generated: 8
  Critical: 2
  High: 4
  Medium: 2
  Low: 0
```
```swift
import Foundation

// Every event type exposes the same minimal surface, so analyzers and
// reporters can work on any of them through the protocol.
protocol SecurityEvent {
    var timestamp: Date { get }
    var severity: Severity { get }
    var source: String { get }
    var description: String { get }
    var mitreId: String { get }
}

// One generic analysis step; a conforming type fixes Input and Output.
protocol Analyzable {
    associatedtype Input
    associatedtype Output
    func analyze(_ input: Input) -> Output
}
```

```swift
// Each category carries its concrete event as an associated value,
// so a switch over EventCategory binds the typed payload directly.
enum EventCategory {
    case process(ProcessEvent)
    case file(FileEvent)
    case network(NetworkEvent)
    case authentication(AuthEvent)
    case system(SystemEvent)
}

// What a rule concluded, with the evidence attached to the case.
enum ThreatIndicator {
    case maliciousProcess(name: String, pid: Int)
    case suspiciousFile(path: String, operation: String)
    case c2Communication(ip: String, port: Int)
    case bruteForce(user: String, attempts: Int)
}
```

```swift
// Rules are plain closures over the event type; the first rule that
// fires produces the alert, later rules are not evaluated.
struct EventAnalyzer<E: SecurityEvent>: Analyzable {
    typealias Input = E
    typealias Output = Alert?

    private let rules: [(E) -> Alert?]

    // Explicit initializer: with a private stored property the synthesized
    // memberwise init would be private too, and callers could not build one.
    init(rules: [(E) -> Alert?]) {
        self.rules = rules
    }

    func analyze(_ input: E) -> Alert? {
        for rule in rules {
            if let alert = rule(input) {
                return alert
            }
        }
        return nil
    }
}
```

```swift
// Excerpt from the rule set (`static let` means this is declared inside
// the type that owns the rules). Shell-from-web-server check, T1059.004.
static let processRules: [(ProcessEvent) -> Alert?] = [
    { event in
        let shells = ["bash", "sh", "zsh"]
        // Fires only when a shell is spawned and the recorded path mentions nginx.
        guard shells.contains(event.name),
              event.path.contains("nginx") else {
            return nil
        }
        return Alert(
            id: "PROC-\(UUID().uuidString.prefix(8))",
            event: event,
            indicator: .maliciousProcess(name: event.name, pid: event.pid),
            riskScore: 85.0,
            remediation: "Investigate web server compromise"
        )
    }
]
```

```
┌────────────────────────────────────────────────────────────────┐
│                   SwiftSentinel Architecture                   │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  ┌──────────────────────────────────────────────────────────┐  │
│  │                Event Sources (Protocols)                 │  │
│  │  ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐         │  │
│  │  │Endpoint │ │Network  │ │Open     │ │Unified  │         │  │
│  │  │Security │ │Extension│ │Directory│ │Logging  │         │  │
│  │  └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘         │  │
│  └───────┼───────────┼───────────┼───────────┼──────────────┘  │
│          │           │           │           │                 │
│          └───────────┼───────────┼───────────┘                 │
│                      ▼           ▼                             │
│  ┌──────────────────────────────────────────────────────────┐  │
│  │           EventCategory (enum with associated)           │  │
│  │        .process(ProcessEvent) | .file(FileEvent)         │  │
│  │        .network(NetworkEvent) | .auth(AuthEvent)         │  │
│  └────────────────────────────┬─────────────────────────────┘  │
│                               │                                │
│                               ▼                                │
│  ┌──────────────────────────────────────────────────────────┐  │
│  │        EventAnalyzer<E: SecurityEvent> (Generic)         │  │
│  │  ┌────────────────────────────────────────────────────┐  │  │
│  │  │  rules: [(E) -> Alert?] (Closure Array)            │  │  │
│  │  └────────────────────────────────────────────────────┘  │  │
│  └────────────────────────────┬─────────────────────────────┘  │
│                               │                                │
│                               ▼                                │
│  ┌──────────────────┐    ┌──────────────────┐                  │
│  │      Alert       │    │    Reportable    │                  │
│  │     (struct)     │───▶│    (protocol)    │                  │
│  │    Value Type    │    │ generateReport() │                  │
│  └──────────────────┘    └──────────────────┘                  │
│                                                                │
└────────────────────────────────────────────────────────────────┘
```
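The closure-based rule engine sketched in the excerpts above, carried through to a program that compiles and runs, as an added example; it is not SwiftSentinel's own code. Type names follow the README (`SecurityEvent`, `ProcessEvent`, `AuthEvent`, `ThreatIndicator`, `Alert`, `EventAnalyzer`), but the field names `parentPath` and `success`, the `FailedLoginTracker` class, the `analyzeAll` method and the sample events are assumptions made here. Two design points the README's rule does not show: the web-shell rule inspects the parent process's executable rather than the shell's own `path`, and the brute-force rule shows how a rule that must count across events can still be packaged as a `(E) -> Alert?` closure by capturing a stateful tracker.

```swift
import Foundation

// Added example, not SwiftSentinel's own code. `parentPath`, `success`,
// FailedLoginTracker and the sample events are this example's assumptions.

enum Severity: String { case low, medium, high, critical }

protocol SecurityEvent {
    var timestamp: Date { get }
    var severity: Severity { get }
    var source: String { get }
    var description: String { get }
    var mitreId: String { get }
}

// Immutable process-spawn event. `parentPath` (assumed field) is the parent's
// executable, which is what a shell-from-web-server rule needs to look at.
struct ProcessEvent: SecurityEvent {
    let timestamp: Date
    let severity: Severity
    let source = "EndpointSecurity"
    let description: String
    let mitreId: String
    let name: String
    let path: String
    let parentPath: String
    let pid: Int
}

struct AuthEvent: SecurityEvent {
    let timestamp: Date
    let severity: Severity
    let source = "OpenDirectory"
    let description: String
    let mitreId: String
    let user: String
    let success: Bool
}

enum ThreatIndicator {
    case maliciousProcess(name: String, pid: Int)
    case bruteForce(user: String, attempts: Int)
}

struct Alert {
    let id: String
    let indicator: ThreatIndicator
    let riskScore: Double
    let remediation: String
}

// The README's analyzer stops at the first matching rule; `analyzeAll` is
// added so an event that trips several rules yields every alert.
struct EventAnalyzer<E: SecurityEvent> {
    let rules: [(E) -> Alert?]
    func analyze(_ input: E) -> Alert? {
        for rule in rules { if let alert = rule(input) { return alert } }
        return nil
    }
    func analyzeAll(_ input: E) -> [Alert] { rules.compactMap { $0(input) } }
}

// Stateless rule: a shell whose parent executable is a web server binary.
let webShellRule: (ProcessEvent) -> Alert? = { event in
    let shells: Set<String> = ["bash", "sh", "zsh"]
    let webServers = ["nginx", "httpd", "apache2"]
    guard shells.contains(event.name),
          webServers.contains(where: { event.parentPath.hasSuffix("/" + $0) })
    else { return nil }
    return Alert(id: "PROC-\(UUID().uuidString.prefix(8))",
                 indicator: .maliciousProcess(name: event.name, pid: event.pid),
                 riskScore: 85.0, remediation: "Investigate web server compromise")
}

// Stateful rule: brute force needs a count across events, which a stateless
// closure cannot hold. The closure captures this tracker, so the rule still
// fits the analyzer's [(E) -> Alert?] array.
final class FailedLoginTracker {
    private var failures: [String: [Date]] = [:]
    let threshold: Int
    let window: TimeInterval
    init(threshold: Int, window: TimeInterval) { self.threshold = threshold; self.window = window }

    // Failures for this user inside the sliding window; a success resets it.
    func record(_ event: AuthEvent) -> Int {
        guard !event.success else { failures[event.user] = nil; return 0 }
        let recent = (failures[event.user] ?? []).filter { event.timestamp.timeIntervalSince($0) <= window }
        failures[event.user] = recent + [event.timestamp]
        return recent.count + 1
    }
}

let tracker = FailedLoginTracker(threshold: 5, window: 60)
let bruteForceRule: (AuthEvent) -> Alert? = { event in
    let attempts = tracker.record(event)
    guard attempts >= tracker.threshold else { return nil }
    return Alert(id: "AUTH-\(UUID().uuidString.prefix(8))",
                 indicator: .bruteForce(user: event.user, attempts: attempts),
                 riskScore: 60.0, remediation: "Review sshd logs and rate-limit the source")
}

// Constructed sample events, not real telemetry.
let spawn = ProcessEvent(timestamp: Date(), severity: .critical, description: "exec",
                         mitreId: "T1059.004", name: "sh", path: "/bin/sh",
                         parentPath: "/usr/local/bin/nginx", pid: 4242)
if let alert = EventAnalyzer(rules: [webShellRule]).analyze(spawn) {
    print("\(alert.id) \(alert.indicator) risk=\(alert.riskScore)")
}

let authAnalyzer = EventAnalyzer(rules: [bruteForceRule])
let start = Date()
for i in 0..<6 {   // six failures within the 60 s window; alerts begin at the threshold
    let failed = AuthEvent(timestamp: start.addingTimeInterval(Double(i)), severity: .medium,
                           description: "sshd: failed password", mitreId: "T1110.001",
                           user: "admin", success: false)
    for alert in authAnalyzer.analyzeAll(failed) {
        print("\(alert.id) \(alert.indicator)")
    }
}
```

Run it with `swift` on the file. Keying the web-shell rule on the parent executable matters for precision: a shell's own path rarely says anything about who launched it, and in Endpoint Security telemetry the parent is what distinguishes an operator's terminal from a request handler that should never fork `/bin/sh`. The tracker keeps per-user state on purpose; a per-source-IP key would be the natural extension for SSH, and the window keeps memory bounded on a busy host.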
| Requirement | Swift Advantage |
|---|---|
| Type Safety | Protocol constraints, optionals |
| Performance | Value types, zero-cost abstractions |
| Expressiveness | Enums with associated values |
| Safety | Memory safety, bounds checking |
| Concurrency | async/await, actors (Swift 5.5+) |
| macOS Integration | Native Endpoint Security API |
MIT License - See LICENSE for details.
- nullsec-kotlinguard - Container scanner (Kotlin)
- nullsec-adashield - Protocol validator (Ada)
- nullsec-fsharpsignal - Threat correlator (F#)