Mac OS Incident Response Cheat-sheet

Just a brain dump of my notes for general Mac Os Incident Response and Forensics. Feel free to add any relevant notes in the comments or email them to me and I'll build this up accordingly.

Timestamps

On MacOS most logs are in Cocoa format timestamps. They're also bzip compressed.

Persistence

To hunt for persistence, one can look at:

Startup Items .plist file locations: OSX 10.4 +

/Library/LaunchDaemons -> System tasks on system run
/Library/LaunchAgents -> System tasks on any user login
/Users/your-username/Library/LaunchAgents -> System tasks on specific user login

The following commands will list launchd agents and Daemons

launchctl list;
launchtl unload XXXX

OSX 10.4-

Library/StartupItems and /System/Library/StartupItems
kernel extensions

kextstat | grep -v com.apple

Cron job

crontab -l

#!/bin/zsh
for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done

Quarantine sqlitedb

/Users/<user>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

xattributes

xattr -l "/Users/warsang/Documents/malware/helperd_installer33.app"


codesign -v /path/to/MyApp.app

XPCProxy

Can be relevant of an xpc service running ( can be usesd to circumvent child process based detections)

Timestomp

touch -mt 202002101023 /Users/warsang/Library/Logs/systemlogd

Hide binary

chflags hidden /private/tmp/.WS21.tmp

authdb:

The authorizationdb in macOS defines rules around who can do which tasks in macOS (look for suspicious high privd process etc.)

/var/db/auth.db is what is used by authd
The SecurityAgent auth popup is triggered by an authdb IPC

App info

lsappinfo → gives last app that ran
lsmp gives ipc data

General syslogs

/private/var/log/DiagnosticMessages/

Can read these either from console:

$ open -a console

Or using syslog:

$ syslog -f /var/log/DiagnosticMessages/2019.03.11.asl | head -20

Apple System logs

/private/var/log/asl/
/var/log/asl.db ( OS > 10.5.6)
Apple Unified Log (OS > macOS 10.12) (https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/)

Unsafe API call to keep an eye on

https://objective-see.com/blog/blog_0x55.html

MDNS logs

Apple is annoying for DNS logs as you don't natively have a 1:1 correpsondence of dns logs to process. You need to enable the below for these to be recored

sudo log config --mode "private_data:on"
$ log stream --predicate 'process == "mDNSResponder"' --info

Password Hash location MacOs

The hashes were in /var/db/shadow/hash/ in 10.6 and earlier, but they are stored in /var/db/dslocal/nodes/Default/users/username. plist in 10.7 and 10.8

sudo defaults read /var/db/dslocal/nodes/Default/users/warsang.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -
Can crack using hashcat with https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2

All MACOS file downloads

SQLITEv3 DB

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 on Lion

~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents on Snow Leopard after

Can also check extended attributes to get source of download

SrumDB equivalent for MACOS

netusage.sqlite and DataUsage.sqlite. These two databases contain very similar information – one is available in a backup (and file system dump) the other only in file system dumps.

/private/var/networkd/netusage.sqlite [19659004] Backup: / Wireless / Library / Databases /
/private/var/wireless/Library/Databases/DataUsage.sqlite

Check suspicious pkg

-> Can use Suspicious package app to see pre/postinstall scripts on packages etc. https://mothersruin.com/software/SuspiciousPackage/

Sample File

sample -- Profile a process during a time interval

sudo /usr/bin/sample <PID> -wait -mayDie -f out.txt

Forensic Artifact list and resources:

PreviousKringlecon 22 and chatGPT fun NextZero2Auto Bi-weekly challenge 5