# Mac OS Incident Response Cheat-sheet

Just a brain dump of my notes for general macOS incident response and forensics. Feel free to add any relevant notes in the comments or email them to me and I'll build this up accordingly.

### Timestamps <a href="#timestamps" id="timestamps"></a>

On macOS most logs use Cocoa-format timestamps (seconds since 2001-01-01 00:00:00 UTC, not the Unix epoch). They are also bzip2 compressed.

### Persistence <a href="#persistence" id="persistence"></a>

To hunt for persistence, look at the following.

Startup item .plist locations (OS X 10.4 and later):

* /Library/LaunchDaemons -> **system tasks, run at system boot**
* /Library/LaunchAgents -> **tasks run when any user logs in**
* /Users/your-username/Library/LaunchAgents -> **tasks run when that specific user logs in**

The following commands list the loaded launchd agents and daemons, and unload one:

```
launchctl list
launchctl unload <path-to-plist>
```
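As an added example (not part of the original notes), a Python triage script that parses the plists in the three directories above and flags what an investigator looks at first: RunAtLoad/KeepAlive, programs or arguments living in temp or shared paths, and interpreters with inline `-c`/`-e` scripts. The suspicious-path prefixes and interpreter list are assumptions to tune for your fleet; the sample plist is constructed, not from any real incident.

```python
import glob
import os
import plistlib

# Standard launchd item locations from the list above (OS X 10.4+)
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents")]
# Locations a legitimate job rarely runs from (assumption: tune this for your fleet)
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/private/var/folders/")
# Interpreters that let the real payload hide in the argument list instead of a binary
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}

def triage_launch_item(plist_bytes):
    """Parse one LaunchAgent/LaunchDaemon plist (XML or binary) and list why it deserves a look."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    reasons = []
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive")
    if any(a.startswith(SUSPICIOUS_PREFIXES) for a in [program, *args]):
        reasons.append("temp/shared path in program or arguments")
    if os.path.basename(program) in INTERPRETERS and any(a in ("-c", "-e") for a in args):
        reasons.append("interpreter running inline script")
    return {"label": job.get("Label"), "program": program, "args": args, "reasons": reasons}

def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Triage every .plist in the standard directories; returns only items with findings."""
    hits = []
    for path in sorted(p for d in dirs for p in glob.glob(os.path.join(d, "*.plist"))):
        with open(path, "rb") as f:
            item = triage_launch_item(f.read())
        if item["reasons"]:
            hits.append((path, item))
    return hits

# Constructed sample (not from a real incident) showing the pattern the hunt is after
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
    <string>/private/tmp/.updater</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(triage_launch_item(SAMPLE_PLIST))
    for path, item in scan_launchd_dirs():
        print(path, item["reasons"])
```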

OS X before 10.4:

* /Library/StartupItems and /System/Library/StartupItems
* Kernel extensions (list the non-Apple ones):

`kextstat | grep -v com.apple`

* Cron jobs

```
crontab -l
```

```
#!/bin/zsh
# macOS keeps user accounts in Directory Services, not /etc/passwd, so enumerate them with dscl
for user in $(dscl . -list /Users); do echo "== $user"; crontab -u "$user" -l 2>/dev/null; done
```

* Login scripts

Quarantine SQLite DB:

```
/Users/<user>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
```

Extended attributes (xattrs), e.g. com.apple.quarantine on a downloaded app:

```
xattr -l "/Users/warsang/Documents/malware/helperd_installer33.app"
```

Code signature check:

```
codesign -v /path/to/MyApp.app
```

### XPCProxy <a href="#xpcproxy" id="xpcproxy"></a>

xpcproxy is the launchd helper that spawns XPC services. It can be relevant when an XPC service is running: because the service is launched by launchd/xpcproxy rather than by the app that requested it, XPC can be used to circumvent child-process-based detections.

### Timestomp <a href="#timestomp" id="timestomp"></a>

```
touch -mt 202002101023 /Users/warsang/Library/Logs/systemlogd
```

### Hide binary <a href="#hide-binary" id="hide-binary"></a>

```
chflags hidden /private/tmp/.WS21.tmp
```
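Added example, not from the original notes, covering the defender's side of the two tricks above. Given a stat result, the check flags an mtime older than the file's birth time (what `touch -mt` leaves behind, since the kernel keeps st_birthtime and bumps ctime to now) and the UF_HIDDEN flag set by `chflags hidden`. FileMeta and the sample values are constructed stand-ins so the logic runs off-box; scan_tree works on real lstat results on a live host.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the checks can be exercised off-box
FileMeta = namedtuple("FileMeta", "st_mtime st_ctime st_birthtime st_flags")

def metadata_anomalies(st, slack=60):
    """Return the reasons a file's metadata looks tampered with, judging from a stat result.

    - `touch -mt` rewrites mtime, but the kernel still bumps ctime to "now" and leaves the
      birth time (st_birthtime, macOS/BSD only) alone: an mtime older than the birth time is
      a strong sign of timestomping.
    - `chflags hidden` sets UF_HIDDEN, which Finder honours but `ls -l` does not display."""
    reasons = []
    birth = getattr(st, "st_birthtime", None)
    if birth is not None and st.st_mtime + slack < birth:
        reasons.append("mtime earlier than birthtime (timestomp?)")
    if st.st_ctime - st.st_mtime > 365 * 86400:
        # weak signal: `cp -p` and archive extraction also produce an old mtime with a new ctime
        reasons.append("mtime more than a year older than ctime (weak)")
    if getattr(st, "st_flags", 0) & stat.UF_HIDDEN:
        reasons.append("UF_HIDDEN flag set")
    return reasons

def scan_tree(root):
    """Walk a directory with lstat (do not follow symlinks) and report files with anomalies."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reasons = metadata_anomalies(os.lstat(path))
            except OSError:
                continue
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Constructed values: a file born in 2023 whose mtime was pushed back to Feb 2020, then hidden
    sample = FileMeta(st_mtime=1581330180, st_ctime=1700000000, st_birthtime=1690000000, st_flags=stat.UF_HIDDEN)
    print(metadata_anomalies(sample))
    print(scan_tree("/private/tmp"))
```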

### authdb <a href="#authdb" id="authdb"></a>

The authorization database (authorizationdb) in macOS defines which rights are required for which tasks and who can obtain them (look for suspicious high-privilege rights or processes, etc.).

* /var/db/auth.db is the backing store used by authd
* The SecurityAgent authentication popup is triggered by an authdb IPC

### App info <a href="#app-info" id="app-info"></a>

* lsappinfo → Launch Services info on running apps (e.g. the last app that ran)
* lsmp → lists Mach ports (IPC data)

### General syslogs <a href="#general-syslogs" id="general-syslogs"></a>

* /private/var/log/DiagnosticMessages/

You can read these either from Console:

```
open -a Console
```

or with syslog:

```
syslog -f /var/log/DiagnosticMessages/2019.03.11.asl | head -20
```

### Apple System logs <a href="#apple-system-logs" id="apple-system-logs"></a>

* /private/var/log/asl/
* /var/log/asl.db (OS > 10.5.6)
* Apple Unified Log (macOS 10.12 and later) ([https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/](https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/))

Unsafe API calls to keep an eye on:

[https://objective-see.com/blog/blog\_0x55.html](https://objective-see.com/blog/blog_0x55.html)

### MDNS logs <a href="#mdns-logs" id="mdns-logs"></a>

Apple is annoying for DNS logs, as you don't natively get a 1:1 correspondence between DNS lookups and the requesting process. You need to enable the below for these to be recorded:

```
sudo log config --mode "private_data:on"
log stream --predicate 'process == "mDNSResponder"' --info
```

### Password hash location on macOS <a href="#password-hash-location-macos" id="password-hash-location-macos"></a>

The hashes were in /var/db/shadow/hash/ in 10.6 and earlier; in 10.7 and 10.8 they are stored in /var/db/dslocal/nodes/Default/users/\<username>.plist

* `sudo defaults read /var/db/dslocal/nodes/Default/users/warsang.plist ShadowHashData | tr -dc 0-9a-f | xxd -r -p | plutil -convert xml1 - -o -`
* Can be cracked with hashcat, see [https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2)

### All macOS file downloads <a href="#all-macos-file-downloads" id="all-macos-file-downloads"></a>

SQLite v3 DB:

* `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2` on Lion and later
* `~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents` on Snow Leopard

You can also check a file's extended attributes (com.apple.quarantine) to get the source of the download.
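Added example (not from the original notes) that ties this section to the Timestamps note at the top: the quarantine database stores LSQuarantineTimeStamp in Cocoa seconds, while the com.apple.quarantine xattr stores hex Unix time, so the two need different conversions. The in-memory database and the xattr string are constructed samples using a subset of the real LSQuarantineEvent columns; on a live system, open the QuarantineEventsV2 path with sqlite3.connect instead.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Cocoa (Core Data) epoch is 2001-01-01 00:00:00 UTC, i.e. Unix time 978307200
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    """Convert a Cocoa timestamp (seconds since 2001-01-01 UTC) to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def parse_quarantine_xattr(value):
    """Parse a com.apple.quarantine value ('flags;hex-unix-time;agent;uuid').
    Unlike the database, the xattr stores *Unix* time, in hex, so no Cocoa offset applies."""
    flags, hextime, agent, *rest = value.split(";")
    return {"flags": int(flags, 16),
            "time": datetime.fromtimestamp(int(hextime, 16), tz=timezone.utc),
            "agent": agent, "uuid": rest[0] if rest else None}

def list_downloads(con):
    """Return download events from a QuarantineEventsV2 connection, oldest first, with UTC times."""
    rows = con.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
    ).fetchall()
    return [{"time": cocoa_to_utc(ts), "agent": agent, "url": url, "origin": origin}
            for ts, agent, url, origin in rows]

def build_sample_db():
    """Constructed in-memory stand-in for ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
    (a subset of the real LSQuarantineEvent columns); use sqlite3.connect(<path>) on a real host."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", [
        ("E1", 603000000.0, "Safari", "https://example.invalid/installer.pkg", "https://example.invalid/"),
        ("E2", 602000000.0, "curl", "https://example.invalid/helper.zip", None),
    ])
    return con

if __name__ == "__main__":
    for ev in list_downloads(build_sample_db()):
        print(ev["time"].isoformat(), ev["agent"], ev["url"], ev["origin"])
    print(parse_quarantine_xattr("0083;5e0be100;Safari;00000000-0000-0000-0000-000000000000"))
```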

### SrumDB equivalent for macOS <a href="#srumdb-equivalent-for-macos" id="srumdb-equivalent-for-macos"></a>

> netusage.sqlite and DataUsage.sqlite. These two databases contain very similar information – one is available in a backup (and file system dump), the other only in file system dumps.

* /private/var/networkd/netusage.sqlite (file system dumps only)
* /private/var/wireless/Library/Databases/DataUsage.sqlite (also present in backups, under Wireless/Library/Databases/)

### Check suspicious pkg <a href="#check-suspicious-pkg" id="check-suspicious-pkg"></a>

Use the Suspicious Package app to inspect pre/post-install scripts in packages, etc.: [https://mothersruin.com/software/SuspiciousPackage/](https://mothersruin.com/software/SuspiciousPackage/)

### Sample file <a href="#sample-file" id="sample-file"></a>

`sample` profiles a process during a time interval:

```
sudo /usr/bin/sample <PID> -wait -mayDie -file out.txt
```

### Forensic artifact list and resources <a href="#forensic-artifact-list-and-resources" id="forensic-artifact-list-and-resources"></a>

* [https://github.com/ForensicArtifacts/artifacts/blob/main/data/macos.yaml](https://github.com/ForensicArtifacts/artifacts/blob/main/data/macos.yaml)
* [https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf](https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf)
* [https://labs.sentinelone.com/macos-incident-response-part-1-collecting-device-file-system-data/](https://labs.sentinelone.com/macos-incident-response-part-1-collecting-device-file-system-data/)
* [https://github.com/pstirparo/mac4n6](https://github.com/pstirparo/mac4n6)
* [https://redcanary.com/blog/clipping-silver-sparrows-wings/](https://redcanary.com/blog/clipping-silver-sparrows-wings/) -> PlistBuddy persistence example
* [https://apple.stackexchange.com/questions/356445/how-do-i-decode-the-contents-of-apple-system-logs-in-var-log-diagnosticmessages](https://apple.stackexchange.com/questions/356445/how-do-i-decode-the-contents-of-apple-system-logs-in-var-log-diagnosticmessages)
