macOS Incident Response Cheat-sheet

Just a brain dump of my notes for general macOS incident response and forensics. Feel free to add any relevant notes in the comments or email them to me and I'll build this up accordingly.

Timestamps

On macOS most logs and databases use Cocoa timestamps (seconds since 2001-01-01 00:00:00 UTC, not the Unix epoch). Many logs are also bzip2 compressed.

Persistence

To hunt for persistence, one can look at:

Launch agent and daemon .plist file locations (OS X 10.4 and later):

  • /Library/LaunchDaemons -> system-wide daemons, started at boot

  • /Library/LaunchAgents -> agents started at any user's login

  • /Users/your-username/Library/LaunchAgents -> agents started only when that specific user logs in

The following commands list the loaded launchd agents and daemons, and unload one:

launchctl list
launchctl unload XXXX   # XXXX = path to the agent/daemon .plist

OS X before 10.4:

  • /Library/StartupItems and /System/Library/StartupItems

  • Kernel extensions

kextstat | grep -v com.apple   # loaded kexts that are not Apple's

  • Cron jobs

crontab -l

#!/bin/zsh
# list the crontab of every local user
for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l; done

  • Login scripts

Quarantine SQLite DB

/Users/<user>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Extended attributes (xattr) and code signature

xattr -l "/Users/warsang/Documents/malware/helperd_installer33.app"

codesign -v /path/to/MyApp.app

xpcproxy

Worth noting when an XPC service is running (XPC can be used to circumvent child-process-based detections).

Timestomp

touch -mt 202002101023 /Users/warsang/Library/Logs/systemlogd

Hide binary

chflags hidden /private/tmp/.WS21.tmp

authdb

The authorization database (authorizationdb) in macOS defines the rules for who may perform which privileged tasks (look for suspicious rules or high-privilege processes, etc.).

  • /var/db/auth.db is the backing store used by authd

  • The SecurityAgent authentication popup is triggered by an authd/authdb IPC call

App info

  • lsappinfo → shows the last app that ran

  • lsmp → shows Mach port/IPC data

General syslogs

  • /private/var/log/DiagnosticMessages/

These can be read either from Console:

$ open -a Console

Or with syslog:

$ syslog -f /var/log/DiagnosticMessages/2019.03.11.asl | head -20

Apple System logs

Unsafe API calls to keep an eye on

https://objective-see.com/blog/blog_0x55.html

mDNS logs

Apple is annoying for DNS logs: there is no native 1:1 correspondence between DNS log entries and the requesting process. You need to enable private data logging for these to be recorded:

$ sudo log config --mode "private_data:on"
$ log stream --predicate 'process == "mDNSResponder"' --info

Password hash location on macOS

The hashes were in /var/db/shadow/hash/ in 10.6 and earlier; in 10.7 and 10.8 they are stored in /var/db/dslocal/nodes/Default/users/<username>.plist.

All macOS file downloads

SQLite v3 DB

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (Lion onward)

~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents (Snow Leopard)

The downloaded file's extended attributes (xattr -l, see above) also record the source of the download.
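As an added example (not part of the original notes), the following Python ties the Timestamps note to the quarantine database: it builds a constructed sample QuarantineEventsV2 database using a subset of the real LSQuarantineEvent columns, reads it back newest-first, and converts the Cocoa LSQuarantineTimeStamp values to UTC. The column and table names are the real ones; the rows, URLs and temporary path are constructed.

```python
import sqlite3, tempfile
from datetime import datetime, timezone, timedelta

# Cocoa timestamps count seconds from 2001-01-01 00:00:00 UTC, not from the
# Unix epoch; the two epochs differ by 978307200 seconds.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_datetime(ts):
    """Convert a Cocoa timestamp (seconds since 2001-01-01 UTC) to a UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=float(ts))

def datetime_to_cocoa(dt):
    """Inverse of cocoa_to_datetime; used here only to build the constructed sample."""
    return (dt - COCOA_EPOCH).total_seconds()

def load_quarantine_events(db_path):
    """Return download events from a QuarantineEventsV2 database, newest first,
    with LSQuarantineTimeStamp rendered as ISO-8601 UTC."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
            "LSQuarantineDataURLString, LSQuarantineOriginURLString "
            "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC").fetchall()
    finally:
        conn.close()
    return [{"time": cocoa_to_datetime(ts).isoformat(), "agent": agent,
             "url": url, "origin": origin} for ts, agent, url, origin in rows]

def build_sample_db(db_path):
    """Write a constructed sample database (subset of the real table's columns)."""
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT "
                     "PRIMARY KEY, LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
                     "LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)")
        conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", [
            ("EVT-1", datetime_to_cocoa(datetime(2020, 2, 10, 10, 23, tzinfo=timezone.utc)),
             "Safari", "https://example.invalid/helperd_installer33.dmg", "https://example.invalid/"),
            ("EVT-2", datetime_to_cocoa(datetime(2019, 3, 11, 8, 0, tzinfo=timezone.utc)),
             "Mail", "https://example.invalid/report.pdf", None)])
    conn.close()

def demo():
    """Build the sample DB in a temporary directory and parse it; returns the events."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/com.apple.LaunchServices.QuarantineEventsV2"
        build_sample_db(path)
        return load_quarantine_events(path)
```

Point load_quarantine_events() at a copy of a user's real QuarantineEventsV2 file to get the same newest-first list with human-readable UTC times.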

SRUM DB equivalent for macOS

netusage.sqlite and DataUsage.sqlite. These two databases contain very similar information; one is available in a backup (and in a file system dump), the other only in file system dumps.

  • /private/var/networkd/netusage.sqlite

  • /private/var/wireless/Library/Databases/DataUsage.sqlite (in a backup: Wireless/Library/Databases/)

Check suspicious pkgs

-> The Suspicious Package app can be used to inspect pre/post-install scripts and the contents of .pkg installers: https://mothersruin.com/software/SuspiciousPackage/

Sample a process

sample -- Profile a process during a time interval

  • sudo /usr/bin/sample <PID> -wait -mayDie -f out.txt

Forensic Artifact list and resources: