


Let’s assume for the purposes of our scenario, then, that an employee has brought us a machine after discovering and removing a malware infection. This is quite a different process from what we will cover here, which is more akin to a SOC team investigation to determine what an intruder or a malware infection may have done that has not already been logged by detection software. The machine is still powered on, and we have the necessary credentials (and authority) to examine the machine fully. Has there been lateral movement, has data been exfiltrated, has there been system manipulation? Are there other indicators of attack or compromise that we haven’t yet discovered? These are the questions that we want to set out to answer as quickly as possible in order to protect the business.

Say Hello to Sysdiagnose

With that out of the way, let’s set about collecting some initial information.
You could invest quite some time writing your own custom scripts to collect that and other information (we’ll do a bit of custom script writing later in this series), but if you have direct access to the machine you can save yourself a lot of work by leveraging the built-in sysdiagnose tool provided by Apple. The sysdiagnose tool was not designed for security or incident response purposes. Apple wrote it for macOS beta testers as a means of collecting just about everything they could ever want to know about a Mac when investigating OS bug reports. But for that reason, it’s ideal for our purposes, too. There are a bunch of command line options you can specify (see the sysdiagnose man page), but for our purposes we will just run it in vanilla mode. Here’s an image showing just some of the data that it collects. What’s even nicer, from the point of view of convenience, is that if you have physical access to the machine you can kick off the report simply by pressing this keychord: Control-Option-Command-Shift-Period. If you get it right, you’ll see the display briefly flash, indicating that the process has begun. If using the keychord is a problem for any reason, head over to the Terminal app.
Exploring Files Collected by Sysdiagnose

When sysdiagnose has finished, it’ll pop a Finder window showing you the compressed result. Copy it off to your local machine, then double-click it to unpack it and have a quick scroll through what’s been collected. Yes, there’s a lot of juicy stuff in there: everything from a full ps to netstat, kextstat, system_profiler, top, Wifi scans and much, much more. When working with large amounts of text files I like to use BBEdit, which offers many useful functions for quickly searching and manipulating multiple files.
Of course, if you have your own way of working with large sets of files, that’s fine, too. If you have BBEdit in the Dock, grab the sysdiagnose parent folder in the Finder and drag and drop it on top of the BBEdit Dock icon. When the project view opens up, scroll down to the logs folder in BBEdit’s Sidebar, click the disclosure triangle and scroll down again. You should see useful things like Install.log and InstallHistory.plist among many other goodies. Still in the logs subfolder, find the folder SystemExp, descend into that and open up the folder named “Dock” (followed by a date and timestamp). In here, you’ll find useful stuff such as CachedWindows.txt, which might tell you a little about the user’s recent activity (although much more to come on that in the following post!). Also, take a look at the dockextras.txt file, which may include info on things like the last time the user connected to Facetime, Messages and a bunch of other apps. Before we move on, a note about the timestamps you see here, as you’ll encounter these elsewhere in macOS logs. Timestamps like this 587381138.016775 may look like Unix epoch timestamps (that is, seconds since 1 January 1970), but if you try to convert them using Unix epoch time you’ll get nonsense dates.
To convert them, add the difference between Unix and Cocoa start dates in seconds (that’s a fixed integer of 978307200) and use the date command line utility with the -r switch. We remove the fraction of a second and just deal with the whole integer, like so: That returns the more human-friendly date of Tue 16:25:37 +07 from the Cocoa timestamp.

Finding Traces of Malicious Activity

Just below the logs folder you should see a file lsappinfo.txt. Click on it to load it into the main editor window. This file contains a lot of useful data about currently running applications, but even more useful for incident response – when we’re likely faced with a situation where malware has been and gone – is to look in the two files below, the admin (501) and root (0) dumps of lsregister. These are dumps of the databases held by Launch Services and contain detailed information about every application that has been available to the user. Let’s walk through a practical example of how we might use this information to learn more about an infection. If you scroll through lsregister-0.txt, you’ll notice each record has a path field and many have a CFBundleIdentifier field.
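The Cocoa-to-Unix conversion from the timestamp note above, as an added shell example that is not from the original post: it strips the fractional seconds, adds the 978307200 offset, and formats the result with date, using the BSD -r switch on macOS and GNU date’s -d @ form elsewhere so the same script also runs on a Linux analysis box. The timestamp 587381138.016775 is the one quoted above; the output here is printed in UTC rather than the +07 zone the post’s machine was set to.

```shell
#!/bin/sh
# Added example: convert macOS "Cocoa" timestamps (seconds since 2001-01-01 00:00:00 UTC)
# to Unix epoch seconds and then to a readable date.

COCOA_OFFSET=978307200   # seconds from 1970-01-01 (Unix epoch) to 2001-01-01 (Cocoa epoch)

# cocoa_to_epoch <cocoa timestamp>: drop the fractional seconds and add the offset.
# cocoa_to_epoch 587381138.016775 -> 1565688338
cocoa_to_epoch() {
    whole=${1%%.*}                      # keep only the integer part
    case "$whole" in
        ''|*[!0-9]*) echo "cocoa_to_epoch: not a timestamp: '$1'" >&2; return 1 ;;
    esac
    echo $((whole + COCOA_OFFSET))
}

# epoch_to_date <unix seconds>: print the date in UTC.
# BSD date (macOS) takes the seconds with -r; GNU date (Linux) needs -d @<seconds>.
epoch_to_date() {
    fmt='+%a %d %b %Y %H:%M:%S %z'
    if date --version >/dev/null 2>&1; then
        LC_ALL=C date -u -d "@$1" "$fmt"       # GNU date
    else
        LC_ALL=C date -u -r "$1" "$fmt"        # BSD date
    fi
}

# cocoa_to_date <cocoa timestamp>: the two steps combined.
cocoa_to_date() {
    secs=$(cocoa_to_epoch "$1") || return 1
    epoch_to_date "$secs"
}

# Run on the timestamp quoted in the post:
cocoa_to_date 587381138.016775     # Tue 13 Aug 2019 09:25:38 +0000
```

Drop the -u if you want the date in the analysis machine’s local zone; what matters for a timeline is that the same zone is used for every timestamp you convert.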
There’s a bunch of commodity adware/PUP programs, but the ones in red are particularly interesting. The highlighted ones will stand out to anyone familiar with macOS malware. Let’s see what more we can find out about them. We’ll start with the bottom one, since that kind of bundle identifier is a non-standard pattern rarely used by legitimate software. Using BBEdit’s Multi-File Search function (Shift-Command-F), we can rapidly search through all the files collected by sysdiagnose for this identifier and see what else is known about it. Add the identifier to the “Find” field and choose “Frontmost project” from the “Search in:” panel below.
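The same identifier search done from the shell, as an added example that is not from the original post. It pulls the (path, CFBundleIdentifier) pairs out of the lsregister dumps and then counts, for each identifier, how many files in the unpacked sysdiagnose folder mention it, which is what the multi-file search does in BBEdit. The dump excerpt it builds is a constructed approximation of the lsregister format (a separator line of dashes between records, a path: line, and a CFBundleIdentifier = "..."; line), the lsappinfo.txt line is likewise constructed, and example.placeholder.Player is a made-up identifier, not one from the post.

```shell
#!/bin/sh
# Added example: triage Launch Services records from an unpacked sysdiagnose folder.
# For every CFBundleIdentifier in lsregister-*.txt, count how many collected files
# mention it. An identifier that shows up only in the lsregister dump is a candidate
# for "was installed once, gone now" follow-up.

# lsregister_apps <dir>: print "identifier<TAB>path" for each record in lsregister-*.txt
# (record layout assumed: dashed separator line, "path:" line, CFBundleIdentifier = "..."; line)
lsregister_apps() {
    cat "$1"/lsregister-*.txt | awk '
        /^----------/ { if (id != "") print id "\t" path; id = ""; path = ""; next }
        /^[ \t]*path:/ { sub(/^[ \t]*path:[ \t]*/, ""); path = $0 }
        /CFBundleIdentifier[ \t]*=/ {
            if (match($0, /"[^"]*"/)) id = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END { if (id != "") print id "\t" path }
    ' | sort -u
}

# mentions <dir> <string>: number of files under <dir> containing <string> (fixed-string grep)
mentions() {
    grep -rlF -- "$2" "$1" | wc -l | tr -d ' '
}

# triage <dir>: "<file count><TAB>identifier<TAB>path", one line per Launch Services record
triage() {
    dir=$1
    lsregister_apps "$dir" | while IFS="$(printf '\t')" read -r id path; do
        printf '%s\t%s\t%s\n' "$(mentions "$dir" "$id")" "$id" "$path"
    done
}

# make_sample_sysdiagnose <dir>: constructed stand-in for a sysdiagnose folder
# (not real output; the lsregister and lsappinfo layouts are approximated)
make_sample_sysdiagnose() {
    cat > "$1/lsregister-0.txt" <<'EOF'
--------------------------------------------------------------------------------
bundle id:            1234
    path:                 /Applications/Safari.app
    name:                 Safari
    CFBundleIdentifier = "com.apple.Safari";
--------------------------------------------------------------------------------
bundle id:            5678
    path:                 /Users/user/Downloads/Player.app
    name:                 Player
    CFBundleIdentifier = "example.placeholder.Player";
--------------------------------------------------------------------------------
EOF
    # Safari is still running, so lsappinfo mentions it; Player is gone and is not.
    cat > "$1/lsappinfo.txt" <<'EOF'
"Safari" ASN:0x0-0x1a01a: bundleID="com.apple.Safari" pid=401
"Finder" ASN:0x0-0x1b01b: bundleID="com.apple.finder" pid=380
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_sample_sysdiagnose "$SAMPLE_DIR"
triage "$SAMPLE_DIR"
# 2	com.apple.Safari	/Applications/Safari.app
# 1	example.placeholder.Player	/Users/user/Downloads/Player.app
```

Point triage at the real unpacked folder and sort on the first column: identifiers with a count of 1 are known to Launch Services but appear nowhere else in the collection, which is exactly the "been and gone" situation the post describes, so those are the paths to check next on the machine itself.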
After trying searches on VirusTotal and other public search engines, the teamID led us to a Russian-language stackoverflow post. It turns out that the developer signature was used to sign an “app” that was in fact a Bash script bundled in an Application wrapper. It looks very much like a variant of OSX.Shlayer. But further investigation on the machine shows no evidence the application still exists.
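A quick check for the “app that is really a shell script” pattern just described, as an added example that is not from the original post: it reads CFBundleExecutable from a bundle’s Info.plist and inspects the first bytes of that executable, reporting script for a #! shebang and mach-o for the Mach-O or fat-binary magic numbers. It assumes an XML Info.plist with the value on the line after the key (a binary plist would first need plutil -convert xml1), and the two bundles it builds, Player.app and Native.app, are constructed stand-ins with made-up identifiers, not files from the post.

```shell
#!/bin/sh
# Added example: flag .app bundles whose main executable is a script rather than a
# native Mach-O binary. Assumes an XML Info.plist with <string> on the line after
# the <key>; binary plists need "plutil -convert xml1" first.

# bundle_executable <App.app>: path of the executable named by CFBundleExecutable
bundle_executable() {
    exe=$(awk '/<key>CFBundleExecutable<\/key>/ {
                  getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit
              }' "$1/Contents/Info.plist" 2>/dev/null)
    [ -n "$exe" ] || return 1
    printf '%s\n' "$1/Contents/MacOS/$exe"
}

# app_executable_kind <App.app>: prints "script", "mach-o" or "unknown"
app_executable_kind() {
    exe=$(bundle_executable "$1") && [ -f "$exe" ] || { echo unknown; return 1; }
    magic=$(head -c 4 "$exe" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        2321*)                                           echo script ;;   # "#!" shebang
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe)    echo mach-o ;;   # Mach-O / fat magic
        *)                                               echo unknown ;;
    esac
}

# scan_apps <dir>: "<kind><TAB><App.app>" for every bundle directly under <dir>
scan_apps() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        printf '%s\t%s\n' "$(app_executable_kind "$app")" "$app"
    done
}

# make_sample_apps <dir>: two constructed bundles, one script-backed, one Mach-O-backed
make_sample_apps() {
    for name in Player Native; do
        mkdir -p "$1/$name.app/Contents/MacOS"
        cat > "$1/$name.app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>$name</string>
    <key>CFBundleIdentifier</key>
    <string>example.placeholder.$name</string>
</dict>
</plist>
EOF
    done
    # Player: a shell script wearing an Application wrapper (constructed, harmless)
    printf '#!/bin/bash\necho "not a real installer"\n' > "$1/Player.app/Contents/MacOS/Player"
    # Native: just the 64-bit little-endian Mach-O magic (0xfeedfacf as stored on disk)
    printf '\317\372\355\376' > "$1/Native.app/Contents/MacOS/Native"
    chmod +x "$1/Player.app/Contents/MacOS/Player" "$1/Native.app/Contents/MacOS/Native"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_apps "$SAMPLE_DIR"
scan_apps "$SAMPLE_DIR"
# mach-o	<dir>/Native.app
# script	<dir>/Player.app
```

Run scan_apps over /Applications and the user’s Downloads folder on the suspect machine; a script result is not proof of anything by itself, but paired with a developer signature you cannot account for (codesign -dv --verbose=4 on the bundle shows the TeamIdentifier) it is the combination the post’s case turned on.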

