With the last 10 years Apple has been positioning itself as a major contender to the Microsoft Operating system in the workforce. Many companies have a mixed environment with both Apple and Windows products. Catering more resources to the other can put companies at a disadvantage when it comes to triaging an incident. When responding to incidents within an OSX / MacOS environment, there may be quite a few challenges for administrators to overcome. Considering the documentation is limited within this scope, we have put together some scripts to help lessen the gap for incident responders in MacOS.
Network Defense Solutions, Inc. has developed a set of scripts and, tools that can be utilized for artifact collection and incident response. It is estimated that companies do not know they have sustained until approximately 380 days after a breach! Don't be one of those companies. With the tools and scripts we've developed obtaining the information you need to discern whether your systems have suffered a breach is easier than you think. All our scripts categorize the information you need by user, and artifact collected. If you require assistance with collecting evidence on a system that has been affected by a potential breach please
To review other operating system Incident Response Tools, please see the Incident Response Home Page For more information
Artifact Collection
The incident response scripts that we have put together will search the filesystem, running applications, ports and IP addresses and if possible the connections in which your system has made to other machines. Additionally, our scripts will also search for files and list them (complete with hashes) for each user on the system to help an administrator or, IR team identify items with too many permissions and areas that a user may have had over-reach.
Additionally your interfaces will be scrutinized as well as routes and other network details. From this incident responders can then attempt to determine if the system has been affected (sniffing, routing, last logins, etc) if malicious traffic has traversed the environment(s).
Please note. When running this script you will need to configure a pen drive and set your environment variable to the path of the bin files on the thumb drive. Running these scripts on the suspect / affected system may procure invalid results!
Artifact Collection Information
-
Network Artifact Collection
Information collected about your network includes: Card state (promisc), routing table(s), full card listing, hosts file, and netstat. Additional details include, ssh known hosts, netstat foreign address listing only, last logged in users, search logs for SSH/FTP and other remote access.
-
File System Collection
This portion of the artifact collection process aims to obtain files that have too many permissions, stick-bits and, SUIG/GUID permissions. The script will also search for files created by users of the system (both hidden and users within the /etc/passwd file). The tools also search for files created within the last 30 days from when the script was run. Items found within the scan phases also dump full path, file information and an MD5 hash so incident responders may look up the hashes to determine if any of them are known to be malicious*.
-
User Collection
The incident response script will poll all details about your users (directories, etc/passwd file) and re-create their folder hierarchy. Any users found within the standard /users/ folder will then be checked against the /etc/passwd file. The script will also detect hidden user accounts (e.g: .evil) and compare that to the listings of users. Once the script detects the users on the given system the script will then scan: bash history, shh known_hosts, last time those users were logged on, authentication attempts within the log files (SSH/FTP, etc.). Additional information will also be all files owned by the user complete with path and hashes as well as hashes within the Desktop, Documents and Downloads.
-
Running Processes
The incident response script will then attempt to obtain all the open files, processes from netstat and compare them to the information within /proc if they are communicating with foreign addresses. The script will also log the date/time of when the information has been found as well. Process information will also be tracked back to the binary that is running in an attempt to obtain the hash of the file that is in question.
-
Full Collection
Incident responders may also opt-in to selecting all menu items to be scanned within the system. This will include the details above, as well as other over-lapping details such as kernel logs and the installed KEXT files.
Please be advised that while this script is free to utilize, it is not intended to be free for commercial usage! If you would like pricing information, please feel free to use the contact form below.
For help and support utilizing the script please see: Incident Response Script KB Article Or, you may also review the Incident response script page at: Linux Incident Response KB Article
If you feel that your system has been affected by malware, or you need assistance with Incident Response for your desktop or server environment please feel free to fill out the Incident Response request form below:
Need assistance with Incident Response? We're here to help!