Fast 4n6 in macOS

ENTER THE MAC4N6_VOL 2 FAST 4N6 IN MACOS V.1.0() kasasagi

https://padawan-4n6.hatenablog.com/

https://www.sans.org/security-resources/posters/dfir/windows-forensic-analysis-japanese-translation-185

• Mac4n6+<.4<5;07<0'%" ü6(+:.038 &)=3*6(-5#2=:9+< ü4*0- !$&6(056,;</1-$'! üHigh Sierra'!

• Mac • macOS
• • &

MAC3.5602/ ,* • Windows#+# % →Windows+#3.5602/ + % → )*&)*%
+7 T2124# → Mac7 $ UNIX"(7 !'-…

• Mac4n6 üSarah Edwards (@iamevltwin) → https://www.mac4n6.com/
üYogesh Khatri (@SwiftForensics) → https://www.swiftforensics.com/ üMac4n6(Macadmins) → https://github.com/pstirparo/mac4n6 üObejective-see → https://objective-see.com/index.html üBlackbag blog → https://www.blackbagtech.com/index.php/blog üSentinelOne → https://www.sentinelone.com/blog/ üFocus Systems( ) → https://cyberforensic.focus- s.com/knowledge/articles_detail/ Mac4n6#0*$,"&+-(+1 https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw- CfxHLOW_GNGpX8/edit#gid=1317205466 MAC,%./')& !

MAC4N6 TOOLS • Free tool ü Mac-apt(https://github.com/ydkhatri/mac_apt) ü $$
$! # $! ü Black Light ü RECON LAB ü AXOM # üMac "

• Mac • macOS
• • &

• 8QDMJ496*$7 6TBEY1+A ,3 #4& THZ[LOJ →7KES]NIWXPD8THZ[LOJ4 \RXC]L7@?> →TBMRTHZ[LOJ4,3$UYFGC<,)TBEYA2+0</?1+ !QDMJ(<
=-EV]L (684$9,6*3; PC94)?:<.,3'*5%) 8THZ[LOJ TBMRTHZ[LOJ QDMJ8 "TBEY8 TBMRTHZ[LOJ59^()

SbN UbM # XFMTXJ`aLPK=D( %) '=#<!; XFI_=@ * =
47-;- XFI_= #>80;-* 46XFI_E V\bZa^bOY_< 5C* (NI[]IaQb_E5C >22/+Timeline=→csv; :?= ,9-.<;C) csvBtxt;:=8 "1 3D6XFI_= SbN(A41>NI[]Ia)E @7;GKRHWRHE5* $&PC =#PC $&PC =#PC ( )

N[J O[I ! MACOS6<''' $;!:9 RDGY;>( =25+9+ RDGY; !<6.9+( 24RDGYC
PV[TZX[KSY: 3A( (JGUWGZL[YC3A <00-)Timeline;→csv9 8=; *7+,:9A) csv@txt98;6 / 1B4RDGY; N[J(?2/<JGUWGZ)C >59EHMFQMFC3( "#PC ;!PC "#PC ;!PC 0;OJ[Z;L[Y- + % &

• Mac • macOS
• • &

,=F; <FD • .=F; <FD"3")#3&*/! → https://github.com/Yelp/osxcollector → https://github.com/CrowdStrike/automactc
→ https://github.com/Broctets-and-Bytes/Darwin/blob/master/Darwin- Collector.sh • @68D2 /,3 • +41,3=F; )/,$?F:1! • +41=7E9>C)@68D5 '($4, .) .?F: <FDmac_apt)?F:)#, • +41ABC/- '($4, .)'%40OSXPmem,+5 Ghttps://github.com/ydkhatri/mac_apt

OSL 9TSIP • SIP(System Integrity Protection)9-#7 <*A →OS X El
Capitan ':)SIP6 ;BA%8>@)&9IJNQ PGRM=Mac9App8: "(5<EHKJ5.7+8734+A →49PDFRC 1A8: "(2057/SIP9-#7 <*A →9macOS Catalina26)SIP8>@8/9(-,0?B4+A !T https://support.apple.com/ja-jp/HT204899 https://applech2.com/archives/201910-apple-update-sip-rootless-conf-on-macos-1015-catalina.html :csrutil status5$5.A

• SIP(System Integrity Protection)6 →Mac>CRFIE@W+"5commnd+R>+4(:+ UAMUXQXJ>.); →! 6TXG?UG?PLSX':DXOKV>.); →$csrutil
disable%2BNWJ>.$Successfully%2*<<8OK# -6# → ",;2PQU6 7 =<; 936csrutil status1disable24/0&<8SIP6 HXD 6YSIP

06. % • 06. /64*) HDD#"* #/64*'( →python%Ver.$ (/64$&( /usr/bin/python2.7*
() →+365-*( • SIP(02,41)!%#"$/64%*

&1# %1-'*$'(AUTOMACTC) 0Getekeeper 0bash 0),! 0/"'1- 0mru( (-) 0known host
0user 0(- 0*. ,+ 0*. ,+ 0lsof 0netstat csv

%0:7%!")* (* • Sysdiagnose →4-85:3%$&*macOS'./16 Sysdiagnose+# ,9.2938/59/&( % +* #"*
→ sudo sysdiagnose" +/var/tmp&"* ;https://www.sentinelone.com/blog/macos-incident-response-part-1-collecting-device-file-system-data/

SYSDIAGNOSEOUTPUT ps, netstat,top PC

KYF • 3N?EL2*%6+<>$;:8:K@EBWQV1# - );'.%35(# →N?AVCEJRNSYDTXMUAOT2GHPFilevault20/ )4&'.%":
%";2-(# →17;09IYV2 Macquistion!7 ReconImager!0/=);'.% ,:#

• Mac • Mac OSX
• • &

%/3,$4 • macOS! '3-(0&*.(0&)1"2+)$ →'3-(0&*.%/3, $$ → # $
4

ATT&CK • ")#%)&($')$ → Windows(cyberkillchainATT&CK!) Initial
Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact https://attack.mitre.org/matrices/enterprise/macos/

#)%$!' • #)%*&" → #+ # +( # #(,) #
(+) , )

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access
Discovery Lateral Movement Collection Command and Control Exfiltration Impact HOW • Windows: run key .job e.t.c macOS: Launch agent Ligin Items e.t.c

Discovery Lateral Movement Collection Command and Control Exfiltration Impact ATT&CK !MACOS ! • ATT&CK

Discovery Lateral Movement Collection Command and Control Exfiltration Impact ATT&CK,-(MACOS %-)&+$'*# ! • macOS "

Discovery Lateral Movement Collection Command and Control Exfiltration Impact INITIAL ACCESS • Initial Access & Excution → doc

INITIAL ACCESS & EXCUTION doc % () •
doc MRU(Most Recent Used) • SpotlightdbkMDItemWhereFroms# % • Gatekeeperdb % • !&$" (CoreAnalytics)

Spearphishing Attachment),doc<67=5 • doc 5 MRU(Most Recent Used)$3 →0+.Automactc1.;>8);>9
→/'4%MRU/.sfl1.plist()*"#2#, )mac- &("4 →path: !4.)URL1;>9:>=5 MACOS.MRU ? https://www.mac4n6.com/blog/2016/7/10/new-script-macmru-most-recently-used-plist-parser https://github.com/mac4n6/macMRU-Parser

Spearphishing Attachmentdoc ! • doc MRU(Most Recent Used) →Automactcoutput
MACOSMRU MRU ! !

Spearphishing Attachment&'doc51280 • Spotlight)db-kMDItemWhereFroms640%51280" →macOS(*spotlight( !/# ')64
. →kMDItemWhereFroms*-$+/#5128(!/. →/.Spotlight-V100/Store-V2/<UUID>/store.db (10.13-*793(,DB !/+" ~/Library/Metadata/CoreSpotlight/index.spotlightV3/store.db) SPOTLIGHT)DB(64)

spotlight_parser.py →spotlight_parser.pyoutput SPOTLIGHT (DB) https://github.com/ydkhatri/spotlight_parser

SPOTLIGHTDB() Live mdls spotlight (disk(apfs container) mac
mount )

# # SPOTLIGHTDB( ) Livemdfind" spotlight ! →mdfind –onlyin
/ -name “kMDItemWhereForems == * /kMDItemWhereForems ! # #

Airdrop#'$ "$# & & SPOTLIGHT# (DB) & #'$
!% # AirDrop

GATEKEEPERDB(QUARANTINE EVENTS) InternetApps

• Parse SQLite db 3.x →path: /Users/[user]/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 →Automactcoutput Quarantine
Quarantine GATEKEEPERDB(QUARANTINE EVENTS) Airdrop

$(&% (COREANALYTICS) • Windows SRAM)!#" → )!#"
→$' → !% →Path: /Library/Logs/DiagnosticReports/*.core_analytics /private/var/db/analyticsd/aggregates/[GUID-like names]

• AutmactcCoreAnalyticsParser.py)0& →#+/'& "! ($,*.0, " Process processUptime +/%-,
(COREANALYTICS) 1 https://github.com/CrowdStrike/Forensics/tree/master/CoreAnalyticsParser https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new- artifact-of-execution-on-macos-10-13/

Discovery Lateral Movement Collection Command and Control Exfiltration Impact PERSISTENCE • Persistence →

• →Windowsrun keyMac OSX startup"!
→ Launch Agents → ~/Library/LaunchAgents/*.plist → /Library/LaunchAgents/*.plist → /System/Library/LaunchAgents/*.plist → Launch Daemons → /Library/LaunchDaemons/*.plist → /System/Library/LaunchDaemons/*.plist → Login Items → ~/Library/Application Support/ com.apple.backgroundtaskmanagementagent/backgrounditems.btm PERSISTENCE #https://www.sentinelone.com/blog/how-malware-persists-on-macos/

• Plist' Windows*@567>*, ( ;23?)!0%/ →plist+Windows'(.)"%/(xml, binary) → +9=9=(plist'+-() →
Plist(-open4<A8&(Xcode1$%) →/Library/LaunchAgents/*1xcode&"# →+open –a xcode /Library/LaunchAgents/* ;23?*Full:6 PERSISTENCEBLAUNCH AGENTS & DAEMONSC

• Autmactc →Autmactcoutput PERSISTENCE (plist)

• NSKeyArchhiver Plist$" !Plist,(). → path:~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm →plist ' &#open*-/+(xcode)(GUI
") →"%' 2 https://www.mac4n6.com/blog/2016/1/1/manual- analysis-of-nskeyedarchiver-formatted-plist-files-a-review-of-the-new-os-x-1011- recent-items PERSISTENCE0BACKGROUNDITEMS.BTM1

• $AppleScript%$ → https://pastebin.com/TJGTr9af →Live%" %$app&$ (+-(/*,').$#!
) PERSISTENCE0BACKGROUNDITEMS.BTM1

BQ14;O7T5PD8SHJ;G • am^5Pem]JA:@7SRAutomactcAam^U:@- spotlight_parser.py DCFem[U:@ /Xl^md`b *5P>)JS=fVXj0M/! "% DC69S@ 2RfVXj0U:@KJ:N3.
• <FgjYZWFE "9S@2RfVXjM- im\F"(_YlkmcMhmj)DCU&I@KJ:N3( (&) • :2fVXjU#?8=PgjYZW$U:J:N3(, &) • <FgjYZWF "(spotlighth^E "M "+61R)E 9S=fVXjM D"F'U:J:N3(, &) JBL

Fast 4n6 in macOS

Fast 4n6 in macOS

More Decks by kasasagi

Other Decks in Technology

Featured

Transcript