Hipster DFIR on OSX - BSidesCincy

My update on Hipster DFIR on OSX given at BSidesCincy.

Scott J. Roberts

May 21, 2016

Transcript

  1. Hipster DFIR on OSX: Incident Response Tools So Cool You've Never Heard of Them

  2. Who Am I? GitHub Since 2012, DFIR Since 2006, Mac User Since 1989, Curious Since 1983

  3. My First Computer…

  4. Trust me! SOC’d, Intel’d & DFIR’d @ Symantec, Mandiant + Vigilant

  5. DFIR @ GitHub

  6. No Hipsters WERE HARMED MAKING THIS PRESENTATION…

  7. Roadmap - The Problems - Core OSX Concepts - Tools - Built In - General Purpose - Free Security Tools - Paid Security Tools - Resources

  8. Getting Started

  9. Why Bother?

  14. Market Share From MacRumors.com

  15. Support is… “Meh”

  16. On vs. On

  17. A Bit About

  18. Problems: Location, Platform, & Attitude

  19. Problems: Location, Platform, & Attitude (Challenges)

  20. Location

  21. Challenge: No Hands On

  22. Platform: ~99% OSX On the Desktop

  23. Platform: ~100% Linux In the Datacenter

  24. Challenge: Limited Tools

  25. Attitude: Trust, Openness, & Transparency

  26. Challenge: No Draconian Tactics

  27. Bonus! We ❤ Open Source…

  28. Concepts You’ll Need

  29. NeXT* NS*

  30. And OSX: It’s Unix w/ Windows

  31. Plists

  32. Property lists organize data into named values and lists of values using several Core Foundation types: CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary. These types give you the means to produce data that is meaningfully structured, transportable, storable, and accessible, but still as efficient as possible.

  33. Binary*, XML, & JSON (JSON via plutil -convert json) * Almost always the binary…

  34. <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
          <key>Year Of Birth</key>
          <integer>1965</integer>
          <key>Pets Names</key>
          <array/>
          <key>Picture</key>
          <data>PEKBpYGlmYFCPA==</data>
          <key>City of Birth</key>
          <string>Springfield</string>
          <key>Name</key>
          <string>John Doe</string>
          <key>Kids Names</key>
          <array>
              <string>John</string>
              <string>Kyra</string>
          </array>
      </dict>
      </plist>

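  An added example, not from the talk: the plist on the previous slide read with Python's standard-library plistlib, in both its XML form and the binary form you will actually find on disk. SAMPLE_XML is the slide's plist embedded as constructed input; the helper names are mine.

```python
# Added example (not from the talk): reading the slide's plist in XML and
# binary form with the standard-library plistlib. SAMPLE_XML is the plist from
# the previous slide, embedded here as constructed input.
import plistlib

SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Year Of Birth</key>
    <integer>1965</integer>
    <key>Pets Names</key>
    <array/>
    <key>Picture</key>
    <data>PEKBpYGlmYFCPA==</data>
    <key>City of Birth</key>
    <string>Springfield</string>
    <key>Name</key>
    <string>John Doe</string>
    <key>Kids Names</key>
    <array>
        <string>John</string>
        <string>Kyra</string>
    </array>
</dict>
</plist>
"""

BINARY_MAGIC = b"bplist00"  # first 8 bytes of every binary plist


def detect_format(blob: bytes) -> str:
    """Classify a plist blob by its magic; on disk, "binary" is what you mostly see."""
    return "binary" if blob.startswith(BINARY_MAGIC) else "xml"


def load_plist(blob: bytes):
    """plistlib.loads sniffs XML vs binary itself, so one call handles both forms."""
    return plistlib.loads(blob)


def to_binary(obj) -> bytes:
    """Serialize as a binary plist, the form most files under ~/Library/Preferences use."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY)


def to_xml(obj) -> bytes:
    """Serialize back to XML, which is the form you want for reading or diffing."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML)


def summarize(blob: bytes) -> dict:
    """Pull out the fields an analyst cares about, with the Core Foundation types
    mapped to Python: CFString->str, CFNumber->int, CFArray->list,
    CFData->bytes (the base64 in <data> is already decoded)."""
    obj = load_plist(blob)
    return {
        "format": detect_format(blob),
        "name": obj["Name"],
        "born": obj["Year Of Birth"],
        "kids": obj["Kids Names"],
        "pets": obj["Pets Names"],
        "picture_len": len(obj["Picture"]),
    }


if __name__ == "__main__":
    as_binary = to_binary(load_plist(SAMPLE_XML))
    print(summarize(SAMPLE_XML))
    print(summarize(as_binary))
    print(to_xml(load_plist(as_binary)).decode()[:120])
```

  The same object round-trips through both encodings unchanged, which is why converting a binary plist to XML (plistlib here, plutil -convert xml1 on the host) loses nothing and is the first thing to do before grepping it.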
  36. Mach-O

  37. PKGs, DMGs + Apps, App Store, Scripts

  38. HFS+

  39. XAttr

  40. Kexts

  41. GateKeeper MRT & XProtect

  42. Persistence Mechanisms

  43. Persistence Mechanisms - cron jobs - Yup… just like basic Linux cron - No admin necessary (every user has their own crontab)

  44. Persistence Mechanisms - cron jobs - kexts - OSX’s kernel extensions/modules - Needs admin privileges to install, but can do almost anything… - Defaults to: /System/Library/Extensions (third-party kexts also load from /Library/Extensions)

  45. Persistence Mechanisms - cron jobs - kexts - launchdaemons - The “common” way for admin level binaries to persist across reboots - launchd is the first process (PID 1) and kicks off launch agents & daemons - Described by a launchd item plist in /Library/LaunchDaemons, /Library/LaunchAgents, or ~/Library/LaunchAgents (Apple’s own live under /System/Library)

  46. Persistence Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Deprecated… but still works! - Requires startup script & a plist in: - /Library/StartupItems - /System/Library/StartupItems - Starts up with operating system

  47. Persistence Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Login Items - The “common” way for desktop userland applications to start up - User specific - User configurable without admin rights

  48. Persistence Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Login Items - Login/Logout Hooks - Deprecated… but still works! - User specific - Just writes the script to execute to com.apple.loginwindow.plist and specifies either LoginHook or LogoutHook

  49. Persistence Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Login Items - Login/Logout hooks - Re-opened Applications - OSX “helps” you out and automatically re-opens applications at startup - Persists lots of state, like browser tabs in Safari & Chrome and docs in Pages - Defaults to On in 10.10
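  An added example, not from the talk: a small triage pass over launchd job plists and a com.apple.loginwindow.plist that flags the indicators the persistence slides above describe (a program run from a user-writable or hidden path, RunAtLoad/KeepAlive, a Label that does not match the file name, a com.apple.* label outside /System/Library, and LoginHook/LogoutHook). The three plists in SAMPLES are constructed, the vendor and paths in them are hypothetical, and the heuristics are mine; on a real host you would feed it the files from /Library/LaunchDaemons, /Library/LaunchAgents, ~/Library/LaunchAgents and the loginwindow preferences instead.

```python
# Added example (not from the talk): triage of launchd job plists and a
# loginwindow plist for the persistence indicators described on the slides.
# SAMPLES are constructed inputs; the heuristics below are mine.
import os
import plistlib

SAMPLES = {
    # Constructed: an Apple-looking label in /Library, running a hidden binary
    # out of /Users/Shared, relaunched if killed.
    "/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.softwareupdate.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.update/update</string><string>-d</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
""",
    # Constructed: an ordinary agent from a hypothetical vendor.
    "/Library/LaunchAgents/com.example.backupagent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backupagent</string>
    <key>Program</key><string>/Applications/Example Backup.app/Contents/MacOS/backupagent</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
""",
    # Constructed: a deprecated-but-working login hook in root's loginwindow prefs.
    "/var/root/Library/Preferences/com.apple.loginwindow.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LoginHook</key><string>/Library/Scripts/hook.sh</string>
</dict>
</plist>
""",
}

# Directories any local user can write to; a daemon running from here is worth a look.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launchd_program(job: dict):
    """The executable a job runs: Program wins, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launchd(path: str, job: dict) -> list:
    """Return the list of indicators found for one launchd job plist."""
    flags = []
    prog = launchd_program(job)
    if prog is None:
        flags.append("no Program/ProgramArguments")
    else:
        if prog.startswith(USER_WRITABLE):
            flags.append("program in user-writable dir: " + prog)
        if any(part.startswith(".") for part in prog.split("/") if part):
            flags.append("program under a hidden path component: " + prog)
    if job.get("RunAtLoad"):
        flags.append("RunAtLoad")
    if job.get("KeepAlive"):  # bool or dict; either way launchd restarts it
        flags.append("KeepAlive")
    label = job.get("Label", "")
    expected = os.path.basename(path)[: -len(".plist")]
    if label != expected:
        flags.append(f"Label {label!r} does not match filename {expected!r}")
    if label.startswith("com.apple.") and not path.startswith("/System/Library/"):
        flags.append("com.apple.* label outside /System/Library")
    return flags


def triage_loginwindow(prefs: dict) -> list:
    """LoginHook/LogoutHook are the deprecated hooks from slide 48."""
    return [f"{hook}: {prefs[hook]}" for hook in ("LoginHook", "LogoutHook") if hook in prefs]


def triage(samples: dict) -> dict:
    """Map each plist path to its list of indicators (empty list = nothing flagged)."""
    report = {}
    for path, blob in samples.items():
        obj = plistlib.loads(blob)
        if os.path.basename(path) == "com.apple.loginwindow.plist":
            report[path] = triage_loginwindow(obj)
        else:
            report[path] = triage_launchd(path, obj)
    return report


if __name__ == "__main__":
    for path, flags in triage(SAMPLES).items():
        print(path)
        for f in flags:
            print("   -", f)
```

  RunAtLoad on its own is normal (the vendor agent gets only that), so read the report as a ranking, not a verdict: the daemon that combines a user-writable hidden path, KeepAlive and an Apple-looking label outside /System/Library is the one to pull first.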
  50. Tools

  51. Alerting Triage Forensics Malware Reporting

  52. Linux Tools Are Usable Mostly…

  53. VM Support is Awesome VMWare Fusion, VirtualBox, Docker, Vagrant etc

  54. Built In Tools That Make Life Easier

  55. /var/log

  56. Console

  57. Activity Monitor

  58. Xcode & DTrace

  59. Xcode - Apple’s Developer Suite - Development - Debugging - Instruments - Debugging & Monitoring with DTrace - Commandline Tools

  60. netstat & lsof

  61. awk/sed/grep

  62. python, ruby, & Shell

  63. Non Security Tools You Should Install

  64. HomeBrew & Cask

  65. ./jq - JSON q - CSV

  69. Apple Remote Desktop

  70. Open Source Tools That Make me ☺

  71. OSXCollector - Zero dependency OSX live response tool - Built by the security team at Yelp based on OSXAuditor - Copies key system state and log files for off host analysis - Built in filters for quickly identifying common patterns

  74. osquery - Host instrumentation for OSX & Linux - Exposes the operating system as a series of SQLite tables - Framework that allows lots of customization but needs integration - Written by this handsome devil: Facebook’s @marpaia (& @theopolis)

  76. GRR - Remote Forensics & Host Sweeping Tool - Cross Platform: OSX & Linux (& Windows) - Add in Rekall (MemForensics) & ForensicArtifacts.com - Great API & Easy PoC

  78. Volatility - “The” OSS Memory Forensics Tool - Tons of Plugins (including OSX specific) to look for different data structures and techniques - Worth the time to get setup ahead of time

  79. $ python vol.py --info | grep mac_
      mac_arp - Prints the arp table
      mac_check_syscalls - Checks to see if system call table entries are hooked
      mac_check_sysctl - Checks for unknown sysctl handlers
      mac_check_trap_table - Checks to see if system call table entries are hooked
      mac_dead_procs - Prints terminated/de-allocated processes
      mac_dmesg - Prints the kernel debug buffer
      mac_dump_maps - Dumps memory ranges of processes
      mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
      mac_ifconfig - Lists network interface information for all devices
      mac_ip_filters - Reports any hooked IP filters
      mac_list_sessions - Enumerates sessions
      mac_list_zones - Prints active zones
      mac_ls_logins - Lists login contexts
      mac_lsmod - Lists loaded kernel modules
      mac_lsof - Lists per-process opened files
      mac_machine_info - Prints machine information about the sample
      mac_mount - Prints mounted device information
      mac_netstat - Lists active per-process network connections
      mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
      mac_pgrp_hash_table - Walks the process group hash table
      mac_pid_hash_table - Walks the pid hash table
      mac_print_boot_cmdline - Prints kernel boot arguments
      mac_proc_maps - Gets memory maps of processes
      mac_psaux - Prints processes with arguments in user land (**argv)
      mac_pslist - List Running Processes
      mac_pstree - Show parent/child relationship of processes
      mac_psxview - Find hidden processes with various process listings
      mac_route - Prints the routing table
      mac_tasks - List Active Tasks
      mac_trustedbsd - Lists malicious trustedbsd policies
      mac_version - Prints the Mac version
      mac_vfs_events - Lists Mac VFS Events
      mac_volshell - Shell in the memory image
      mac_yarascan - A shell in the mac memory image

  80. Yara - Malware centric Pattern Matching - Disk & Network - Highly Integratable

      OSX/Leverage Rule from AlienVault:

      rule leverage_a
      {
          meta:
              author = "earada@alienvault.com"
              version = "1.0"
              description = "OSX/Leverage.A"
              date = "2013/09"
          strings:
              $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
              $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
              $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
              $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
              $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
              $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
              $properties = "serverVisible \x00"
          condition:
              all of them
      }

  81. ELK - 3 services = 1 Log management platform - High effort/high reward - Take a look at Yelp’s ElastAlert

  83. FIR - “FIR (Fast Incident Response) is a cybersecurity incident management platform designed with agility and speed in mind” - Entity extraction & autolinking to common data sites - Minimal (in a good way) but comprehensive

  85. KnockKnock

  86. Paid Security Tools I Like & Use

  87. Paterva Maltego - Infrastructure Reconnaissance Tool? - Network Visualization & Analysis Tool? - Mash Up & Pivot Tool! - LEARN TO WRITE YOUR OWN TRANSFORMS!!!!

  90. Hopper - A Mac Disassembler and Binary Analysis Tool - Somewhat dev focused - Somewhat security focused - Great Value!

  91. Other Tools - The Sleuth Kit & Autopsy - Traditional Forensics - Wireshark & tcpdump - Network Monitoring - 0xED - Hex Editor

  92. Resources

  93. People - @blackbagtech - @dinodaizovi - @iamevltwin - @mikearpaia - @osquery - @osxreverser - @patrickwardle - @robtlee - @sansforensics - @synack

  94. Sites https://reverse.put.as/ http://www.mac4n6.com/ http://www.thesafemac.com/ https://objective-see.com/

  95. Books - OS X Incident Response - Mac OS X and iOS Internals - Mac Hacker's Handbook - iOS Hacker's Handbook

  96. Courses SANS FOR518: Mac Forensic Analysis

  97. Hardening - http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx - https://github.com/google/santa/ - https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet - https://github.com/drduh/OS-X-Yosemite-Security-and-Privacy-Guide

  98. Conclusion

  99. Concepts - PLists, Mach-O, HFS+, Kexts, Gate Keeper, & XProtect - Get Started: OSXCollector, ./jq, & FIR - Advance To: osquery, GRR, Yara, Maltego, & Hopper

  100. GitHub Security Is Growing!! - DFIR - Logging - IAM

  101. Thanks & Questions???
