Most of the IR that I do is within corporate production environments, so I can answer this with the tools I would use for Linux incident response, but there will be areas like Kernel Extensions that are MacOS-specific, which I don’t have IR experience in, and can’t speak to. Assume that sudo permissions are required for these. Also not that I’m not including commands to look for active user intrusions, just binary implantation like malware. Active human intrusion blows up the amount of places and things to check for, and for regular users who don’t have regulatory reporting requirements, you’re better off just restoring from a backup.
ps aux :
This lists all processes running under all users, not attached to a terminal session. This is a static list, unlike the live-updating list you get with top
lsof -b -c |-u | -p -R :
This lists open files. You can specify process names, PIDs, usernames, and more, to filter on. If you filter on PID, include the -R argument to get the parent process info for that process.
lsof -i :
This lists open files that have an active network port.
netstat -antv -p tcp : It’s important to note that on MacOS, netstat doesn’t perform like it does on Linux (e.g. it won’t give you process names), so you need to use the Mac-specific flags for it, and you’ll need to combine that with lsof or ps to get more info about the processes.
There is apparently also a tool made by Apple called sysdiagnose that you can run to basically do a large-scale debug dump of your system, including lots of data about applications and processes. I can’t claim any personal experience with this, but this guide (and part 2 here) go into using it to hunt for malware.
t3rmit3@beehaw.org 7 months ago
Most of the IR that I do is within corporate production environments, so I can answer this with the tools I would use for Linux incident response, but there will be areas like Kernel Extensions that are MacOS-specific, which I don’t have IR experience in, and can’t speak to. Assume that sudo permissions are required for these. Also not that I’m not including commands to look for active user intrusions, just binary implantation like malware. Active human intrusion blows up the amount of places and things to check for, and for regular users who don’t have regulatory reporting requirements, you’re better off just restoring from a backup.
ps aux: This lists all processes running under all users, not attached to a terminal session. This is a static list, unlike the live-updating list you get withtoplsof -b -c|-u|-p -R: This lists open files. You can specify process names, PIDs, usernames, and more, to filter on. If you filter on PID, include the-Rargument to get the parent process info for that process.lsof -i: This lists open files that have an active network port.netstat -antv -p tcp: It’s important to note that on MacOS, netstat doesn’t perform like it does on Linux (e.g. it won’t give you process names), so you need to use the Mac-specific flags for it, and you’ll need to combine that withlsoforpsto get more info about the processes.There is apparently also a tool made by Apple called
sysdiagnosethat you can run to basically do a large-scale debug dump of your system, including lots of data about applications and processes. I can’t claim any personal experience with this, but this guide (and part 2 here) go into using it to hunt for malware.renard_roux@beehaw.org 7 months ago
Thank you! I’ll save this, just in case! 😁🤘