Most of the IR that I do is within corporate production environments, so I can answer this with the tools I would use for Linux incident response, but there will be areas like Kernel Extensions that are MacOS-specific, which I don’t have IR experience in, and can’t speak to. Assume that sudo permissions are required for these. Also not that I’m not including commands to look for active user intrusions, just binary implantation like malware. Active human intrusion blows up the amount of places and things to check for, and for regular users who don’t have regulatory reporting requirements, you’re better off just restoring from a backup.
ps aux
: This lists all processes running under all users, not attached to a terminal session. This is a static list, unlike the live-updating list you get withtop
lsof -b -c
|-u
|-p -R
: This lists open files. You can specify process names, PIDs, usernames, and more, to filter on. If you filter on PID, include the-R
argument to get the parent process info for that process.lsof -i
: This lists open files that have an active network port.netstat -antv -p tcp
: It’s important to note that on MacOS, netstat doesn’t perform like it does on Linux (e.g. it won’t give you process names), so you need to use the Mac-specific flags for it, and you’ll need to combine that withlsof
orps
to get more info about the processes.
There is apparently also a tool made by Apple called sysdiagnose
that you can run to basically do a large-scale debug dump of your system, including lots of data about applications and processes. I can’t claim any personal experience with this, but this guide (and part 2 here) go into using it to hunt for malware.
renard_roux@beehaw.org 10 months ago
Thank you! I’ll save this, just in case! 😁🤘