# macOS Intrusion Investigation and Incident Response

2024-10-03 04:57:55 · Steven Xeldax

> The previous post covered the approach to Linux intrusion investigation and incident response (https://xeldax.top/article/linux_incident_response). On the endpoint side, Windows and Mac each need a corresponding investigation SOP as well, so this post looks at the endpoint from the Mac angle. Compared with Windows and Linux, the Mac does relatively well on security and sees comparatively less C2 and malware, but the attack surface is broadly the same, so the investigation angles from the earlier Linux post carry over.

[TOC]

# macOS Intrusion Detection and Investigation

## Basic information collection

- System information:
  - `sw_vers`: show the operating system version.
  - `system_profiler SPSoftwareDataType`: system software information.
  - `system_profiler SPHardwareDataType`: hardware information.
- User accounts:
  - `dscl . list /Users`: list all user accounts.
  - `dscl . -read /Users/<username>`: details of a specific user.
- Network configuration:
  - `ifconfig`: network interface configuration.
  - `networksetup -listallhardwareports`: list all network interfaces and hardware ports.

## Log analysis

- System logs:
  - `log show --last 1d`: show the last day of unified log entries.
- Security logs:
  - `cat /var/log/secure.log`: security-related log (absent on recent macOS versions, where these events live in the unified log and are read with `log show` plus a predicate).

## Process analysis

- Process monitoring:
  - `ps -ax`: list all processes.
  - `top -o cpu`: processes sorted by CPU usage.
- Process behaviour:
  - `sudo opensnoop`: monitor file-system activity (file opens).
  - `sudo tcpdump -i en0 -n -s 0 -w /tmp/capture.pcap`: capture network packets to a file.

## File analysis

- File integrity:
  - `md5`, `sha256sum` (`shasum -a 256` on a stock system): compute file hashes to check integrity.
- Malware scanning:
  - `clamscan`: scan for malicious files with ClamAV.

## Network analysis

- Traffic monitoring:
  - `tcpdump`: capture and analyse network packets.
- Port scanning:
  - `nmap`: scan ports.
- Network access control:
  - `pfctl`: manage the Packet Filter (PF) firewall.

These commands and tools help with intrusion investigation and security analysis on a macOS host. Make sure you have the appropriate privileges and understand what each command does before running it, to avoid unnecessary impact on the system.

## Key directories and files

```
1. Key directories

Applications/           default folder for applications
Library/                OS X files and supported OS items used for system-wide functionality, shared by all users
System/                 reserved for OS X system files: system settings, system functions, etc.
Users/                  home folders of local users; also holds a "Public" folder for sharing files between users
etc or private/etc/     configuration and other system files
private/sbin/           Linux-style binaries intended for administrators
var/ or private/var     important data files, log files, etc.
Volumes/                mounted devices such as hard disks, CDs, DMGs and USB drives

2. System files

Operating system version
    /System/Library/CoreServices/SystemVersion.plist
Time zone
    /Library/Preferences/.GlobalPreferences.plist
Language
    /Library/Preferences/.GlobalPreferences.plist
MAC address
    /private/var/log/daily.out
Startup folders
    /Library/LaunchAgents/
    /Library/LaunchDaemons/
    /System/Library/LaunchAgents/
    /System/Library/LaunchDaemons/
System Preferences panes
    /Library/PreferencePanes/
Firewall
    /Library/Preferences/com.apple.alf.plist
Bluetooth
    /Library/Preferences/com.apple.Bluetooth.plist
Keyboard
    /Library/Preferences/com.apple.HIToolbox.plist
Most recent user login
    /Library/Preferences/com.apple.loginwindow.plist
Most recent update information
    /Library/Preferences/com.apple.SoftwareUpdate.plist
Time Machine: last backup, oldest backup, snapshot numbers
    /Library/Preferences/com.apple.TimeMachine.plist
    /private/var/db/com.apple.TimeMAchine.SnapshotDates.plist
Printers
    /Library/Preferences/org.cups.printers.plist
AirPort remembered networks
    /Library/Preferences/SystemConfiguration(s)/com.apple.airport.preferences.plist
Last sleep time
    /Library/Preferences/SystemConfiguration(s)/com.apple.PowerManagement.plist
Network interface names
    /Library/Preferences/SystemConfiguration(s)/NetworkInterfaces.plist
Network information
    /Library/Preferences/SystemConfiguration(s)/preferences.plist
Hostname
    /Library/Preferences/SystemConfiguration(s)/preferences.plist
VMware Fusion network
    /Library/Preferences/VMWare Fusion/networking
Keychains
    /Library/Keychains/
    /System/Keychains/
Hosts file
    /private/etc/hosts
Path
    /private/etc/paths
DNS
    /private/etc/resolv.conf
User information  # password, name, uid, gid, etc.
    /private/var/db/dslocal/nodes/[user].plist
Group information
    /private/var/db/dslocal/nodes/[group].plist
    * admin.plist for admin users
    * staff.plist for the root user
Hibernation file
    /private/var/vm/sleepimage
Swap files
    /private/var/vm/swapfile[x]
Installed printers
    /Library/Printers/
    /Library/Printers/InstalledPrinters.plist

3. User profile

Default user folders
    Deleted files (Trash):                ~/.Trash/
    Desktop:                              ~/Desktop/
    Documents folder (default):           ~/Documents/
    Downloads folder (default):           ~/Downloads/
    Library (configuration and settings): ~/Library/
    Movies folder (default):              ~/Movies/
    Music folder (default):               ~/Music/
    Shared folder:                        ~/Public
Bash command history
    ~/.bash_history
SSH connection information
    ~/.ssh/known_hosts
App access to Contacts (TCC settings)
    ~/Library/Application Support/com.apple.TCC/TCC.db
Application crash timestamps
    ~/Library/Application Support/CrashReporter/[App]_[GUID].plist
Crash counts
    ~/Library/Application Support/User_Crash_History_[GUID].plist
Notification Center
    ~/Library/Application Support/NotificationCenter/[GUID].db
Sandbox containers
    ~/Library/Containers/
Keychains (user)
    ~/Library/Keychains/
    ~/Library/Keychains/login.keychain
    ~/Library/Keychains/metadata.keychain
    ~/Library/Keychains/[XXXX].keychain
LaunchAgents (user)
    ~/Library/LaunchAgents/[App].plist
QuickTime: URLs of online media
    ~/Library/Caches/Quicktime/downloads/TOC.plist
Recent folders
    ~/Library/Preferences/com.apple.finder.plist
Language
    ~/Library/Preferences/.GlobalPreferences.plist
App Store: available updates
    ~/Library/Preferences/com.apple.appstore.plist
Recent disk images (ISO/DMG)
    ~/Library/Preferences/com.apple.DiskUtility.plist
Dock
    ~/Library/Preferences/com.apple.dock.plist
Dashboard gadgets/widgets
    ~/Library/Preferences/com.apple.dashboard.plist
Recent items
    ~/Library/Preferences/com.apple.recentitems.plist
Scheduler
    ~/Library/Preferences/com.apple.scheduler.plist
Screen saver
    ~/Library/Preferences/com.apple.screensaver.plist
Finder sidebar
    ~/Library/Preferences/com.apple.sidebarlists.plist
Spaces
    ~/Library/Preferences/com.apple.spaces.plist
Printers
    ~/Library/Printers/
Connected iDevices
    a) device type
    b) last connection timestamp
    c) firmware version
    d) serial number and IMEI
    ~/Library/Preferences/com.apple.iPod.plist
Connected storage
    ~/Library/Preferences/com.apple.sidebarlists.plist
Recent documents
    # Preview
    ~/Library/Preferences/com.apple.Preview.plist
    # QuickTime
    ~/Library/Preferences/com.apple.QuickTimePlayerX.LSSharedFileList.plist
    # Console
    ~/Library/Preferences/com.apple.Console.LSSharedFileList
    # TextEdit
    ~/Library/Preferences/com.apple.TextEdit.LSSharedFileList.plist
RSS subscription service
    ~/Library/PubSub/Database/Database.sqlite3
    ~/Library/PubSub/Clients.plist
    ~/Library/PubSub/Feeds/
Download quarantine events
    ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

4. Log files

Application firewall
    /private/var/log/appfirewall.log
    /private/var/log/appfirewall.log.[x].bz2
System logs
    /private/var/log/asl/YYYY.MM.DD.U[XX].asl
    /private/var/log/DiagnosticMessages/YYYY.MM.DD.asl
    /private/var/log/install.log
    /private/var/log/install.log.[x].bz2
    /private/var/log/opendirectoryd.log
    /private/var/log/opendirectoryd.log.[x].bz2
    /private/var/log/system.log
    /private/var/log/system.log.[x].bz2
    /private/var/log/vnetlib
    /private/var/log/weekly.out
    /private/var/log/zzz.log
Shutdown/startup logs
    /private/var/log/com.apple.xpc.launchd/launchd.log
    /private/var/log/com.apple.launchd/launchd-shutdown.system.log
System configuration information
    /private/var/log/install.log
    a. wireless connection
    b. registered country and city
    c. firmware version at log time
    d. created username
    e. installed apps
Disk status
    /private/var/log/daily.out
MAC address / network status
    /private/var/log/daily.out
USB device connections  # search for "USBMSC"
    /private/var/log/System.log
Boot time  # search for "BOOT_TIME"
    /private/var/log/System.log
Shutdown time  # search for "SHUTDOWN_TIME"
    /private/var/log/System.log
User logs
    ~/Library/Logs/AMRestore.txt
    ~/Library/Logs/appstore.log
    ~/Library/Logs/DiagnosticReports/
    ~/Library/Logs/SMSMigrator/SMSMigrator.log
    ~/Library/Logs/sync/syncservices.log
    ~/Library/Logs/Ubiquity/[User]/ubiquity-digest.log
    ~/Library/Logs/Ubiquity/[User]/ubiquity.log
Disc burning log
    ~/Library/Logs/DiskRecording.log
Disk Utility log
    ~/Library/Logs/DiskUtility.log
File system log
    ~/Library/Logs/fsck_hfs.log
VMware
    ~/Library/Logs/VMWare
    ~/Library/Logs/VMWare Fusion/
```

# macOS Host Incident Response

## macOS host incident response tools

- The built-in `sysdiagnose` tool
- jamf aftermath: https://github.com/jamf/aftermath

## macOS forensics quick reference

```
1. System information

# basic system information
system_profiler SPHardwareDataType
system_profiler SPSoftwareDataType
sw_vers
# network information
ifconfig -a
netstat -rn
netstat -an

2. Users and permissions

# currently logged-in users
who
w
last
# all users and groups on the system
dscl . list /Users
dscl . list /Groups
# details of a specific user
dscl . read /Users/<username>

3. Processes and services

# running processes
ps aux
top -l 1 -n 0
# startup items and loaded services
launchctl list

4. Files and directories

# files modified in the last 7 days
find / -type f -mtime -7
# contents of a specific directory
ls -alR /path/to/directory

5. Log files

# system log
log show --info --predicate 'process == "kernel"' --start '<start_date>' --end '<end_date>'
# application logs
log show --info --predicate 'subsystem == "com.apple.security"' --start '<start_date>' --end '<end_date>'

6. Network activity

# open network connections
lsof -i
# active TCP connections
netstat -anp tcp

7. Memory and disk usage

# memory usage
vm_stat
# disk usage
df -h
du -sh /path/to/directory

8. Security and privacy settings

# system firewall status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
# System Integrity Protection status
csrutil status

9. Data export

# file system snapshot
tmutil localsnapshot
# system report
sudo sysdiagnose

10. Common tools

Third-party tools
- KnockKnock : finds persistence components (launch items, kernel extensions, etc.)
- OSQuery    : cross-platform tool for collecting and querying system information
- KextViewr  : shows loaded kernel extensions

11. Recovery and response

# suspend a suspicious process
sudo kill -STOP <pid>
# terminate a malicious process
sudo kill -9 <pid>

12. Key system files

# hosts file
cat /etc/hosts
# system startup files
cat /etc/rc.common
cat /etc/rc.local
cat /etc/launchd.conf

13. Browser history

# Safari history
sqlite3 ~/Library/Safari/History.db "SELECT * FROM history_items"
# Chrome history
sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/History "SELECT * FROM urls"

14. Recently opened files and applications

# recently opened files
defaults read com.apple.recentitems
# recently used applications
ls -lt ~/Library/Containers/com.apple.Preview/Data/Library/Autosave\ Information/

15. System configuration and preferences

# system preferences
defaults read
# network sharing settings
defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server

16. Print queue and scheduled tasks

# print queue
lpstat -t
# scheduled tasks (crontab)
crontab -l

17. File integrity

# SHA-256 hash of a file
shasum -a 256 /path/to/file
# integrity of a key system file against a saved copy
sudo cmp /usr/bin/sudo /usr/bin/sudo.bak

18. Security event logs

# security events
log show --predicate 'eventMessage contains "Authentication"' --info
# login history of a specific user
last -F <username>

19. Disks and file systems

# disks and partitions
diskutil list
# largest entries under a directory
du -ah /path/to/directory | sort -rh | head -n 10

20. Network configuration and connections

# network interface configuration
networksetup -listallhardwareports
# all network services
networksetup -listallnetworkservices

21. Environment variables and system configuration

# environment variables
printenv
# boot configuration (NVRAM)
nvram -p

22. Application information

# installed applications
ls /Applications
# details of a specific application
mdls /Applications/Example.app

23. Key system events

# power event log
pmset -g log
# sleep and wake events
pmset -g log | grep -e " Sleep " -e " Wake "

24. Encryption and security settings

# FileVault status
fdesetup status
# keychain information
security list-keychains
security dump-keychain

25. Kernel extensions and drivers

# loaded kernel extensions
kextstat
# a specific kernel extension
kextstat | grep -i <extension_name>

26. Bluetooth and wireless information

# Bluetooth devices
system_profiler SPBluetoothDataType
# wireless networks
system_profiler SPAirPortDataType

27. Security patches and update status

# installed updates
softwareupdate --history
# available updates
softwareupdate --list

28. Open ports and firewall configuration

# all listening ports
sudo lsof -i -P -n | grep LISTEN
# firewall configuration
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

29. File system auditing and monitoring

# live file system monitoring (fs_usage)
sudo fs_usage
# file-related log entries
log show --predicate 'eventMessage contains "file"' --info

30. Sharing and remote access

# sharing service status
sudo launchctl list | grep -i "smb\|afp\|nfs"
# remote login and remote management settings
sudo systemsetup -getremotelogin
sudo systemsetup -getremoteappleevents
sudo systemsetup -getcomputername

31. System resource usage

# CPU usage
sar -u 1 5
# memory usage
vm_stat

32. Mount points and disk usage

# current mount points
mount
# usage of a specific mount point
df -h /Volumes/<VolumeName>

33. System audit logs

# audit configuration
sudo cat /etc/security/audit_control
# audit log
sudo praudit /var/audit/current

34. Application and user activity monitoring

# Activity Monitor
open /Applications/Utilities/Activity\ Monitor.app
# Console (system logs)
open /Applications/Utilities/Console.app

35. System Integrity Protection (SIP)

# SIP status
csrutil status

36. EFI and firmware information

# EFI version
system_profiler SPHardwareDataType | grep 'Boot ROM Version'
# SMC firmware version
system_profiler SPHardwareDataType | grep 'SMC Version (system)'

37. Power management and battery

# battery information
system_profiler SPPowerDataType
# power management settings
pmset -g

38. System error reports

# most recent error reports
ls -lt /Library/Logs/DiagnosticReports/
# a specific report
cat /Library/Logs/DiagnosticReports/<report_name>

39. System boot log

# boot-related log entries
log show --predicate 'eventMessage contains "boot"' --info

40. System clock and time settings

# current time settings
systemsetup -gettimezone
systemsetup -getusingnetworktime
# time synchronisation status
ntpdate -q

41. VPN and proxy settings

# VPN configurations
scutil --nc list
# proxy settings
scutil --proxy

42. Application permissions

# application access permissions
tccutil list

43. Process environment variables

# environment of a process
ps eww <pid>

44. Application logs

# logs of a specific subsystem
log show --predicate 'subsystem == "<subsystem_name>"' --info

45. Hardware monitoring

# temperature sensors
sudo powermetrics --samplers smc | grep -i "CPU die temperature"
# fan speed
sudo powermetrics --samplers smc | grep -i "Fan"

46. Built-in monitoring

# load the system log daemon (syslogd)
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

47. Shared folders

# all shared folders
sudo sharing -l

48. Wireless network scan

# scan nearby wireless networks
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

49. External devices

# connected USB devices
system_profiler SPUSBDataType
# connected Thunderbolt devices
system_profiler SPThunderboltDataType
```

```
Quick commands

1. Users

dscl . list /Users UniqueID
dscl . list /Users UniqueID | grep -v ^_

2. Ports

netstat -na | egrep 'LISTEN|ESTABLISHED'
netstat -A -a -l -n -v   # active network connections
netstat -n -r -a -l      # routing table
lsof -i

3. Network

# detailed network information
plutil -p /Library/Preferences/SystemConfiguration/preferences.plist
# proxy configuration
scutil --proxy

4. Processes

ps -axo user,pid,ppid,%cpu,%mem,start,time,command
lsappinfo list
5. Scheduled tasks

Daemon and agent plist locations, in priority order from high to low:
/System/Library/LaunchDaemons   # daemon tasks defined by Mac OS X
/System/Library/LaunchAgents    # per-user tasks defined by Mac OS X
/Library/LaunchDaemons          # daemon tasks defined by the administrator
/Library/LaunchAgents           # per-user tasks defined by the administrator
~/Library/LaunchAgents          # tasks defined by the user; the ones encountered most often

crontab command
crontab [-u user] file
crontab [-u user] [ -e | -l | -r ]
-u user : operate on the crontab of the given user
file    : load file as that user's crontab task list
-e      : edit the user's crontab (the current user's if no user is given)
-l      : display the user's crontab (the current user's if no user is given)
-r      : remove the user's crontab from /var/spool/cron (the current user's by default)
-i      : ask for confirmation before removing
# scheduled tasks of the current user
crontab -l

launchctl command
launchctl takes its schedule and task from a configuration file; unlike crontab, its minimum interval is 1s. The plist files live in /Library/LaunchAgents or /Library/LaunchDaemons.
cd ~/Library/LaunchAgents
launchctl load com.test.launchctl.plist        # load a task
launchctl unload com.felink.gitmirror.plist    # unload a task
launchctl start com.test.launchctl.plist       # run immediately
launchctl stop com.test.launchctl.plist        # stop a task

6. Temporary and shared directories

$ ls -al /Users/Shared
$ ls -al /private/tmp
$ ls -al $TMPDIR

7. Shell files

~/.bash_profile   # if present, read once at login
~/.bash_login     # if present, read once when .bash_profile does not exist
~/.profile        # if present, read once when neither of the two above exists
/etc/profile      # read only when none of the above exist
~/.bashrc         # if present, read every time a new shell starts
~/.bash_logout    # if present, read when a login shell exits

8. Inspecting databases

$ sqlite3 /path/to/db .dump
$ sqlite3 /path/to/db .tables
$ sqlite3 /path/to/db 'select * from [tablename]'
$ sqlite3 /path/to/db .schema
# Hidden databases: Apple keeps some databases under /var/folders/. When logged in as the
# user in question, the directory is reachable through the DARWIN_USER_DIR configuration value
$ cd $(getconf DARWIN_USER_DIR)

9. Inspecting plist files

plutil -p system.plist
```

## One-click script

```
#!/bin/bash
# ensure that the script is being executed as root
if [[ $EUID -ne 0 ]]; then
    echo 'Incident Response Script needs to be executed as root!'
    exit 1
fi

originalUser=`sh -c 'echo $SUDO_USER'`
echo "Collecting data as root escalated from the $originalUser account"

# insert company message here explaining the situation
cat << EOF
-----------------------------------------------------------------------
COLLECTING CRITICAL SYSTEM DATA. PLEASE DO NOT TURN OFF YOUR SYSTEM...
-----------------------------------------------------------------------
EOF

echo "Start time-> `date`"

# Create a pf rule to block all network access except for access from the file server over ssh
quarantineRule=/etc/activeIr.conf
echo "Writing quarantine rule to $quarantineRule"
serverIP=192.168.1.111
cat > $quarantineRule << EOF
block in all
block out all
pass in proto tcp from $serverIP to any port 22
EOF

# load the pf rule and inform the user there is no internet access
pfctl -f $quarantineRule 2>/dev/null
pfctl -e 2>/dev/null
if [ $? -eq 0 ]; then
    echo "Quarantine enabled. Internet access unavailable"
fi

echo "Running system commands..."

# set up variables
IRfolder=collection
logFile=$IRfolder/collectlog.txt
mkdir $IRfolder
touch $logFile
# redirect errors
exec 2> $logFile
systemCommands=$IRfolder/sysCalls
# create output directory
mkdir $systemCommands

# basic system info
systemInfo=$systemCommands/sysInfo.txt
# create file
touch $systemInfo
# echo ---command name to be used---; use command; append a blank line
echo ---date--- >> $systemInfo; date >> $systemInfo; echo >> $systemInfo
echo ---hostname--- >> $systemInfo; hostname >> $systemInfo; echo >> $systemInfo
echo ---uname -a--- >> $systemInfo; uname -a >> $systemInfo; echo >> $systemInfo
echo ---sw_vers--- >> $systemInfo; sw_vers >> $systemInfo; echo >> $systemInfo
echo ---nvram--- >> $systemInfo; nvram >> $systemInfo; echo >> $systemInfo
echo ---uptime--- >> $systemInfo; uptime >> $systemInfo; echo >> $systemInfo
echo ---spctl --status--- >> $systemInfo; spctl --status >> $systemInfo; echo >> $systemInfo
echo ---bash --version--- >> $systemInfo; bash --version >> $systemInfo; echo >> $systemInfo

# collect who-based data
whoInfo=$systemCommands/whoInfo.txt
touch $whoInfo
echo ---ls -la /Users--- >> $whoInfo; ls -la /Users >> $whoInfo; echo >> $whoInfo
echo ---whoami--- >> $whoInfo; whoami >> $whoInfo; echo >> $whoInfo
echo ---who--- >> $whoInfo; who >> $whoInfo; echo >> $whoInfo
echo ---w--- >> $whoInfo; w >> $whoInfo; echo >> $whoInfo
echo ---last--- >> $whoInfo; last >> $whoInfo; echo >> $whoInfo

# collect user info
userInfo=$systemCommands/userInfo.txt
echo ---Users on this system--- >> $userInfo; dscl . -ls /Users >> $userInfo; echo >> $userInfo
# for each user
dscl . -ls /Users | egrep -v ^_ | while read user
do
    echo *****$user***** >> $userInfo
    echo ---id \($user\)--- >> $userInfo; id $user >> $userInfo; echo >> $userInfo
    echo ---groups \($user\)--- >> $userInfo; groups $user >> $userInfo; echo >> $userInfo
    echo ---finger \($user\)--- >> $userInfo; finger -m $user >> $userInfo; echo >> $userInfo
    echo >> $userInfo
    echo >> $userInfo
    # find a way to provide printenv
done

# collect network-based info
networkInfo=$systemCommands/networkInfo.txt
touch $networkInfo
echo ---netstat--- >> $networkInfo; netstat >> $networkInfo; echo >> $networkInfo
echo ---netstat -ru--- >> $networkInfo; netstat -ru >> $networkInfo; echo >> $networkInfo
echo ---networksetup -listallhardwareports--- >> $networkInfo; networksetup -listallhardwareports >> $networkInfo; echo >> $networkInfo
echo ---lsof -i--- >> $networkInfo; lsof -i >> $networkInfo; echo >> $networkInfo
echo ---arp -a--- >> $networkInfo; arp -a >> $networkInfo; echo >> $networkInfo
echo ---security dump-trust-settings--- >> $networkInfo; security dump-trust-settings >> $networkInfo; echo >> $networkInfo

# collect process-based info
processInfo=$systemCommands/processInfo.txt
touch $processInfo
echo ---ps aux--- >> $processInfo; ps aux >> $processInfo; echo >> $processInfo
echo ---lsof--- >> $processInfo; lsof >> $processInfo; echo >> $processInfo

# collect startup-based info
startupInfo=$systemCommands/startupInfo.txt
touch $startupInfo
echo ---launchctl list--- >> $startupInfo; launchctl list >> $startupInfo; echo >> $startupInfo
echo ---atq--- >> $startupInfo; atq >> $startupInfo; echo >> $startupInfo
# crontab will be collected later from /usr/lib/cron/<usernames>

# collect driver-based info
driverInfo=$systemCommands/driverInfo.txt
touch $driverInfo
echo ---kextstat--- >> $driverInfo; kextstat >> $driverInfo; echo >> $driverInfo

# collect hard drive info
hardDriveInfo=$systemCommands/hardDriveInfo.txt
touch $hardDriveInfo
echo ---diskutil list--- >> $hardDriveInfo; diskutil list >> $hardDriveInfo; echo >> $hardDriveInfo
echo ---df -h--- >> $hardDriveInfo; df -h >> $hardDriveInfo; echo >> $hardDriveInfo
echo ---du -h--- >> $hardDriveInfo; du -h >> $hardDriveInfo; echo >> $hardDriveInfo

# Collecting file system data
# collect artifacts
mkdir artifacts

# collect the audit logs
#mkdir artifacts/audit
#ditto /var/audit artifacts/audit

declare -a directories=(
    # list dirs to collect here. Don't include a slash at the end of the dir
    "/var/audit"
)

declare -a files=(
    "/var/log/system.log"
    "/var/log/accountpolicy.log"
    "/var/log/apache2/access_log"
    "/var/log/apache2/error_log"
    "/var/log/opendirectoryd.log"
    "/var/log/secinitd"
    "/var/log/wifi.log"
    "/var/log/alf.log"
    "/var/log/appstore.log"
    "/var/log/authd.log"
    "/var/log/commerce.log"
    "/var/log/hdiejectd.log"
    "/var/log/install.log"
    "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"
    "/etc/kcpassword"
    "/etc/sudoers"
    "/etc/hosts"
    "/etc/resolv.conf"
    "/private/var/log/fsck_hfs.log"
    "/private/var/db/launchd.db/com.apple.launchd/overrides.plist"
    "/Library/Logs/AppleFileService/AppleFileServiceError.log"
    "/var/log/appfirewall.log"
)

declare -a userFiles=(
    # these are user file paths without the ~ at the beginning.
    # The home directories will be concatenated later
    "Library/Preferences/com.apple.finder.plist"
    "Library/Preferences/com.apple.recentitems.plist"
    "Library/Preferences/com.apple.loginitems.plist"
    "Library/Logs/DiskUtility.log"
    "Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"
)

# collect files (the trailing * also picks up rotated copies such as system.log.0.gz)
for x in "${files[@]}"
do
    ditto "$x"* artifacts
done

# collect user files for each user
dscl . -ls /Users | egrep -v ^_ | while read user
do
    for x in "${userFiles[@]}"
    do
        fileLocation="/Users/$user/$x"
        echo "Trying to ditto $fileLocation"
        if [ -f "$fileLocation" ]; then
            ditto "$fileLocation"* artifacts
        fi
    done
done

# collect dirs
for x in "${directories[@]}"
do
    dirname=`echo "$x" | awk -F "/" '{print $NF}'`
    echo created "$dirname" from "$x"
    mkdir artifacts/"$dirname"
    ditto "$x" artifacts/"$dirname"
done

# ASEP COLLECTION
echo "Collecting system ASEPS"
# the $IRfolder variable was assigned in our original script
ASEPS=$IRfolder/aseps
mkdir $ASEPS
ditto /System/Library/LaunchDaemons $ASEPS/systemLaunchDaemons
ditto /System/Library/LaunchAgents $ASEPS/systemLaunchAgents
ditto /Library/LaunchDaemons $ASEPS/launchDaemons
ditto /Library/LaunchAgents $ASEPS/launchAgents
#ditto <user entry>

# collect crontabs and set permissions so that the analyst can read the results
ditto /usr/lib/cron/tabs/ $ASEPS/crontabs;
# collect at tasks
ditto /private/var/at/jobs/ $ASEPS/atTasks
# collect plist overrides
ditto /var/db/launchd.db $ASEPS/overrides;
# collect StartupItems
ditto /etc/rc* $ASEPS/
ditto /Library/StartupItems/ $ASEPS/
ditto /System/Library/StartupItems/ $ASEPS/systemStartupItems
# collect Login/Logout Hooks
ditto /private/var/root/Library/Preferences/com.apple.loginwindow.plist $ASEPS/loginLogouthooks
# collect launchd configs
# file may or may not exist
ditto /etc/launchd.conf $ASEPS/launchdConfs/

# copy user specific data for each user
dscl . -ls /Users | egrep -v ^_ | while read user
do
    ditto /Users/$user/Library/LaunchAgents $ASEPS/$user-launchAgents
    ditto /Users/$user/Library/Preferences/com.apple.loginitems.plist $ASEPS/$user-com.apple.loginitems.plist;
    ditto /Users/$user/.launchd.conf $ASEPS/launchdConfs/$user-launchd.conf
done

# copy kext files in the extension directories
ditto /System/Library/Extensions $ASEPS/systemExtensions
ditto /Library/Extensions $ASEPS/extensions

# create a function that will scan all files in a directory using codesign
codesignDirScan(){
    for filename in $1/*; do
        codesign -vv -d "$filename" &>tmp.txt;
        if grep -q "not signed" tmp.txt; then
            cat tmp.txt >> $ASEPS/unsignedKexts.txt
        fi
    done
    rm tmp.txt
}

# run a codesign scan on all kext files
codesignDirScan /System/Library/Extensions
codesignDirScan /Library/Extensions

# collect browser history
echo "Copying Web Data..."
dscl . -ls /Users | egrep -v ^_ | while read user
do
    # check for and copy Safari data
    # Safari is pretty much guaranteed to be installed
    echo "Looking for /Users/$user/Library/Safari"
    if [ -d "/Users/$user/Library/Safari/" ]; then
        plutil -convert xml1 /Users/$user/Library/Safari/History.plist -o "$user"_safariHistory.plist
        plutil -convert xml1 /Users/$user/Library/Safari/Downloads.plist -o "$user"_safariDownloads.plist
        #plutil -p "/Users/$user/Library/Safari/History.plist" > "$user"_safariHistory.plist
        #plutil -p "/Users/$user/Library/Safari/Downloads.plist" > "$user"_safariDownloads.plist
        # grab the sqlite3 version of the history if you prefer
        ditto "/Users/$user/Library/Safari/History.db" "$user"_safariHistory.db
    fi

    # check for and copy Chrome data
    if [ -d "/Users/$user/Library/Application Support/Google/Chrome/" ]; then
        ditto "/Users/$user/Library/Application Support/Google/Chrome/Default/History" "$user"_chromeHistory.db
    fi

    # check for and copy firefox data
    # there should only be one profile inside the Profiles directory
    if [ -d "/Users/$user/Library/Application Support/Firefox/" ]; then
        for PROFILE in /Users/$user/Library/Application\ Support/Firefox/Profiles/*; do
            ditto "$PROFILE/places.sqlite" "$user"_firefoxHistory.db
        done
    fi

    # check for and copy Opera data
    if [ -d "/Users/$user/Library/Application Support/com.operasoftware.Opera/" ]; then
        ditto "/Users/$user/Library/Application Support/com.operasoftware.Opera/History" "$user"_operaHistory.db
    fi
done

# create a zip file of all the data in the current directory
# this will always be the last thing we do. Do not add code below this section
echo "Archiving Data"
cname=`scutil --get ComputerName | tr ' ' '_'`
now=`date +"_%Y-%m-%d"`
ditto -k --zlibCompressionLevel 5 -c . $cname$now.zip
```

Download:

```
https://download.xeldax.top/MacOS_IR/macos应急响应脚本.zip
```

# References

```
https://l0n9w4y.cc/posts/33221/#0xFF-Reference
https://m.freebuf.com/articles/web/405123.html
https://github.com/Yelp/osxcollector
https://www.sentinelone.com/wp-content/uploads/2017/06/SentinalOne_macOS_Threat_Hunting_and_Incident_Response_A_Complete_Guide_17032020-1.pdf
https://objective-see.org/tools.html
https://github.com/jipegit/OSXAuditor
https://www.loobins.io/
https://davidkoepi.wordpress.com/category/mac-forensics/
```
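Worked example for the scheduled-tasks section of the quick commands (the five launchd directories listed there, plus the temporary and shared directories from the following item) and for the LaunchAgents entries in the key-files list: a small Python triage of launchd plists, in the spirit of what the KnockKnock tool mentioned above does for persistence items. This is an added example, not the author's code and not part of the one-click script. The review flags it raises (a program under /Users/Shared, /private/tmp or /var/folders, a hidden path component, an interpreter invoked with `-c`/`-e`, RunAtLoad combined with KeepAlive, unusual label characters) are this example's own heuristics, not an official rule set, and the two plists embedded in it are constructed, not taken from any real incident.

```python
"""Triage launchd plists (LaunchAgents/LaunchDaemons) for persistence review.

Added example for this post, not the author's script. The directory list follows
the "Scheduled tasks" section; the review heuristics below are this example's own.
"""
import os
import plistlib
import re
from glob import glob

LAUNCHD_DIRS = [
    "/System/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Locations a legitimate daemon rarely runs from; the quick commands point at
# /Users/Shared, /private/tmp and $TMPDIR (under /var/folders) as places to inspect.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/",
                    "/var/folders/", "/private/var/folders/")
INLINE_INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "osascript"}


def program_of(plist: dict) -> list:
    """Return the argv launchd will execute: Program, if set, replaces ProgramArguments[0]."""
    args = list(plist.get("ProgramArguments", []))
    if "Program" in plist:
        return [plist["Program"]] + args[1:]
    return args


def triage(plist: dict, source: str = "<memory>") -> dict:
    """Summarise one launchd job and list the review flags it trips."""
    argv = program_of(plist)
    flags = []
    if not argv:
        flags.append("no Program/ProgramArguments")
    paths = [a for a in argv if a.startswith("/")]          # every absolute path in argv
    if any(p.startswith(SUSPECT_PREFIXES) for p in paths):
        flags.append("path in temp/shared directory")
    if any(part.startswith(".") for p in paths for part in p.split("/") if part):
        flags.append("hidden path component")
    if argv and os.path.basename(argv[0]) in INLINE_INTERPRETERS \
            and any(a in ("-c", "-e") for a in argv[1:]):
        flags.append("interpreter with inline script")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        flags.append("RunAtLoad + KeepAlive (starts at boot/login and is restarted)")
    label = plist.get("Label", "")
    if label and not re.match(r"^[A-Za-z0-9_.-]+$", label):
        flags.append("unusual label characters")
    return {"source": source, "label": label, "argv": argv,
            "run_at_load": bool(plist.get("RunAtLoad")),
            "keep_alive": bool(plist.get("KeepAlive")),
            "start_interval": plist.get("StartInterval"), "flags": flags}


def triage_bytes(data: bytes, source: str = "<memory>") -> dict:
    """Triage a plist held in memory (XML or binary; plistlib detects the format)."""
    return triage(plistlib.loads(data), source)


def scan_launch_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Triage every *.plist in the launchd directories that exist on this host."""
    results = []
    for d in dirs:
        for path in sorted(glob(os.path.join(d, "*.plist"))):
            try:
                with open(path, "rb") as fh:
                    results.append(triage(plistlib.load(fh), path))
            except Exception as exc:            # an unparseable plist is itself worth a look
                results.append({"source": path, "label": "", "argv": [],
                                "flags": [f"unparseable: {exc}"]})
    return results


# Constructed samples (not from any real incident): a plain agent and one that trips flags.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.update helper</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>-c</string><string>/Users/Shared/.cache/run.sh</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        r = triage_bytes(sample)
        print(r["label"], r["argv"], r["flags"])
    for r in scan_launch_dirs():                # live host: only jobs with flags
        if r["flags"]:
            print(r["source"], r["flags"])
```

A flag is a reason to look, not a verdict: a legitimate agent can use KeepAlive, and a malicious one can sit in /Library/LaunchDaemons with a clean label, so follow up with `codesign -dv` on the program and the quarantine and browser records for where it came from.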
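Worked example for item 13 of the forensics quick reference (Safari and Chrome history), item 8 of the quick commands (reading SQLite databases) and the `com.apple.LaunchServices.QuarantineEventsV2` entry in the key-files list. The raw `SELECT *` queries above return timestamps in three different epochs, so the records cannot be compared until they are normalised: Safari's `history_visits.visit_time` and the quarantine database's `LSQuarantineTimeStamp` count seconds since 2001-01-01 (Cocoa time), while Chrome's `urls.last_visit_time` counts microseconds since 1601-01-01 (WebKit time). The Python below, an added example and not the author's code, converts all three to UTC and merges them into one timeline. The table and column names are the ones commonly documented for these databases, not taken from this page; confirm them on the image with `sqlite3 <db> .schema` as in item 8. The three in-memory databases it builds are constructed sample data.

```python
"""Merge Safari history, Chrome history and quarantine events into one UTC timeline.

Added example for this post, not the author's code. Schemas are the commonly
documented ones for these files; verify with `.schema` before relying on them.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)    # Safari, QuarantineEventsV2
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome


def cocoa_to_utc(seconds: float) -> datetime:
    return COCOA_EPOCH + timedelta(seconds=seconds)


def webkit_to_utc(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a live database without modifying it (copy it off the host first where possible)."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def safari_events(conn):
    rows = conn.execute("""SELECT v.visit_time, i.url, v.title
                           FROM history_visits v JOIN history_items i ON i.id = v.history_item""")
    return [(cocoa_to_utc(t), "safari", url, title or "") for t, url, title in rows]


def chrome_events(conn):
    rows = conn.execute("SELECT last_visit_time, url, title FROM urls WHERE last_visit_time > 0")
    return [(webkit_to_utc(t), "chrome", url, title or "") for t, url, title in rows]


def quarantine_events(conn):
    rows = conn.execute("""SELECT LSQuarantineTimeStamp, LSQuarantineDataURLString,
                                  LSQuarantineAgentName, LSQuarantineOriginURLString
                           FROM LSQuarantineEvent""")
    return [(cocoa_to_utc(t), "quarantine", data_url or "", f"{agent} <- {origin or ''}")
            for t, data_url, agent, origin in rows]


def build_timeline(safari_db, chrome_db, quarantine_db) -> list:
    """Return (iso_utc, source, url, note) tuples sorted oldest first."""
    events = safari_events(safari_db) + chrome_events(chrome_db) + quarantine_events(quarantine_db)
    events.sort(key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, url, note) for ts, src, url, note in events]


def make_sample_dbs():
    """Constructed in-memory stand-ins for the three databases (sample data, not from a real host)."""
    safari = sqlite3.connect(":memory:")
    safari.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, domain_expansion TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER, visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.test/download', 'example', 1);
        INSERT INTO history_visits VALUES (1, 1, 700000000.0, 'Download page');
    """)
    chrome = sqlite3.connect(":memory:")
    chrome.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.test/', 'Example', 3, 13322779200000000);
    """)
    quarantine = sqlite3.connect(":memory:")
    quarantine.executescript("""
        CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL,
            LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT,
            LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT);
        INSERT INTO LSQuarantineEvent VALUES ('00000000-0000-0000-0000-000000000001', 700000100.0,
            'com.apple.Safari', 'Safari', 'https://example.test/files/tool.dmg', 'https://example.test/download');
    """)
    return safari, chrome, quarantine


if __name__ == "__main__":
    for row in build_timeline(*make_sample_dbs()):
        print(*row)
```

On a live image replace `make_sample_dbs()` with `open_readonly()` on `~/Library/Safari/History.db`, `~/Library/Application Support/Google/Chrome/Default/History` and `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2` for each user, which is exactly what the one-click script above copies out.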
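Worked example for item 17 of the forensics quick reference (file integrity with `shasum -a 256` and `cmp /usr/bin/sudo /usr/bin/sudo.bak`) and item 7 of the quick commands (the shell startup files, a common place for persistence). The two commands on the page check one file at a time against one saved copy; the Python below, an added example and not the author's code, generalises that into a JSON baseline of SHA-256 hashes taken on a known-good host and compared with the live host, so added, removed and changed files are all reported. The path list follows the files named on this page; the baseline file name and the temp-directory demo scenario are this example's own assumptions.

```python
"""Baseline and re-check SHA-256 hashes of the files an investigation watches.

Added example for this post, not the author's script. WATCH_PATHS follows the
hosts/sudoers/paths/resolv.conf and shell-profile entries on the page.
"""
import hashlib
import json
import os
import tempfile

WATCH_PATHS = [
    "/etc/hosts", "/etc/sudoers", "/etc/profile", "/etc/paths", "/etc/resolv.conf",
    os.path.expanduser("~/.bash_profile"), os.path.expanduser("~/.bashrc"),
    os.path.expanduser("~/.zshrc"),
]
BASELINE_FILE = "integrity_baseline.json"   # assumed name, choose your own


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_paths(paths) -> dict:
    """Map each path to its SHA-256. Directories are walked; a missing file is
    recorded as None so that its later appearance shows up as 'added'."""
    out = {}
    for p in paths:
        if os.path.isdir(p):
            for root, _, files in os.walk(p):
                for name in files:
                    fp = os.path.join(root, name)
                    out[fp] = sha256_file(fp)
        elif os.path.isfile(p):
            out[p] = sha256_file(p)
        else:
            out[p] = None
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Diff two hash maps into added, removed and changed path lists."""
    added = sorted(p for p, h in current.items() if h is not None and baseline.get(p) is None)
    removed = sorted(p for p, h in baseline.items() if h is not None and current.get(p) is None)
    changed = sorted(p for p, h in baseline.items()
                     if h is not None and current.get(p) is not None and current[p] != h)
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(hashes: dict, path: str = BASELINE_FILE) -> None:
    with open(path, "w") as fh:
        json.dump(hashes, fh, indent=1, sort_keys=True)


def load_baseline(path: str = BASELINE_FILE) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline three paths (one not yet present),
    then append to one file and create the missing one, and report the difference."""
    d = tempfile.mkdtemp()
    profile, hosts, rc = (os.path.join(d, n) for n in ("profile", "hosts", ".bashrc"))
    with open(profile, "w") as fh:
        fh.write("export PATH=/usr/bin:/bin\n")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    baseline = hash_paths([profile, hosts, rc])          # rc does not exist yet -> None
    with open(profile, "a") as fh:
        fh.write("# line appended after the baseline\n")
    with open(rc, "w") as fh:
        fh.write("alias ls='ls -G'\n")
    return compare(baseline, hash_paths([profile, hosts, rc]))


if __name__ == "__main__":
    print(demo())
    # Real use: run once on a clean host, then again during triage.
    # save_baseline(hash_paths(WATCH_PATHS)); print(compare(load_baseline(), hash_paths(WATCH_PATHS)))
```

A baseline is only as trustworthy as the host it was taken on and the place it is stored; keep it off the examined machine, as the one-click script keeps its collection archive, and compare against the hashes before drawing conclusions from a single `cmp`.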