Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

MacOS forensics and anti-forensics (DC Lviv 2019) presentation

O
OlehLevytskyi1

MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)

1 of 59
Download to read offline
Mac OS forensics and anti-forensics (tips and tricks)
Cyber security analyst with UD PowerShell anarchist MacOS malware analyst … and active linux user Contacts: /LeOleg /LeOleg97 Whoami
Step 1. Choose Topic. Ghidra
+ =
Step 1.5 Choose another topic
Step 2. Problem formulation Growth of market share: Growth of MacOS malware:
NOT Purpose of the presentation Mac Malware exists
Point of view Reverse engineering Malware analysis & forensics Digital forensics
What is computer forensics? Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
Anti Forensics
Current Mac OS security and AV engines state
I’m not kidding... Real life case… Real fake AV Price: 150 $
Mac Security mechanisms. Quarantine $ xattr -l $file <<< OSX.Adware.Genieo
Quarantine bypass Quarantine is only one time attribute. ^^^ OSX.PUA.InstallCore
Quarantine db and KMDItemWhereFroms $ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* $ mdls -name kMDItemWhereFroms $file
Downloads information $ ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* $ mdls -name kMDItemWhereFroms $file Your browser knows everything about you: Safari: ~/Library/Safari/Downloads.plist Chrome: ~/Library/Application Support/Google/Chrome/*/DownloadMetadata
Downloads information covering tracks? $ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'delete from LSQuarantineEvent' $ xattr -d com.apple.metadata:kMDItemWhereFroms $file $ xattr -w com.apple.metadata:kMDItemWhereFroms http://lol.com $file
Mac Security mechanisms. GateKeeper $ spctl -a $file $ codesign -dvvv $file ^^^ OSX.Adware.Pirrit $ pkgutil --check-signature $pkg
GateKeeper bypass 1) GateKeeper is only one time attribute too 2) Based on quarantine.
Mac Security mechanisms. XProtect 1) Only checks “quarantine” files 2) Small numbers of signatures 3) limited only on signature based analysis 4) Sometimes updates signatures
Signature based AV engines have no future Malware Samples (April 2019): OSX.Adware.Pirrit (2017 year):
TCC.db (Transparency, Consent, and Control)
System Integrity Protection ● protection of contents and file-system permissions of system files and directories; ● protection of processes against code injection, runtime attachment (like debugging) and DTrace; ● protection against unsigned kernel extensions ("kexts"). $ csrutil status “[any] piece of malware is one password or vulnerability away from taking full control of the device” Apple (c)
SIP bypass new technique using ssh Video link: https://youtu.be/UPr6R2BQUU4 ~/.ssh/authorized_keys scp $file :/$safari_extz_fold
Inventatisation. System info $ system_profiler -xml -detaillevel full >> system_info.spx Contains: ● Hardware information ● USB information ● Network information ● Firewall settings ● Mounted Volumes ● System Information ● Applications ● Kernel Extensions ● Log Data
General system info Network configurations: networksetup DNS configurations: scutil --dns Adapters: ifconfig File /etc/hosts Keychain configurations Who is logged: who or w Shares ~/.ssh/authorized_keys netstat lsof -i ~/.bash_history Local accounts: /etc/passwd Defaults instructions: https://github.com/ernw/hardening/blob/master/operatin g_system/osx/10.14/ERNW_Hardening_OS_X_Mojave. md ^^^ OSX.Malware.MaMi
Mac persistence Type Location Run on behalf of Login Item Apple menu > System Preferences > Users & Groups > Login Items or My.app/Contents/Library/LoginItems Currently logged in user User Agents ~/Library/LaunchAgents Currently logged in user Global Agents /Library/LaunchAgents Currently logged in user Global Daemons /Library/LaunchDaemons root or the user specified with the key UserName System Agents /System/Library/LaunchAgents Currently logged in user System Daemons /System/Library/LaunchDaemons root or the user specified with the key UserName Crontabs, login, logout hooks, login items...
Launch Agents/Daemons. What can be found there? <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.example.app</string> <key>Program</key> <string>/Users/Me/Scripts/example.sh</string> <key>RunAtLoad</key> <true/> </dict> </plist>
Not typical persistence example ^^^ OSX.Adware.MaxOfferDeals Compliant
Process exploration Johns-Mac:tmp johndoe$ ps aux | grep -i osascript johndoe 50813 2.5 0.3 2488260 6168 ?? R 11:22AM 0:00.04 /usr/bin/osascript -e if application "Safari" is running then 012011run script "tell application "Safari" to return URL of front document" 012end if Johns-Mac:tmp johndoe$ ps aux | grep -i osascript johndoe 50819 13.4 0.3 2489356 7276 ?? R 11:22AM 0:00.08 /usr/bin/osascript -e if application "Safari" is running then 012011run script "tell application "Safari" to return URL of front document" 012end if OSX.Adware.Pirrit
Stat LastAccessTime=$(date -u -r `stat -r "$Path"| cut -d" " -f9` +"%Y-%m-%d %T") LastModifiedTime=$(date -u -r `stat -r "$Path"| cut -d" " -f10` +"%Y-%m-%d %T") LastChangeTime=$(date -u -r `stat -r "$Path"| cut -d" " -f11` +"%Y-%m-%d %T")
MDLS Metadata list $ mdls -name $kMDItem $file: ● kMDItemWhereFroms ● kMDItemContentCreationDate ● kMDItemContentModificationDate ● kMDItemDateAdded ● kMDItemFSContentChangeDate ● kMDItemFSCreationDate
Recent places Remove Recent Places: $ defaults delete -g NSNavRecentPlaces 5 most recently accessed folders:
Recent items $ sfltool dump-storage ~/Library/Application Support/com.apple.sharedfilelist: ● com.apple.LSSharedFileList.FavoriteItems.sfl ● com.apple.LSSharedFileList.ProjectsItems.sfl ● com.apple.LSSharedFileList.RecentApplications.sfl ● com.apple.LSSharedFileList.RecentDocuments.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.console.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.ichat.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.preview.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.textedit.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.microsoft.vscode.sfl ...
Recent items
Diagnostic reports logs (10.13+) https://github.com/CrowdStrike/Forensics/tree/master/CoreAnalyticsParser $ /Library/Logs/DiagnosticReports/ |_ .core_analytics files $ /private/var/db/analyticsd/aggregates/ |_ .core_analytics files Presents program execution history
Application install history $ /usr/libexec/PlistBuddy -c "Print" /Library/Receipts/InstallHistory.plist Mounted drives during this session: $ /var/log/install.log
Time to eat pizza =)
Moving on ...
Mac Logs. What?
Mac Logs (upd 2020) https://www.mac4n6.com/
Mac Logs. What about script execution logging?
AppleScript malicious execution
Browser info What can be interesting there? ● History ● Extensions ● Downloads ● Last session ● Safari cache
Malicious profiles
Apple restricts access to multiple folders
Apple restricts access to Safari folder Well Done, Apple!
Wi-Fi connections /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist History of Wi-Fi connections, Wi-Fi connection type
Basic timeline creation $ mdfind '((kMDItemContentModificationDate > $time.now(-1440m)) && (kMDItemContentModificationDate < $time.now()))'
Timeline bypass?
.fseventd and Spotlight Spotlight is the name of the indexing system which comes built into macOS. It is responsible for continuous indexing of files and folders on all attached volumes. It keeps a copy of all metadata for almost every single file and folder on disk. Parser link: https://github.com/ydkhatri/spotlight_parser /.fseventsd is a log directory with files of "(F)ile (S)ystem (EVENTS), logged by the a (D)aemon", that basically monitor file system changes. Parser link: https://github.com/dlcowen/FSEventsParser
.fseventd and Spotlight Spotlight is the name of the indexing system which comes built into macOS. It is responsible for continuous indexing of files and folders on all attached volumes. It keeps a copy of all metadata for almost every single file and folder on disk. Parser link: https://github.com/ydkhatri/spotlight_parser /.fseventsd is a log directory with files of "(F)ile (S)ystem (EVENTS), logged by the a (D)aemon", that basically monitor file system changes. Parser link: https://github.com/dlcowen/FSEventsParser
Live monitoring Sysmon like monitoring tool: Xnumon:X https://github.com/droe/xnumon/tree/master
Live monitoring (upd 2020)
CmdReporter Splunk integration
All artifacts list (upd 2020) https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_ GNGpX8/edit#gid=1317205466
Where to find more information? Inspiration list ● Grr - Google Rapid Response: remote live forensics for incident response ● Osquery - SQL powered operating system instrumentation, monitoring, and analytics ● Objective see - https://objective-see.com/ ● Patrick Wardle - https://www.youtube.com/channel/UCfJ9rcyHeYzGbWFdEq9jVJA ● https://github.com/mathiasbynens/dotfiles/blob/master/.macos ● SANS courses ● https://www.mac4n6.com/ - great blog with great forensics articles ● https://www.cmdsec.com/ - great tool for security monitoring of MacOS based systems
Thanks for attending us

More Related Content

MacOS forensics and anti-forensics (DC Lviv 2019) presentation

  • 1. Mac OS forensics and anti-forensics (tips and tricks)
  • 2. Cyber security analyst with UD PowerShell anarchist MacOS malware analyst … and active linux user Contacts: /LeOleg /LeOleg97 Whoami
  • 3. Step 1. Choose Topic. Ghidra
  • 4. + =
  • 5. Step 1.5 Choose another topic
  • 6. Step 2. Problem formulation Growth of market share: Growth of MacOS malware:
  • 7. NOT Purpose of the presentation Mac Malware exists
  • 8. Point of view Reverse engineering Malware analysis & forensics Digital forensics
  • 9. What is computer forensics? Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
  • 12. Current Mac OS security and AV engines state
  • 13. I’m not kidding... Real life case… Real fake AV Price: 150 $
  • 14. Mac Security mechanisms. Quarantine $ xattr -l $file <<< OSX.Adware.Genieo
  • 15. Quarantine bypass Quarantine is only one time attribute. ^^^ OSX.PUA.InstallCore
  • 16. Quarantine db and KMDItemWhereFroms $ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* $ mdls -name kMDItemWhereFroms $file
  • 17. Downloads information $ ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* $ mdls -name kMDItemWhereFroms $file Your browser knows everything about you: Safari: ~/Library/Safari/Downloads.plist Chrome: ~/Library/Application Support/Google/Chrome/*/DownloadMetadata
  • 18. Downloads information covering tracks? $ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'delete from LSQuarantineEvent' $ xattr -d com.apple.metadata:kMDItemWhereFroms $file $ xattr -w com.apple.metadata:kMDItemWhereFroms http://lol.com $file
  • 19. Mac Security mechanisms. GateKeeper $ spctl -a $file $ codesign -dvvv $file ^^^ OSX.Adware.Pirrit $ pkgutil --check-signature $pkg
  • 20. GateKeeper bypass 1) GateKeeper is only one time attribute too 2) Based on quarantine.
  • 21. Mac Security mechanisms. XProtect 1) Only checks “quarantine” files 2) Small numbers of signatures 3) limited only on signature based analysis 4) Sometimes updates signatures
  • 22. Signature based AV engines have no future Malware Samples (April 2019): OSX.Adware.Pirrit (2017 year):
  • 24. System Integrity Protection ● protection of contents and file-system permissions of system files and directories; ● protection of processes against code injection, runtime attachment (like debugging) and DTrace; ● protection against unsigned kernel extensions ("kexts"). $ csrutil status “[any] piece of malware is one password or vulnerability away from taking full control of the device” Apple (c)
  • 25. SIP bypass new technique using ssh Video link: https://youtu.be/UPr6R2BQUU4 ~/.ssh/authorized_keys scp $file :/$safari_extz_fold
  • 26. Inventatisation. System info $ system_profiler -xml -detaillevel full >> system_info.spx Contains: ● Hardware information ● USB information ● Network information ● Firewall settings ● Mounted Volumes ● System Information ● Applications ● Kernel Extensions ● Log Data
  • 27. General system info Network configurations: networksetup DNS configurations: scutil --dns Adapters: ifconfig File /etc/hosts Keychain configurations Who is logged: who or w Shares ~/.ssh/authorized_keys netstat lsof -i ~/.bash_history Local accounts: /etc/passwd Defaults instructions: https://github.com/ernw/hardening/blob/master/operatin g_system/osx/10.14/ERNW_Hardening_OS_X_Mojave. md ^^^ OSX.Malware.MaMi
  • 28. Mac persistence Type Location Run on behalf of Login Item Apple menu > System Preferences > Users & Groups > Login Items or My.app/Contents/Library/LoginItems Currently logged in user User Agents ~/Library/LaunchAgents Currently logged in user Global Agents /Library/LaunchAgents Currently logged in user Global Daemons /Library/LaunchDaemons root or the user specified with the key UserName System Agents /System/Library/LaunchAgents Currently logged in user System Daemons /System/Library/LaunchDaemons root or the user specified with the key UserName Crontabs, login, logout hooks, login items...
  • 29. Launch Agents/Daemons. What can be found there? <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.example.app</string> <key>Program</key> <string>/Users/Me/Scripts/example.sh</string> <key>RunAtLoad</key> <true/> </dict> </plist>
  • 30. Not typical persistence example ^^^ OSX.Adware.MaxOfferDeals Compliant
  • 31. Process exploration Johns-Mac:tmp johndoe$ ps aux | grep -i osascript johndoe 50813 2.5 0.3 2488260 6168 ?? R 11:22AM 0:00.04 /usr/bin/osascript -e if application "Safari" is running then 012011run script "tell application "Safari" to return URL of front document" 012end if Johns-Mac:tmp johndoe$ ps aux | grep -i osascript johndoe 50819 13.4 0.3 2489356 7276 ?? R 11:22AM 0:00.08 /usr/bin/osascript -e if application "Safari" is running then 012011run script "tell application "Safari" to return URL of front document" 012end if OSX.Adware.Pirrit
  • 32. Stat LastAccessTime=$(date -u -r `stat -r "$Path"| cut -d" " -f9` +"%Y-%m-%d %T") LastModifiedTime=$(date -u -r `stat -r "$Path"| cut -d" " -f10` +"%Y-%m-%d %T") LastChangeTime=$(date -u -r `stat -r "$Path"| cut -d" " -f11` +"%Y-%m-%d %T")
  • 33. MDLS Metadata list $ mdls -name $kMDItem $file: ● kMDItemWhereFroms ● kMDItemContentCreationDate ● kMDItemContentModificationDate ● kMDItemDateAdded ● kMDItemFSContentChangeDate ● kMDItemFSCreationDate
  • 34. Recent places Remove Recent Places: $ defaults delete -g NSNavRecentPlaces 5 most recently accessed folders:
  • 35. Recent items $ sfltool dump-storage ~/Library/Application Support/com.apple.sharedfilelist: ● com.apple.LSSharedFileList.FavoriteItems.sfl ● com.apple.LSSharedFileList.ProjectsItems.sfl ● com.apple.LSSharedFileList.RecentApplications.sfl ● com.apple.LSSharedFileList.RecentDocuments.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.console.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.ichat.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.preview.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.textedit.sfl ● com.apple.LSSharedFileList.ApplicationRecentDocuments/com.microsoft.vscode.sfl ...
  • 37. Diagnostic reports logs (10.13+) https://github.com/CrowdStrike/Forensics/tree/master/CoreAnalyticsParser $ /Library/Logs/DiagnosticReports/ |_ .core_analytics files $ /private/var/db/analyticsd/aggregates/ |_ .core_analytics files Presents program execution history
  • 38. Application install history $ /usr/libexec/PlistBuddy -c "Print" /Library/Receipts/InstallHistory.plist Mounted drives during this session: $ /var/log/install.log
  • 39. Time to eat pizza =)
  • 42. Mac Logs (upd 2020) https://www.mac4n6.com/
  • 43. Mac Logs. What about script execution logging?
  • 45. Browser info What can be interesting there? ● History ● Extensions ● Downloads ● Last session ● Safari cache
  • 47. Apple restricts access to multiple folders
  • 48. Apple restricts access to Safari folder Well Done, Apple!
  • 50. Basic timeline creation $ mdfind '((kMDItemContentModificationDate > $time.now(-1440m)) && (kMDItemContentModificationDate < $time.now()))'
  • 52. .fseventd and Spotlight Spotlight is the name of the indexing system which comes built into macOS. It is responsible for continuous indexing of files and folders on all attached volumes. It keeps a copy of all metadata for almost every single file and folder on disk. Parser link: https://github.com/ydkhatri/spotlight_parser /.fseventsd is a log directory with files of "(F)ile (S)ystem (EVENTS), logged by the a (D)aemon", that basically monitor file system changes. Parser link: https://github.com/dlcowen/FSEventsParser
  • 53. .fseventd and Spotlight Spotlight is the name of the indexing system which comes built into macOS. It is responsible for continuous indexing of files and folders on all attached volumes. It keeps a copy of all metadata for almost every single file and folder on disk. Parser link: https://github.com/ydkhatri/spotlight_parser /.fseventsd is a log directory with files of "(F)ile (S)ystem (EVENTS), logged by the a (D)aemon", that basically monitor file system changes. Parser link: https://github.com/dlcowen/FSEventsParser
  • 54. Live monitoring Sysmon like monitoring tool: Xnumon:X https://github.com/droe/xnumon/tree/master
  • 57. All artifacts list (upd 2020) https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_ GNGpX8/edit#gid=1317205466
  • 58. Where to find more information? Inspiration list ● Grr - Google Rapid Response: remote live forensics for incident response ● Osquery - SQL powered operating system instrumentation, monitoring, and analytics ● Objective see - https://objective-see.com/ ● Patrick Wardle - https://www.youtube.com/channel/UCfJ9rcyHeYzGbWFdEq9jVJA ● https://github.com/mathiasbynens/dotfiles/blob/master/.macos ● SANS courses ● https://www.mac4n6.com/ - great blog with great forensics articles ● https://www.cmdsec.com/ - great tool for security monitoring of MacOS based systems