Mac OS X Live Forensics 104
Hey All. Welcome back to another update in Mac OS X Live Forensics Tips and Tricks!
First, I really wanted to let you know about a great command line tool I recently came across: fs_usage
fs_usage reports all system calls and seg faults from the filesystem in real time, which means it can used much like the popular Windows' sysinternals tool, filemon, which monitors reads and writes to the filesystem. This tool can be a godsend for monitoring the execution of a single process and how it touches the file system.
So if malware can write to the file system, there are few places it could write to, which would enable it to persist on reboot. Thus, this time we are going to talk about Mac OS X malware persistence, and a few other cool tools to help your OS X live response. If your unfamiliar with malware persistence, there are a lot of great talks out there and this should be considered background theory going into this article. Mac OS X is interesting because there are numerous legacy linux auto-start options, a few Windows-like options, as well as a bunch of OS X specific auto-start options. The following persistence options are pretty well documented, but if there are a few I have missed please feel free to add them to the comments! With that, let's jump right into it, the following are various locations in the Mac OS X file system that are used for auto-starting execution:
Low Level Boot Persistence:
First, I really wanted to let you know about a great command line tool I recently came across: fs_usage
fs_usage reports all system calls and seg faults from the filesystem in real time, which means it can used much like the popular Windows' sysinternals tool, filemon, which monitors reads and writes to the filesystem. This tool can be a godsend for monitoring the execution of a single process and how it touches the file system.
So if malware can write to the file system, there are few places it could write to, which would enable it to persist on reboot. Thus, this time we are going to talk about Mac OS X malware persistence, and a few other cool tools to help your OS X live response. If your unfamiliar with malware persistence, there are a lot of great talks out there and this should be considered background theory going into this article. Mac OS X is interesting because there are numerous legacy linux auto-start options, a few Windows-like options, as well as a bunch of OS X specific auto-start options. The following persistence options are pretty well documented, but if there are a few I have missed please feel free to add them to the comments! With that, let's jump right into it, the following are various locations in the Mac OS X file system that are used for auto-starting execution:
Low Level Boot Persistence:
- patch the boot.efi file
- Install malicious EFI components
Kernel Extensions:
- /Library/Extensions/
- /System/Library/Extensions/
Launch Deamons:
- /Library/LaunchDaemons/
- /System/Library/LaunchDaemons/
Launch Agents:
- ~/Library/LaunchAgents/
- /Library/LaunchAgents/
- /System/Library/LaunchAgents/
Startup Items:
- /Library/StartupItems/
- /System/Library/StartupItems/
Login Hooks:
- /private/var/root/Library/Preferences/com.apple.loginwindow.plist
Login Items:
- ~/Library/Preferences/com.apple.loginitems.plist
- [application].app/Contents/Library/LoginItems/
Login Items per Sandboxed Apps:
- /private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist
XPC Services:
- [application].app/Contents/XPCServices/
- /System/Library/XPCServices/
Re-opened Apps:
- ~/Library/Preferences/ByHost/com.apple.loginwindow.[hardware UUID].plist
rc.common:
- /etc/rc.common
launchd.conf:
- /etc/launchd.conf
Cron:
- crontab -l
Shell:
- ~/.profile
- ~/.bashrc
- /etc/profile
- /etc/bashrc
- /etc/cshrc
- /etc/cshlogin
- /etc/ttys
Depreciated:
- ~/.MacOSX/environment.plist
- /Library/Preferences/com.apple.SystemLoginItems.plist
So not surprisingly, these items are pretty hard to detect, due to the sheer amount of places you have to look to makes sure you've covered all of the locations. Luckily, there is a really useful python script called knockknock, that will show you all of the startup items you have enabled on your machine. By default it's output excludes apple signed binaries and known benign startup items, thus you can output all potentially malicious autostart applications by simply issuing: python knockknock.py
However if you want to see all of your autostart items, issue: python knockknock.py -a -w
However if you want to see all of your autostart items, issue: python knockknock.py -a -w
Enjoy All!! And let me know in the comments if you find any interesting applications on your device that are enabled to auto-start!