Investigating macOS Endpoint Compromises: Key Indicators for Uncovering System Threats

Date: Published on 5th February, 2022

By Sivaraju Kuraku

Introduction

In today’s digital landscape, the security of macOS systems is of paramount importance. As the sophistication of malware and other malicious activities increases, so does the need for robust investigative practices. Understanding where to look and what to look for can make the difference between a secure system and a compromised one. This article provides a comprehensive guide to key file paths and indicators of compromise in macOS systems, equipping users and administrators with the knowledge needed to detect and address potential threats.

Launch Agents and Daemons

Red Flags:

  • Unknown plist files
  • Random or obfuscated names
  • Executables in odd locations

What to Look For:

Malware often persists through launch agents and daemons. Inspect for software launching from non-standard locations or recent plist files unrelated to installed apps. Verify recent file modifications against known software installations.

Key Locations:

  • System-wide Launch Agents: /Library/LaunchAgents/
  • System-wide Launch Daemons: /Library/LaunchDaemons/
  • User-specific Launch Agents: ~/Library/LaunchAgents/
  • System Launch Daemons (Apple): /System/Library/LaunchDaemons/
  • User Launch Agents (Apple, deprecated): /System/Library/LaunchAgents/
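As an added example that is not part of the original article, the following Python script applies the red flags above to a launchd plist: odd executable location, hidden directory, random-looking label, and a persistent RunAtLoad/KeepAlive pairing. The expected-location list and the label heuristic are assumptions to tune, and both sample plists are constructed rather than taken from a real host.

```python
import plistlib
import re

# Directories a legitimately installed program normally runs from; anything
# else is reported as an "odd location". This list is an assumption to tune.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/",
                     "/Applications/", "/opt/")
# A label that is one run of letters and digits, with none of the reverse-DNS
# dots of com.vendor.product, is treated as random or obfuscated (heuristic).
RANDOM_LABEL = re.compile(r"^[A-Za-z0-9]{8,}$")

def triage_plist(data: bytes) -> list:
    """Return the red flags found in one launchd plist (empty list if none)."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments key"]
    flags = []
    if not program.startswith(EXPECTED_PREFIXES):
        flags.append(f"executable in odd location: {program}")
    if "/." in program:
        flags.append(f"executable inside a hidden directory: {program}")
    if not label or RANDOM_LABEL.match(label):
        flags.append(f"random or obfuscated label: {label!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        flags.append("RunAtLoad with KeepAlive: relaunched whenever it exits")
    return flags

# Constructed sample plists (not captured from a real system).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>a8f3kq9z2m1x</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Library/PrivilegedHelperTools/com.example.helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_plist(blob) or ["no red flags"])
```

On a real system, read each .plist under the key locations listed above and pass its bytes to triage_plist(); a flagged file is a lead to verify against installed software, not a verdict.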

Application Support and Scripts

Red Flags:

  • Files unrelated to any installed application
  • Hidden directories or files
  • Unexpected scripts in application support folders

What to Look For:

Check for newly added scripts or binaries, especially if hidden or in unknown application directories. Suspicious automation scripts not part of regular operations should be scrutinized.

Key Locations:

  • User Application Support: ~/Library/Application Support/
  • System Application Support: /Library/Application Support/

Cron Jobs and Periodic Tasks

Red Flags:

  • Unusual entries in user or system crontab
  • Tasks scheduled at odd times
  • Execution of unfamiliar scripts

What to Look For:

Investigate the frequency and nature of scheduled tasks. Any unfamiliar command or script warrants further examination to determine its purpose and origin.

Key Locations:

  • User Crontab: Use crontab -l
  • System-wide Crontab: /etc/crontab
  • Periodic Tasks: /etc/periodic/

Login and Startup Items

Red Flags:

  • Services or scripts running at login not configured by the user
  • Unknown applications in Startup Items

What to Look For:

Verify that each login item is intentionally configured to start at login. Any unknown or unexpected application warrants further investigation for persistence mechanisms.

Key Locations:

  • Login Items: System Preferences > Users & Groups > Login items
  • Startup Items (Deprecated): /Library/StartupItems/

Kernel Extensions and Profiles

Kernel Extensions:

  • Key Locations: /Library/Extensions/, /System/Library/Extensions/ (older macOS versions)

Profiles:

Red Flags:

  • Profiles controlling critical settings or installing certificates without user consent

What to Look For:

Examine each profile’s source and purpose. Unfamiliar profiles, especially those affecting security-sensitive settings or installing new certificates, should be investigated.

Browser Extensions, Cookies, and System Configuration

Browser Extensions and Cookies:

Red Flags:

  • Extensions or cookies from unknown sources
  • Broad permissions
  • Extensions installed without user consent

What to Look For:

Review developer information, required permissions, and functionality of each extension. For cookies, focus on those from unfamiliar domains.

Key Locations:

  • Safari, Chrome, and Firefox extension and profile directories

Gatekeeper and XProtect Configuration:

Red Flags:

  • Unauthorized changes to Gatekeeper or XProtect settings

What to Look For:

Ensure Gatekeeper allows apps only from identified developers and the App Store, and that XProtect is up to date.

System Investigation and Remediation Commands

Process Checks:

  • ps aux: Lists all running processes with detailed info
  • ps -axo pid,ppid,user,command: Displays processes along with their parent process ID
  • ps -lp [PID]: Provides detailed information about a specific process
  • kill -9 [pid]: Forcefully terminates a process

Scheduled Tasks (CronTabs) Checks:

  • List Scheduled Tasks (Crontabs): crontab -l
  • List Scheduled Tasks for Specific User: sudo crontab -l -u [username]
  • List Scheduled Scripts: sudo ls -l /etc/periodic/daily/ /etc/periodic/weekly/ /etc/periodic/monthly/
  • Remove All Scheduled Tasks: crontab -r
  • Remove Scheduled Tasks for Specific User: sudo crontab -r -u [username]
  • Backup Scheduled Tasks: crontab -l > crontab_backup.txt
  • Backup Scheduled Tasks for Specific User: sudo crontab -l -u [username] > crontab_backup_[username].txt

Services (Launch Agents and Daemons) Management:

  • List All Services: launchctl list
  • Load a Service: launchctl load -F /path/to/plist
  • Unload a Service: launchctl unload /path/to/plist
  • Start a Service: launchctl start [service_name]
  • Stop a Service: launchctl stop [service_name]
  • Remove a Service: launchctl remove [service_name]

Network Connections Checks:

  • lsof -i: Lists all network connections
  • lsof -i | grep ESTABLISHED: Filters for established network connections
  • sudo lsof -i -P | grep -i "listen": Shows processes listening on ports
  • netstat -an (or netstat -a): Displays all network connections and listening ports
  • lsof -i | grep ESTABLISHED | awk '{print $9}': Prints only the local->remote endpoints of established connections
  • kill -9 [pid]: Forcefully terminates the process that owns a connection
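To make the lsof output above easier to review, here is an added Python parser (not from the article) that splits `sudo lsof -i -P -n` lines into records and separates listening sockets from established connections, so an unfamiliar process or remote peer stands out. The sample output is constructed; 203.0.113.7 is a documentation address standing in for an unknown remote host.

```python
import re
from typing import NamedTuple, Optional

class Sock(NamedTuple):
    command: str
    pid: int
    user: str
    proto: str
    local: str
    remote: Optional[str]
    state: Optional[str]

# lsof's NAME column is local[->remote] [(STATE)] for TCP; UDP sockets carry no state.
NAME_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?(?: \((?P<state>[A-Z_]+)\))?$")

def parse_lsof(text: str) -> list:
    """Parse `lsof -i -P -n` output into Sock records; header and junk lines are skipped."""
    socks = []
    for line in text.splitlines():
        fields = line.split(None, 8)  # NAME is field 9, the column awk '{print $9}' reads
        if len(fields) < 9 or not fields[1].isdigit():  # header row or malformed line
            continue
        command, pid, user, _fd, _type, _dev, _size, proto, name = fields
        m = NAME_RE.match(name.strip())
        if m:
            socks.append(Sock(command, int(pid), user, proto, m["local"], m["remote"], m["state"]))
    return socks

def listeners(socks):
    """(command, pid, local address) for every socket in LISTEN state."""
    return [(s.command, s.pid, s.local) for s in socks if s.state == "LISTEN"]

def established(socks):
    """(command, pid, remote endpoint) for every ESTABLISHED TCP connection."""
    return [(s.command, s.pid, s.remote) for s in socks if s.state == "ESTABLISHED"]

# Constructed sample output (not captured from a real host); 203.0.113.7 is a
# documentation-range address used here as the unfamiliar remote peer.
SAMPLE = """COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd      1  root   10u  IPv6 0x1a        0t0  TCP *:22 (LISTEN)
updater   4242  alice   3u  IPv4 0x2b        0t0  TCP 192.168.1.20:52344->203.0.113.7:4444 (ESTABLISHED)
mDNSResponder 311 _mdnsresponder 8u IPv4 0x3c 0t0 UDP *:5353
"""

if __name__ == "__main__":
    socks = parse_lsof(SAMPLE)
    print("listening:", listeners(socks))
    print("established:", established(socks))
```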

User Sessions and Logs Management:

  • dscl . -list /Users | grep -v '^_': Lists user accounts, excluding system users
  • dscl . -list /Groups | grep -v "^_": Lists all groups, excluding system entities
  • sudo dscl . -delete /Users/Guest: Deletes the specified user account (here, Guest)
  • ps aux | grep 'username': Lists all the processes currently running for a user named 'username'
  • who or w: Displays who is currently logged in
  • last: Shows a record of user logins and logouts
  • Check system logs for errors and failures: log show --predicate 'eventMessage contains "failed" OR eventMessage contains "error"' --last 24h
  • Check Unauthorized Login Attempts:
    • log show --predicate '(eventMessage contains "authentication" OR eventMessage contains "login") AND eventMessage contains "failed"' --last 48h
    • log show --predicate '(eventMessage contains "authentication" OR eventMessage contains "login") AND eventMessage contains "failed"' --start "2023-01-01" --end "2023-01-02"

Directory, File, and Volumes Inspection:

  • mkdir [directory_name]: Creates a new directory
  • mv [options] source destination: Moves or renames files or directories
  • find /Applications ~/Applications -iname "*.app": Searches for applications in standard locations
  • find /Applications ~/Applications -iname "*.app" -mtime -3: Finds applications modified in the last 3 days
  • find /Applications ~/Applications -iname "*.app" -exec ls -ld {} \; | grep -vE 'root +wheel': Lists applications not owned by root:wheel, with their details
  • Cache Inspection: ls -la /System/Library/Caches/ ~/Library/Caches/
  • /Volumes: Investigate mounted filesystems, including external drives and disk images
  • tar -cvf /path/to/archive.tar /path/to/suspicious.app: Creates an archive file of a suspicious application
  • unzip [file.zip]: Extracts files from a ZIP archive
  • rm -r [directory]: Removes a directory and its contents recursively
  • rm -r -i [directory]: Interactively prompts for confirmation before deleting each file within a directory
  • sudo rm -rf /path/to/file: Forcefully removes a file or directory without asking for confirmation

Security Checks:

  • List Kernel Extensions: kextstat | grep -v com.apple
  • Check Installed Packages: pkgutil --pkgs
  • Verify Application Signatures: codesign -vvv /Applications/SomeApp.app
  • List Installed System Extensions: systemextensionsctl list
  • Monitor CPU and Memory Usage: top -o cpu
  • Check System Integrity Protection: csrutil status (reports SIP status only; Gatekeeper is a separate check)

Software Updates and Quarantine Flags Checks:

  • softwareupdate -l: Lists available software updates
  • softwareupdate -ia: Installs all available software updates
  • xattr -r ~/Downloads: Lists extended attributes of files in the Downloads folder; the com.apple.quarantine attribute marks downloads that Gatekeeper will check before they run

Blocking Malicious Sites on macOS

To block websites on a macOS system by editing the /etc/hosts file:

  1. Open Terminal
  2. Edit the Hosts File: sudo nano /etc/hosts
  3. Add Blocked Sites: 127.0.0.1 www.example.com (redirects the site to the local machine)
  4. Save and Exit: Press CTRL + X, then Y, and Enter
  5. Flush DNS Cache: sudo killall -HUP mDNSResponder

Conclusion

Investigating macOS system compromises requires a detailed understanding of where threats are likely to hide and what signs indicate their presence. By focusing on critical areas such as launch agents, daemons, application support folders, cron jobs, and kernel extensions, users can identify and mitigate risks effectively. Regular monitoring and maintenance, coupled with the best security practices, can significantly enhance the security posture of macOS systems, ensuring they remain resilient against evolving threats. With the right tools and vigilance, users can safeguard their systems from compromise and maintain a secure computing environment.
