Cheatsheet based on Patrick Wardle's talk: "Offensive Malware Analysis: Dissecting OSX FruitFly"

macos_monitoring.md

macOS X malware behavior monitoring (quick cheatsheet)

• Network:
  • tcpdump
  • Whireshark
  • LuLu
• OS X:
  • Check general logs: ~/Library/Logs/*
    • CoreAnalytics (>= OS X 10.13): /Library/Logs/DiagnosticReports/
    • Emond logs for persistence: /Library/Logs/EventMonitor/
  • ls -ltr ~/Library/LaunchAgents/*.plist
  • /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump (dump registered file handlers)
  • Certificates:
    • spctl --assess -v --type install <file>
    • codesign -dvvv <file>
• Filesystem:
  • fs_usage
• Process:
  • lsappinfo:
    • lsappinfo -v -all processlist (process list)
    • lsappinfo -v info <bundleID>
    • lsappinfo metainfo _(shows meta information of session, combine it with all for all sessions)
  • procMonitor
  • Task Explorer
  • ps
• Peripherals monitoring:
  • OverSight
  • sniffMK

(talk slides)