- Network:
  - tcpdump
  - Wireshark
  - LuLu
- OS X:
  - Check general logs:
    - ~/Library/Logs/*
  - CoreAnalytics (>= OS X 10.13):
    - /Library/Logs/DiagnosticReports/
  - Emond logs for persistence:
    - /Library/Logs/EventMonitor/
  - Launch agents and registered file handlers:
    - ls -ltr ~/Library/LaunchAgents/*.plist
    - /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump (dump registered file handlers)
  - Certificates:
    - spctl --assess -v --type install <file>
    - codesign -dvvv <file>
- Filesystem:
- Process:
  - lsappinfo
    - lsappinfo -v -all processlist (process list)
    - lsappinfo -v info <bundleID>
    - lsappinfo metainfo (shows meta information of the session; combine it with all for all sessions)
  - procMonitor
  - Task Explorer
  - ps
- Peripherals monitoring:
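The launch-agent check above (ls -ltr ~/Library/LaunchAgents/*.plist) only shows which plists exist and when they changed; what an analyst actually wants to know is what each one makes launchd run. The following is an added example, not part of the gist or of Patrick Wardle's tooling: it parses launchd plists with the standard-library plistlib and flags the persistence indicators worth a second look (RunAtLoad, KeepAlive, a program outside the usual system/app locations, an interpreter launched directly, or an argument pointing into a user-writable path). The two plists embedded below are constructed for illustration, and the trusted/user-writable prefix lists are the author's assumptions, not anything launchd defines.

```python
"""Triage launchd agent/daemon plists for persistence indicators (added example)."""
import plistlib
from pathlib import Path
from typing import Any, Dict, List

# Assumed prefixes: where a legitimately installed program's binary usually lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Assumed prefixes: user-writable locations where a staged payload is commonly dropped.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
# A bare interpreter as the program means the real payload is in the arguments.
INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "zsh", "osascript"}


def launch_command(plist: Dict[str, Any]) -> List[str]:
    """Return the argv launchd would execute: Program overrides ProgramArguments[0]."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if plist.get("Program"):
        args = [str(plist["Program"])] + args[1:]
    return args


def triage_plist(name: str, data: bytes) -> Dict[str, Any]:
    """Parse one plist (XML or binary) and collect the reasons it deserves a look."""
    plist = plistlib.loads(data)
    argv = launch_command(plist)
    program = argv[0] if argv else ""
    reasons: List[str] = []
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if plist.get("KeepAlive"):  # may be a bool or a dict of conditions; either is notable
        reasons.append("KeepAlive")
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {program}")
    if Path(program).name in INTERPRETERS:
        reasons.append(f"interpreter as program: {Path(program).name}")
    for arg in argv[1:]:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"argument in user-writable path: {arg}")
    return {"file": name, "label": plist.get("Label", ""), "argv": argv, "reasons": reasons}


def triage_directory(directory: Path) -> List[Dict[str, Any]]:
    """Run triage_plist over every *.plist in a directory such as ~/Library/LaunchAgents."""
    return [triage_plist(p.name, p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


# Constructed sample: an updater installed under /Applications with a timer, nothing to flag.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed sample: an Apple-looking label that runs a script from the home directory at login.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.system.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/perl</string>
    <string>/Users/demo/.client</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for name, data in (("benign.plist", SAMPLE_BENIGN), ("suspicious.plist", SAMPLE_SUSPICIOUS)):
        result = triage_plist(name, data)
        flag = "REVIEW" if result["reasons"] else "ok"
        print(f"{flag:6} {result['file']} label={result['label']} argv={result['argv']}")
        for reason in result["reasons"]:
            print(f"       - {reason}")
```

On a live system, call triage_directory(Path.home() / "Library/LaunchAgents") and the /Library/LaunchAgents and /Library/LaunchDaemons directories, then run codesign -dvvv on each flagged program as the Certificates entry above suggests. Absence of reasons is not a clean bill of health; the prefix lists are deliberately coarse so that anything unusual is surfaced for a human rather than silently accepted.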
Cheatsheet based on Patrick Wardle's talk: "Offensive Malware Analysis: Dissecting OSX FruitFly"

Last active: July 25, 2018 14:14