40
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 11 Feb 2024
40 points (100.0% liked)
Technology
37739 readers
565 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
Most of the IR that I do is within corporate production environments, so I can answer this with the tools I would use for Linux incident response, but there will be areas like Kernel Extensions that are MacOS-specific, which I don't have IR experience in, and can't speak to. Assume that sudo permissions are required for these.
Also note that I'm not including commands to look for active user intrusions (e.g. ssh keys, new users, sudoer edits, etc), just binary implantation like malware. Active human intrusion blows up the amount of places and things to check for, and for regular users who don't have regulatory reporting requirements, you're better off just restoring from a backup.
ps aux
: This lists all processes running under all users, not attached to a terminal session. This is a static list, unlike the live-updating list you get withtop
lsof -b -c
|-u
|-p -R
: This lists open files. You can specify process names, PIDs, usernames, and more, to filter on. If you filter on PID, include the-R
argument to get the parent process info for that process.lsof -i
: This lists open files that have an active network port.netstat -antv -p tcp
: It's important to note that on MacOS, netstat doesn't perform like it does on Linux (e.g. it won't give you process names), so you need to use the Mac-specific flags for it like these, and you'll need to combine that withlsof
orps
to get more info about the processes.There is apparently also a tool made by Apple called
sysdiagnose
that you can run to basically do a large-scale debug dump of your system, including lots of data about applications and processes. I can't claim any personal experience with this, but this guide (and part 2 here) go into using it to hunt for malware.