
macOS Security

Read plist files

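# Pretty-print a property list (binary or XML) as readable text.
# Replace /path/to/file.plist with the target file; the angle-bracket
# placeholder in the original would be parsed as a shell redirection.
# sudo is only needed when the current user cannot read the file.
sudo plutil -p /path/to/file.plist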

Quarantine events

List all files downloaded from the Internet (this works for browser downloads but not for wget, curl, etc.).

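# Dump the LaunchServices quarantine database: one row per quarantined
# (Internet-sourced) file, with the downloading agent, source URL and time.
# Replace `user` with the account under investigation.
#
# LSQuarantineTimeStamp counts seconds from 2001-01-01 (Core Data epoch);
# adding 978307200 converts it to the Unix epoch. datetime() keeps the time
# of day (date() dropped it). DISTINCT replaces the original `sort -u`,
# which re-sorted the output and so undid the ORDER BY in the query.
# If sqlite3 reports the DB as locked, copy it elsewhere first and query
# the copy.
sqlite3 "/Users/user/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2" \
  'SELECT DISTINCT LSQuarantineAgentName,
          LSQuarantineDataURLString,
          datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") AS downloadedDate
   FROM LSQuarantineEvent
   ORDER BY downloadedDate' \
  | grep '|' --color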

Install history

List applications with their installation dates.

# Print the system install history (package name, version, install date)
# from the receipts database; readable without elevated privileges.
plutil -p "/Library/Receipts/InstallHistory.plist"

Most Recently Used (MRU)

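# Shared file lists are the store behind the per-app "recent documents"
# entries. Replace `user` with the account under investigation.
# The original first line had the directory spelled com/apple/sharedfilelist;
# the real directory name is dotted (com.apple.sharedfilelist), matching the
# second line. Paths are quoted because they contain a space.
ls -lah "/Users/user/Library/Application Support/com.apple.sharedfilelist/"
ls -lah "/Users/user/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/"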

Command line history

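# Shell history for every local account and for root.
# zsh has been the default login shell since macOS 10.15, so .zsh_history and
# the per-session files under .zsh_sessions/ are the primary sources; older
# or bash-using accounts still keep .bash_history. root's files live under
# /private/var/root. Other users' home directories are normally not readable
# by an ordinary account, so run with sudo throughout.
sudo cat /Users/*/.zsh_history
sudo cat /Users/*/.zsh_sessions/*
sudo cat /Users/*/.bash_history
sudo cat /private/var/root/.zsh_history
sudo cat /private/var/root/.bash_history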

Check applications

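# /var/db/locationd/clients.plist lists the clients known to Location
# Services (locationd) and their authorisation state. `ack --passthru`
# prints every line and only highlights the match, so the whole plist is
# still shown. -i makes the match case-insensitive so the bundle-path key
# is highlighted regardless of how it is capitalised in the plist.
# ack is not installed by default; an equivalent with grep is
#   ... | grep --color=always -iE 'bundlepath|$'
sudo plutil -p /var/db/locationd/clients.plist | ack -i --passthru 'bundlepath'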

Admin group

# Membership of the local admin group, read straight from the local
# directory-services node (root required).
sudo plutil -p "/private/var/db/dslocal/nodes/Default/groups/admin.plist"

Low-hanging-fruit persistence locations

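# Start up / login items. The launchd disabled.*.plist files record which
# services have been disabled (per user); StartupItems is a legacy mechanism
# but still worth a glance on older systems.
/var/db/com.apple.xpc.launchd/disabled.*.plist
/System/Library/StartupItems

# Scheduled tasks: crontabs, at(1) jobs and the periodic scripts.
/private/var/at/tabs/
/usr/lib/cron/jobs/
/etc/periodic/

# launchd daemons and agents. The /System paths are SIP-protected and rarely
# modified; the /Library and per-user ~/Library paths are writable by admins
# (or the user) and are where persistence usually turns up, so check those
# first.
/System/Library/LaunchDaemons/*.plist
/System/Library/LaunchAgents/*.plist
/Library/LaunchDaemons/*.plist
/Library/LaunchAgents/*.plist
~/Library/LaunchAgents/*.plist

# Shell startup files, executed when a zsh is spawned. ~/.zshrc runs for
# interactive shells; .zshenv runs for every zsh invocation, including
# scripts. Check each user's home and the system-wide /etc copies.
~/.zshenv
~/.zprofile
~/.zshrc
~/.zlogin
/etc/zshenv
/etc/zprofile
/etc/zshrc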

FleetDM - osquery

ATC (auto table construction)

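---
# Fleet agent options (the indentation was lost in the original listing and
# is restored here). Top-level keys: `config` is the osquery configuration
# pushed to hosts, `overrides` carries per-platform configuration, and
# `command_line_flags` holds flags that Fleet's installer applies.
config:
  options:
    disable_audit: false
    disable_events: false
    pack_delimiter: /
    host_identifier: uuid
    logger_tls_period: 10
    audit_allow_config: true
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    # NOTE(review): Endpoint Security and audit process events only work
    # where the osquery build and its entitlements allow it — confirm on the
    # target deployment, otherwise these two settings are silently inert.
    disable_endpointsecurity: false
    audit_allow_process_events: true
    distributed_tls_max_attempts: 3
  decorators:
    # Columns appended to every result row so logs can be tied to a host.
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;

overrides:
  platforms:
    # NOTE(review): confirm whether Fleet merges a platform override with
    # `config` or replaces it wholesale; if it replaces, darwin hosts lose the
    # options and decorators above and those need repeating here.
    darwin:
      # Auto table construction: each entry exposes a SQLite DB on the host
      # as an osquery table. `%` in a path matches any directory component,
      # so /Users/%/ covers every user's home.
      auto_table_construction:
        # NOTE(review): `value` and `encrypted_value` are session cookies,
        # i.e. credentials. Shipping them into the Fleet log pipeline is a
        # data-exposure risk; consider selecting only host_key unless the raw
        # values are genuinely needed.
        slack_cookie:
          path: '/Users/%/Library/Application Support/Slack/Cookies'
          query: 'SELECT host_key, value, encrypted_value FROM cookies'
          columns:
            - host_key
            - value
            - encrypted_value
        # Same LaunchServices quarantine DB as the sqlite3 one-liner above;
        # LSQuarantineTimeStamp is exposed raw (seconds since 2001-01-01).
        quarantine_items:
          path: '/Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
          query: >-
            SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as
            agent_name, LSQuarantineAgentBundleIdentifier as
            agent_bundle_identifier, LSQuarantineTypeNumber as type,
            LSQuarantineDataURLString as data_url,LSQuarantineOriginURLString as
            origin_url, LSQuarantineSenderName as sender_name,
            LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp
            as timestamp from LSQuarantineEvent
          columns:
            - id
            - type
            - agent_name
            - agent_bundle_identifier
            - timestamp
            - sender_name
            - sender_address
            - origin_url
            - data_url
        # TCC.db holds privacy grants: `service` is the permission (camera,
        # full disk access, ...) and `client` the requesting bundle. The
        # per-user DB and the system DB are separate files.
        # NOTE(review): the osquery binary presumably needs Full Disk Access
        # itself to open these — verify on a managed host.
        tcc_user_entries:
          path: '/Users/%/Library/Application Support/com.apple.TCC/TCC.db'
          query: 'SELECT service, client, last_modified FROM access'
          columns:
            - service
            - client
            - last_modified
        tcc_system_entries:
          path: '/Library/Application Support/com.apple.TCC/TCC.db'
          query: 'SELECT service, client, last_modified FROM access'
          columns:
            - service
            - client
            - last_modified

command_line_flags: {}  # requires Fleet's osquery installer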