How We Worklet: IR Scripting

Incident response is hard. There are a million things you need to identify, locate, and grab from an infected machine. And attackers can use various tactics, techniques, and procedures (TTPs) to compromise a system or enterprise. On top of that, there are a ton of tools and commands you can use to identify malicious activity. Where to start?

In this video, Automox's Marina Liang shares an Incident Response Scripting Worklet that serves as a jumping-off point for grabbing relevant output that an incident responder (or the one-person IT shop who wears a lot of hats) can investigate. Follow along to learn how to automate this task to free up time for the responders on your team.

Video Transcript:

Hi. Welcome to the second installment of this is How We Worklet. My name is Marina Lang. I am a Senior Security Engineer here at Automox. Um, previously I was a threat analyst and a threat researcher for an EDR vendor. And today we're going to dive into a Worklet that I wrote that focuses on uh gathering IR data for macOS.

So first off, I'm just gonna go ahead and walk through what this Worklet does and go through each line of code and then I'll show you a quick demo. So, let's go ahead and get started.

So you'll see it in your console um as a Worklet, but for now, I have it as a test policy. It is called macOS by our Worklet. Alright. And here we’ll go through a quick synopsis.

So, you have a couple of options on how to run this. So in my mind, you'd run an ad hoc if you had any, you know malware outbreak or any incidents or triage of a suspected infected macOS laptop, you could actually extend this to run on a daily basis if you want very detailed logging. Um just to have a baseline. So what the script is doing is it's looking for processes running network telemetry, browser history, various logs, and databases. So, you could have it as a very granular baselining on a daily basis.

Keep in mind it is a lot of logs. So, how I have designed it is just for the ad hoc. Hey, you know, and user x might have downloaded malware um or some incident happened on this machine so I'm going to run it but you can schedule it so if you do um have it scheduled you can totally change this up. I have it um If it already ran you don't need to run it again but you're welcome the change of the logic here. It does create timestamps per run that way in the same text file, you'll see the different um dates and times and then the output of various commands.

So, for the actual meat and potatoes of the script, you have the remediation code. Um Keep in mind that this will not be the end, all be all of all possible artifacts. Right? Um depending on where the investigation takes you you might have to look at other folders, look at other logs, or look in other products um for that data but this should serve as a good starting point for your investigation. And I wrote that little nice disclaimer there also um it will extract. I'm sorry. It will zip up the relevant output files in a zip format for your extraction.

Okay. So, first off because Automox runs as root, I have it set to look for the current logged in user since we'll be looking at user directories for some of these files um some output into Automox when you're running this you'll mostly see the um any errors and any logging in the audit log after, you run the actual work light, which I'll show you afterward.

So here, um we're looking at the date. Right, just for our own note-taking um what are logged-in users currently to that machine. So if there's, you know, some strange um guest account and they're logged in, that could be something suspicious. We're looking at all the demons on this machine, We're also looking to see log-in frequency, so maybe, you know, Sally logs into this machine uh 10 times. And then all of a sudden we see like guest account logged in yesterday, right, when the um incident occurred, that'd be something to investigate what are the currently running processes.

Um, you can totally slice and dice this further, but looking for any anomalous names, Attackers do like to masquerade themselves as a seemingly benign process or an OS-specific process. So it would be helpful to look for processes that are running from suspicious paths or from alternate paths.

So, let's just say you have a Mac-specific executable um and it's supposed to be out of a certain directory. So looking for anything outside of that directory um could be, you know, the attacker masquerading to try to evader defenses. So here just parses out those processes and prints them for you and adds them to a text file as for network telemetry. Um, we are looking at your config a net stat of your current network snapshot and LSOF, and of course, your art tables to see. Um, It would be actually really interesting if you did run this on a regular basis like daily et cetera to see when entries were added to your ARP table. You would see like, you know today it was something, and the next day the entry was added right? So it would be able to triangulate that bash history, This is great.

Um, it just shows all the commands that we run to keep in mind unfortunately if the attacker is still active and they didn't like to exit the terminal or their session then I'm pretty sure the history isn't saved so it does um have its downfall there but still super helpful. Um If they did exit their session or their terminal you could still capture glimpses of the commands that they ran here. We're just looking at miscellaneous security key chains um and trust settings, There could be some valuable information there.

Um, here I decided to pinpoint specific environment variables. You can totally just dump all of them. Um, I thought the path variable and also um the deliberate insert libraries so if for those that are unaware um these are kind of similar to the equivalent of LD preload on Linux.

So there are no entries here by default. So if they exist that is highly suspicious and definitely requires Investigation, other persistence mechanisms um we're looking at a Cron tab. Right. We're looking at tasks or at jobs um looking at any of the drivers. the text drivers here. I'm looking for anything outside of Apple drivers because I think that's super interesting. You could have 3rd party um text drivers pop up but that's subject to further investigation. If you don't want to limit it, then obviously you don't have to use this crap statement I used here and just output all of them. Yeah.

And I mentioned it here, Hidden files. This is a great way for attackers to hide themselves. Right? So if a lay end-user just went to the finder, they would not see these files pop up, they would have to run um additional commands to see it. Usually, they're prefixed by like a period um to hide themselves. Keep in mind I just put just a placeholder directory, you can change this to whatever directories are in question. Okay, there are a ton of logs. Um, this script doesn't grab all of the logs.

There's a great tool called Syst Diagnose that will it takes a little while but it'll grab the relevant logs um off of your apple machines so you can feel free to use that. But here's some I'm grabbing some of the system logs and various other logs. Okay, so we're looking at browsers, I did not grab every single possible browser but I went for the usual suspects. Um Safari just because it's on your Mac out of the box, we're pulling the history DB and the downloads P list on google chrome.

Um, so I read that in order for google chrome to fully have this data that we're looking for, you actually do have to exit from it in order to grab this. So here I have a warning to the admin that we will have to kill off google chrome. Um, I'll give you 10 seconds so you can change this to longer, but it will automatically kill it for you.

And then here we're pulling the history information which is super valuable to see what the user browsed in case they did download malicious software from a specific euro. Um, you can navigate to that. I have a similar logic for Brave right? It's a chromium-based browser and um let me explain this. So within Brave, there's a directory per extension.

So it might look like gobbledygook because it's not like oh this is the adblocker extension. No, it's like some um very unique. I think it's an uh unique ID. So, I found that if you just take that ID and append it to in a URL that I figured out it will redirect you to the actual um the extension you are all where they downloaded from. So here I just have this uh piped to talk and the variable of the extension 90 appended to this URL so it's in this text file so you can peruse all the extensions they had installed on Brave and they can figure out in case they downloaded a malicious extension. Right? It's fake or compromised, helpful information.

Okay. Firefox. So the most interesting I think from a forensic perspective um file is the places dot sequel light file um, so I'm copying that again I put here if you want to look at all of the things you're welcome to do that. Um but I think the place is not equal, it is the best first place to look.

Okay, so that's a lot of information. What I'm doing here is zipping up all this data. We're compressing that and it will be named computer name and timestamp dot zip and this will output it to um your desktop so you can go ahead and grab it there and have your analysts have your SOC team take a look.

So this is super straightforward to run. Um and before I forget um when I was writing this Worklet I kind of was writing it from scratch and a friend turned me to this macOS IR book written by Jeron Bradley. So I borrowed this part from his script so shout out to him. His book was super helpful. I had to speed read it in time to finish writing this Worklet.

Cool. So let's go ahead and um show you what it does. For the purposes of this demo, I won't have it kill off my browsers because I need to preserve it but I ran it right before and Sorry about that. If we go to... please.

The second macOS I Worklet and then your policy activity log. So this is my machine. Um, I added some helpful tidbits, right? So running the IR collection, enumerating users, statement information, running processes so it just gives you an output of everything it's doing, right? It gives you a warning.

You have 10 seconds to exit chrome or brave and then it creates a zip of the gathered data. Um So from here let me just go ahead and pivot to my desktop. Okay so you can see on my desktop there is a zip of all the relevant data. So if I expand this um here I extracted it you can see here's all the information. So the system logs my browser information, my brave extensions. I can run through a couple of these. So here I pulled all the system logs off my machine. Ah, you can see I don't have any brave extensions here. Um, history files for chrome places dot sequel, light Safari. Here's the history DB, downloads, p list, etcetera. Right?

And then like text files for the various um commands that we ran. So this is great. You can just go ahead and concisely grab all that information off of this machine and you're good to go to start your investigation on this mapquest. So I hope you found this helpful. Um
I actually have a background more on Windows.

So it was a fun and tiring challenge to figure out how to run all these commands on back to look
for all the different um, places that we can gather IR information, all the different persistence mechanisms on macOS. So definitely a work in progress. This is the one. Um, if you have any suggestions, I'd be happy to hear them as well. Um, but I hope you found this helpful. Um, it's a great way to automate grabbing this information off of a machine, especially during an incident. Right?

You'll be kind of in a panic mode and you might not remember Specific commands or specific directories. So this is a great starting point. It takes, you know, 30 seconds to pull all this information, and then you can go ahead and extract that from the machine and then start parsing away um, in probably future versions.

Right? Since this is the one, I'd probably add additional parsing to pull out interesting artifacts. But it's definitely a time saver. Instead of having, you know, 23 analysts looking at this data, you can just Have one analyst click run and then pull that information within 30 seconds. So thanks for tuning in and um hope to see you at the next This is How we Worklet. Thank you.