top of page

Investigating macOS Persistence :macOS stores extensive configuration data in: Key Artifacts, Launch Daemons, and Forensic Strategies"


 Let’s explore the common file system artifacts investigators need to check during incident response (IR).


----------------------------------------------------------------------------------------------


1. Commonly Abused Files for Persistence

Attackers often target shell initialization files to maintain persistence by modifying the user’s environment, triggering scripts, or executing binaries.


Zsh Shell Artifacts (macOS default shell since Catalina)

  1. Global Zsh Files:


    • /etc/zprofile: Alters the shell environment for all users, setting variables like $PATH. Attackers may modify it to run malicious scripts upon login.

    • /etc/zshrc: Loads configuration settings for all users. Since macOS Big Sur, this file gets rebuilt with system updates.

    • /etc/zsh/zlogin: Runs after zshrc during login and often used to start GUI tools.


  2. User-Specific Zsh Files: Attackers may also modify individual user shell files located in the user’s home directory (~):

    • ~/.zshenv (optional)

    • ~/.zprofile

    • ~/.zshrc

    • ~/.zlogin

    • ~/.zlogout (optional)


    User History

    • ~/.zsh_history

    • ~/.zsh_sessions (directory)

These files are loaded in sequence during login, giving attackers multiple opportunities to run malicious code.


Note :During IR collection it is advised to check all the files (including ~/.zshenv & ~/.zlogout if they are present) to check for signs of attacker activity

----------------------------------------------------------------------------------------------


2. User History Files

Tracking a user’s shell activity can provide valuable insights during an investigation. The .zsh_history file logs the commands a user entered into the shell. By default, this file stores the last 1,000 commands, but the number can be configured via SAVEHIST and HISTSIZE in /etc/zshrc.


  • Important Note: The history file is only written to disk when the session ends. During live IR, make sure active sessions are terminated to capture the latest data.

  • Potential Manipulation: Attackers may selectively delete entries or set SAVEHIST and HISTSIZE to zero, preventing commands from being logged.


Another place to check is the .zsh_sessions directory. This folder stores session and temporary history files, which may contain overlooked data.


----------------------------------------------------------------------------------------------


3. Bash Equivalents

For systems where Bash is in use (either as an alternative shell or legacy setup), investigators should review the following files, which serve the same purpose as their Zsh counterparts:


  • ~/.bash_history

  • ~/.bash_profile

  • ~/.bash_login

  • ~/.profile

  • ~/.bashrc

  • ~/.bash_logout


Attackers can modify these files to achieve persistence or hide their activity.


----------------------------------------------------------------------------------------------


4. Installed Shells

It's not uncommon for users to install other shells. To verify which shells are installed, check the /etc folder, and look at the user's home directory for history files. If multiple shells have been installed, you may find artifacts from more than one shell.

----------------------------------------------------------------------------------------------


5. Key File Artifacts for User Preferences

macOS stores extensive configuration data in each user’s

~/Library/Preferences

Some of these files are particularly useful during an investigation.


Browser Downloads:

  • Quarantine Information: Found in the


com.apple.LaunchServices.QuarantineEventsV*

SQLite database, this file logs information about executable files downloaded from the internet, including URLs, email addresses, and subject lines.


Recently Accessed Files:

  • macOS Mojave and earlier:

com.apple.RecentItems.plist.
  • macOS Big Sur and later:

com.apple.shared.plist 

Finder Preferences:

com.apple.finder.plist 

file contains details on how the Finder app is configured, including information on mounted volumes.


Keychain Preferences:

 com.apple.keychainaccess.plist 

file logs keychain preferences and the last accessed keychain, which can provide clues about encrypted data access.

Investigation Note: Be aware that attackers can modify or delete these files, and they may not always be present.

----------------------------------------------------------------------------------------------


macOS Common Persistence Mechanisms

Attackers use various strategies to maintain persistence on macOS systems, often exploiting system startup files or scheduled tasks.


1. Startup Files

Attackers frequently modify system or user initialization files to add malicious scripts or commands. These files are read when the system or user session starts, making them a common target.


2. Launch Daemon (launchd)

The launchd daemon controls services and processes triggered during system boot or user login. While it’s used by legitimate applications, attackers can exploit it by registering malicious property list (.plist) files or modifying existing ones to point to malicious executables.


Investigating launchd on a Live System:

You can use the launchctl command to list all the active jobs:

launchctl list

This command will show:

  • PID: Process ID of running jobs.

  • Status: Exit status or the signal that terminated the job (e.g., -9 for a SIGKILL).

  • Label: Name of the task, sourced from the .plist file that created the job.


Investigating launchd on Disk Images:

The launchd process is owned by root and normally runs as PID1 on a system. It is the only process which can’t be killed while the system is running. This allows it to create jobs that can run as a range of user accounts. Jobs are created by property list (plist) files in specific locations, which point to executable files. The launchd

process reads the plist and launches the file with any arguments or instructions as set in the plist.


To analyze launchd in a system image or offline triage:


  • Privileged Jobs: Check these folders for startup tasks that run as root or other users:

/Library/LaunchAgents: Per-user agents for all logged-in users, installed by admins.
/Library/LaunchDaemons: System-wide daemons, installed by admins.
/System/Library/LaunchAgents: Apple-provided agents for user logins.
/System/Library/LaunchDaemons: Apple-provided system-wide daemons.

  • User Jobs: Jobs specific to individual users are stored in:

/Users/(username)/Library/LaunchAgents

3. Cron Tasks

Similar to Linux systems, cron manages scheduled tasks in macOS. Attackers may create cron jobs that trigger the execution of malicious scripts at regular intervals.


----------------------------------------------------------------------------------------------


Workflow for Analyzing Launchd Files

When investigating launchd persistence, use this methodical approach:


  1. Check for Unusual Filenames: Look for spelling errors, odd filenames, or files that imitate legitimate names. Start in the /Library/LaunchAgents and /Library/LaunchDaemons folder.

  2. Sort by Modification Date: If you know when the incident occurred, sort the .plist files by modification date to find any changes made around the attack.

  3. Analyze File Contents: Check the Program and ProgramArguments keys in each .plist file. Investigate any executables they point to.

  4. Validate Executables: Confirm if the executables are legitimate by checking their file hashes or running basic forensic analysis, such as using the strings command or full reverse engineering.

----------------------------------------------------------------------------------------------


Final Thoughts

When investigating a macOS system, checking these file system artifacts is crucial. From shell initialization files that may be altered for persistence to history files that track user activity, these files provide a window into the state of the system. By examining user preferences and quarantine data, and Persistence Mechanisms you can further uncover potential signs of compromise or abnormal behavior.


Akash Patel



29 views0 comments

Comments


bottom of page