Let’s explore the common file system artifacts investigators need to check during incident response (IR).
----------------------------------------------------------------------------------------------
1. Commonly Abused Files for Persistence
Attackers often target shell initialization files to maintain persistence by modifying the user’s environment, triggering scripts, or executing binaries.
Zsh Shell Artifacts (macOS default shell since Catalina)
Global Zsh Files:
/etc/zprofile: Alters the shell environment for all users, setting variables like $PATH. Attackers may modify it to run malicious scripts upon login.
/etc/zshrc: Loads configuration settings for all users. Since macOS Big Sur, this file gets rebuilt with system updates.
/etc/zsh/zlogin: Runs after zshrc during login and often used to start GUI tools.
User-Specific Zsh Files: Attackers may also modify individual user shell files located in the user’s home directory (~):
~/.zshenv (optional)
~/.zprofile
~/.zshrc
~/.zlogin
~/.zlogout (optional)
User History
~/.zsh_history
~/.zsh_sessions (directory)
These files are loaded in sequence during login, giving attackers multiple opportunities to run malicious code.
Note :During IR collection it is advised to check all the files (including ~/.zshenv & ~/.zlogout if they are present) to check for signs of attacker activity
----------------------------------------------------------------------------------------------
2. User History Files
Tracking a user’s shell activity can provide valuable insights during an investigation. The .zsh_history file logs the commands a user entered into the shell. By default, this file stores the last 1,000 commands, but the number can be configured via SAVEHIST and HISTSIZE in /etc/zshrc.
Important Note: The history file is only written to disk when the session ends. During live IR, make sure active sessions are terminated to capture the latest data.
Potential Manipulation: Attackers may selectively delete entries or set SAVEHIST and HISTSIZE to zero, preventing commands from being logged.
Another place to check is the .zsh_sessions directory. This folder stores session and temporary history files, which may contain overlooked data.
----------------------------------------------------------------------------------------------
3. Bash Equivalents
For systems where Bash is in use (either as an alternative shell or legacy setup), investigators should review the following files, which serve the same purpose as their Zsh counterparts:
~/.bash_history
~/.bash_profile
~/.bash_login
~/.profile
~/.bashrc
~/.bash_logout
Attackers can modify these files to achieve persistence or hide their activity.
----------------------------------------------------------------------------------------------
4. Installed Shells
It's not uncommon for users to install other shells. To verify which shells are installed, check the /etc folder, and look at the user's home directory for history files. If multiple shells have been installed, you may find artifacts from more than one shell.
----------------------------------------------------------------------------------------------
5. Key File Artifacts for User Preferences
macOS stores extensive configuration data in each user’s
~/Library/Preferences
Some of these files are particularly useful during an investigation.
Browser Downloads:
Quarantine Information: Found in the
com.apple.LaunchServices.QuarantineEventsV*
SQLite database, this file logs information about executable files downloaded from the internet, including URLs, email addresses, and subject lines.
Recently Accessed Files:
macOS Mojave and earlier:
com.apple.RecentItems.plist.
macOS Big Sur and later:
com.apple.shared.plist
Finder Preferences:
com.apple.finder.plist
file contains details on how the Finder app is configured, including information on mounted volumes.
Keychain Preferences:
com.apple.keychainaccess.plist
file logs keychain preferences and the last accessed keychain, which can provide clues about encrypted data access.
Investigation Note: Be aware that attackers can modify or delete these files, and they may not always be present.
----------------------------------------------------------------------------------------------
macOS Common Persistence Mechanisms
Attackers use various strategies to maintain persistence on macOS systems, often exploiting system startup files or scheduled tasks.
1. Startup Files
Attackers frequently modify system or user initialization files to add malicious scripts or commands. These files are read when the system or user session starts, making them a common target.
2. Launch Daemon (launchd)
The launchd daemon controls services and processes triggered during system boot or user login. While it’s used by legitimate applications, attackers can exploit it by registering malicious property list (.plist) files or modifying existing ones to point to malicious executables.
Investigating launchd on a Live System:
You can use the launchctl command to list all the active jobs:
launchctl list
This command will show:
PID: Process ID of running jobs.
Status: Exit status or the signal that terminated the job (e.g., -9 for a SIGKILL).
Label: Name of the task, sourced from the .plist file that created the job.
Investigating launchd on Disk Images:
The launchd process is owned by root and normally runs as PID1 on a system. It is the only process which can’t be killed while the system is running. This allows it to create jobs that can run as a range of user accounts. Jobs are created by property list (plist) files in specific locations, which point to executable files. The launchd
process reads the plist and launches the file with any arguments or instructions as set in the plist.
To analyze launchd in a system image or offline triage:
Privileged Jobs: Check these folders for startup tasks that run as root or other users:
/Library/LaunchAgents: Per-user agents for all logged-in users, installed by admins.
/Library/LaunchDaemons: System-wide daemons, installed by admins.
/System/Library/LaunchAgents: Apple-provided agents for user logins.
/System/Library/LaunchDaemons: Apple-provided system-wide daemons.
User Jobs: Jobs specific to individual users are stored in:
/Users/(username)/Library/LaunchAgents
3. Cron Tasks
Similar to Linux systems, cron manages scheduled tasks in macOS. Attackers may create cron jobs that trigger the execution of malicious scripts at regular intervals.
----------------------------------------------------------------------------------------------
Workflow for Analyzing Launchd Files
When investigating launchd persistence, use this methodical approach:
Check for Unusual Filenames: Look for spelling errors, odd filenames, or files that imitate legitimate names. Start in the /Library/LaunchAgents and /Library/LaunchDaemons folder.
Sort by Modification Date: If you know when the incident occurred, sort the .plist files by modification date to find any changes made around the attack.
Analyze File Contents: Check the Program and ProgramArguments keys in each .plist file. Investigate any executables they point to.
Validate Executables: Confirm if the executables are legitimate by checking their file hashes or running basic forensic analysis, such as using the strings command or full reverse engineering.
----------------------------------------------------------------------------------------------
Final Thoughts
When investigating a macOS system, checking these file system artifacts is crucial. From shell initialization files that may be altered for persistence to history files that track user activity, these files provide a window into the state of the system. By examining user preferences and quarantine data, and Persistence Mechanisms you can further uncover potential signs of compromise or abnormal behavior.
Akash Patel
Comments