Using Mac OSXCollector with Splunk

I admit, the first time I had the opportunity to switch my work PC to a Mac, I jumped at it. However, I quickly regretted it. I was in a management job that was largely a race against the clock to handle emails, create powerpoints and massage spreadsheets. The learning curve wasn’t fitting into my schedule.

However, in my next job, I had more opportunity to be technical and that’s where I fell in love with the Mac. It’s a great platform for technical work and don’t get me started on the multi-media, digital audio, wonderland that it is… But I digress!  We are here to talk about Mac Incident Response and OSXCollector.

When responding to a security incident we often want to quickly collect a wide array of data to verify the integrity of the targeted machine. This includes:

  • Volatile system state data (what’s the machine’s situation right now?). This is best handled by memory forensics and/or interactive commands. My tools of choice if I have physical access to the computer are found here.
  • Recent time-based data (what happened recently on this machine?). For this, we need logs, some system files, and other time-based artifacts.

The internet abounds with IR collection scripts that help answer these questions for victim Windows machines, but the field narrows when it comes to Macs. In such a narrow field OSXCollector (created by the DFIR ninjas at Yelp) stands out as one of the best.

It largely focuses on the historical data (what happened recently?), but it excels in that regard!

SO, HOW DO YOU WORK THIS THING?!

Running the collection is super simple!


While OSXCollector pulls various system logs which are useful for incident response and forensics purposes, the main benefit of this tool is what it pulls together from the hundreds of plist files which OS X uses to record settings and historical events. You will find a rather large JSON file in the output directory which contains all this goodness. Your next task is figuring out what’s in there.

TARGETED SEARCHING

If you have a particular indicator (e.g. suspicious domain name, malicious filename, etc), you can simply use strings/grep/findstr to search the JSON file for it. Here are some examples (NOTE: I use GnuWin32 on Windows OS, so the quotes may be different than normal unix syntax):

  • Report all unique SHA1s (with a count of how often each appears):
    • cat osxcollect-2018_07_10-16_18_28.json | jq '.sha1?' | sort | uniq -c
  • List the bundle IDs of loaded kernel extensions (kext section), dropping records without one:
    • jq 'select(.osxcollector_section=="kext").osxcollector_bundle_id' osxcollect-2018_07_10-16_18_28.json | grep -v null | more

FIND EVIL EXPLORATION

If you aren’t sure what you’re looking for (e.g. the case calls for checking for unauthorized software or anomalies which could be malware persistence mechanisms) you will want to be familiar with the structure of the data in the JSON file.

DATA-VIZ

While grep and jq are handy for JSON, I don’t think anyone will argue they are user-friendly. I am lucky enough to have access to a Splunk instance which allows more than 500MB of data per day (the limit on the free version). Splunk likes JSON and this particular JSON file does very well with Splunk’s automatic parsing logic. So I like to put the JSON file in there to look around. If you have access to an ELK Stack this may be another good option. I used Splunk’s Sankey diagram visualization to start to get a feel for what kinds of data are in this gigantic file.


As you can see, there are two high-level categories: osxcollector_section and osxcollector_subsection. There are various “subsection” fields within each of the “sections” and a few “subsections” which appear in multiple “sections.”

The appearance of the graph might differ somewhat based on the behavior of the subject user (e.g. this user appears to have not used Chrome very much; if they were a heavy Chrome user, we might see a thicker line for Chrome and perhaps a line from Chrome to the “Downloads” block in the middle).

Note the “Mail” section was omitted because there are no subsections and it blew up the graph because it was really large. However, it is a treasure trove of information about emails which is likely to be important in many IR situations.


The following simple Splunk query built the graph above.
SplunkFu: source="*osxcollect-2018_07_10-16_18_28.json" | stats count by osxcollector_section osxcollector_subsection
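As an added illustration (not code from this post or from the OSXCollector project), the script below reproduces the jq and Splunk queries above in Python over constructed OSXCollector-style records: the section/subsection count behind the Sankey graph, the unique-SHA1 tally, the kext bundle-id select, and a Splunk-style field filter where field="*" means "has any value". Every record, path, bundle id and hash in SAMPLE_JSONL is made up for the example; only the osxcollector_* field names follow the tool's convention.

```python
import json
from collections import Counter

# Constructed OSXCollector-style output: one JSON record per line, the same
# shape jq and Splunk consume. All values below are invented for this example.
SAMPLE_JSONL = """\
{"osxcollector_section": "kext", "osxcollector_bundle_id": "com.example.driver", "sha1": "1111aaaa"}
{"osxcollector_section": "kext", "osxcollector_bundle_id": null, "sha1": "2222bbbb"}
{"osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "label": "com.example.agent", "program": "/tmp/agent", "sha1": "1111aaaa"}
{"osxcollector_section": "startup", "osxcollector_subsection": "login_items", "file_path": "/Applications/Example.app"}
{"osxcollector_section": "quarantines", "LSQuarantineOriginURLString": "http://example.test/dl", "LSQuarantineDataURLString": "http://example.test/x.dmg"}
{"osxcollector_section": "downloads", "osxcollector_subsection": "downloads", "file_path": "/Users/a/Downloads/x.dmg", "sha1": "2222bbbb"}
"""


def load_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def section_counts(records):
    """Same result as: | stats count by osxcollector_section osxcollector_subsection"""
    return Counter((r.get("osxcollector_section"), r.get("osxcollector_subsection")) for r in records)


def unique_sha1s(records):
    """Same result as: jq '.sha1?' | sort | uniq -c (records without a sha1 are skipped)."""
    return Counter(r["sha1"] for r in records if r.get("sha1"))


def query(records, **terms):
    """Splunk-style filter: field="*" matches any non-null value, anything else is an exact match."""
    def matches(r):
        for field, want in terms.items():
            have = r.get(field)
            if (want == "*" and have is None) or (want != "*" and have != want):
                return False
        return True
    return [r for r in records if matches(r)]


def kext_bundle_ids(records):
    """Same result as the jq select on the kext section, with null bundle ids dropped."""
    return [r["osxcollector_bundle_id"] for r in query(records, osxcollector_section="kext", osxcollector_bundle_id="*")]


if __name__ == "__main__":
    recs = load_records(SAMPLE_JSONL)
    for (section, subsection), n in sorted(section_counts(recs).items(), key=str):
        print(f"{n:4d}  {section} / {subsection}")
    print("sha1 counts:", dict(unique_sha1s(recs)))
    print("kexts:", kext_bundle_ids(recs))
    print("quarantine origins:", [r["LSQuarantineOriginURLString"] for r in query(recs, osxcollector_section="quarantines", LSQuarantineOriginURLString="*")])
```

Point load_records at a real osxcollect-*.json file to run the same checks over actual output.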

Now that we understand the basic structure and boundaries of this data, let’s try a few queries. Below are the best ones I have found to start poking around and hopefully find strange/suspicious items.

SAMPLE SPLUNK QUERIES

Startups

  • launch_agents
    • osxcollector_section=startup | stats count by label program
  • Login Items
    • osxcollector_section=startup osxcollector_subsection=login_items
  • Scripting_additions
    • osxcollector_section=startup osxcollector_subsection=scripting_additions | stats count by file_path

Accounts and Applications

Application Install History

osxcollector_subsection=install_history* osxcollector_section=applications | table displayName processName date | sort -date


All Installed Apps

osxcollector_subsection=install_history* osxcollector_section=applications processName!=softwareupdated | dedup displayName | table displayName | sort displayName

Recent items by Username

osxcollector_section=accounts osxcollector_subsection=recent_items | stats count by document_name osxcollector_username
osxcollector_subsection=recent_items recent_type=* | table application_name document_name host_name host_url recent_type server_name

Downloads

  • osxcollector_section=downloads OR osxcollector_subsection=downloads | table osxcollector_section osxcollector_subsection file_path referrer sha1 signature_chain{} sourcetype xattr-wherefrom{}
  • osxcollector_subsection=downloads | table url site_url tab_url tab_referrer_url referrer current_path


  • LSQuarantineOriginURLString
    • osxcollector_section=quarantines | stats count by LSQuarantineOriginURLString
  • LSQuarantineDataURLString
    • osxcollector_section=quarantines | stats count by LSQuarantineDataURLString

Browser Artifacts

  • Chrome Search Terms
    • osxcollector_table_name=keyword_search_terms | stats count by term osxcollector_section osxcollector_username
  • Chrome autofill Addresses:
    • osxcollector_section=chrome osxcollector_subsection=web_data osxcollector_table_name=autofill_profiles | table street_address zipcode state
  • FireFox TypedUrls
    • osxcollector_table_name=moz_places typed=1 | stats count by url
  • Firefox Favicons
    • osxcollector_subsection=history osxcollector_table_name=moz_favicons url="*" | stats count by url


  • FireFox WebAppStore
    • osxcollector_subsection=webapps_store | stats count by scope
  • FireFox Form History
    • osxcollector_subsection=formhistory | stats count by fieldname value
  • Multi-Browser History
    • osxcollector_subsection=history | TABLE url visit_duration visit_time visit_count title current_path mime_type site_url tab_referrer_url target_path term
  • Multi-Browsers Local Storage
    • osxcollector_subsection=localstorage OR osxcollector_subsection=local_storage key="2FTXlE.chosenVariants" | rex "(?:[^ \n]* ){9}\w+/\w+_(?P<dom>[a-z]+\.[a-z]+\.[a-z]+)"   <<<<this regex needs some help>>>>
  • Multi-Browser Extensions
    • NOT “Not Found” (osxcollector_subsection=addons OR osxcollector_subsection=extension OR osxcollector_subsection=extensions OR osxcollector_subsection=extension_files)

A few other odds and ends

  • Search Terms
    • osxcollector_table_name=keyword_search_terms | stats count by term osxcollector_section osxcollector_subsection
  • Web_data
    • osxcollector_subsection=web_data | TABLE favicon_url short_name suggest_url url image_url new_tab_url alternate_url originating_url keyword value value_lower
  • All events with URLs
    • LSQuarantineDataURLString=* OR LSQuarantineOriginURLString=* OR alternate_urls=* OR favicon_url=* OR image_url=* OR image_url_post_params=* OR instant_url=* OR new_tab_url=* OR suggest_url=* OR url=* OR url_rank=*

Hopefully, this gives you an idea of the power of OSXCollector and a few shortcuts to getting started with analysis. Please comment with suggestions, corrections, or other feedback. Thanks!
