Monday, 24 October 2016

New version of Checkout4Mac (0.2)


What is Checkout4Mac for?

How can you quickly detect recent physical activity on your Mac OS X system? How can you tell whether someone tried, or managed, to get access to the Mac you left in your hotel room while you were at dinner or at a party? By analysing the system logs and the file access dates with shell commands (grep, find, ls, stat, awk, etc.).

A proof of concept in Python, CheckOut4Mac, was developed to automate that search and identify malicious activity from the answers to three questions:
  • On what day did you leave your hotel room? e.g. 22/6
  • At what time did you leave your hotel room? e.g. 22
  • For how long did you leave your hotel room? e.g. 2
Several artefacts are used to answer these questions. You can check them manually, as described here: http://sud0man.blogspot.fr/2015/05/artefacts-for-mac-os-x.html#2
or automatically with the POC: https://github.com/sud0man/checkout4mac
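As an added example (my own code, not the Checkout4Mac script), here is the core of that manual procedure in Python: build the "away" window from the three answers, filter syslog-style lines that fall inside it, tag each hit with one of the activity categories the tool reports, and walk a directory for files whose atime, mtime or ctime fall in the window. The log lines and the files are constructed for the example; the line format is the classic BSD syslog layout of /var/log/system.log on the OS X releases of that era, and the keyword-to-category mapping is an assumption of mine, not the tool's own rules. Because syslog lines carry no year, the year is passed in explicitly.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed sample of BSD-syslog lines in the /var/log/system.log layout
# ("Mon DD HH:MM:SS host process[pid]: message"). Made up for this example,
# not real captured logs.
SAMPLE_LOG = [
    "Jun 22 21:05:11 macbook loginwindow[88]: Login Window Application Started",
    "Jun 22 22:14:37 macbook kernel[0]: USBMSC Identifier (non-unique): 0123456789 0x781 0x5567 0x100",
    "Jun 22 22:15:03 macbook sudo[412]: bob : TTY=ttys000 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/ls /Users",
    "Jun 22 23:40:20 macbook loginwindow[88]: USER_PROCESS: 88 console",
    "Jun 23 00:30:00 macbook airportd[60]: _doAutoJoin: Already associated to 'hotel-wifi'",
    "not a syslog line at all",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Category keywords are an assumption made for this example (first match wins).
# They mirror the post's category names, not the tool's own detection rules.
CATEGORIES = [
    ("STARTUP", re.compile(r"BOOT_TIME|shutdown|reboot", re.I)),
    ("SESSION", re.compile(r"loginwindow|logout|screen.*unlock", re.I)),
    ("PHYSICAL CONNECTION", re.compile(r"\bUSB|IOUSB|Thunderbolt|FireWire", re.I)),
    ("PRIVILEGE ESCALATION", re.compile(r"\bsudo\b|authorization", re.I)),
    ("PERSISTENCE", re.compile(r"LaunchAgents|LaunchDaemons|crontab", re.I)),
    ("NETWORK", re.compile(r"airportd|DHCP|\ben0\b", re.I)),
]


def away_window(day_month, hour, duration_hours, year):
    """Answers '22/6', 22, 2 (with year 2016) -> 2016-06-22 22:00 .. 2016-06-23 00:00."""
    day, month = (int(x) for x in day_month.split("/"))
    start = datetime(year, month, day, int(hour))
    return start, start + timedelta(hours=float(duration_hours))


def parse_syslog_line(line, year):
    """Return (timestamp, process, message) or None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    return ts, m["proc"], m["msg"]


def classify(proc, msg):
    text = f"{proc} {msg}"
    for name, pattern in CATEGORIES:
        if pattern.search(text):
            return name
    return "OTHER"


def extract_activities(lines, start, end, year):
    """Keep only parseable lines whose timestamp lies inside [start, end]."""
    hits = []
    for line in lines:
        parsed = parse_syslog_line(line, year)
        if parsed is None:
            continue
        ts, proc, msg = parsed
        if start <= ts <= end:
            hits.append((ts, classify(proc, msg), proc, msg))
    return hits


def files_touched_in_window(root, start, end):
    """Equivalent of find/stat: files whose atime, mtime or ctime fall in the window."""
    lo, hi = start.timestamp(), end.timestamp()
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or unreadable; skip rather than abort the scan
            stamps = (("atime", st.st_atime), ("mtime", st.st_mtime), ("ctime", st.st_ctime))
            which = [label for label, t in stamps if lo <= t <= hi]
            if which:
                found.append((path, which))
    return found


def build_sample_tree(start):
    """Throwaway directory (constructed data): one file touched 30 minutes into the
    window, one touched two hours before it. os.utime sets atime and mtime only;
    ctime stays 'now', which is outside a 2016 window."""
    root = tempfile.mkdtemp(prefix="checkout4mac_")
    for name, when in (("inside.txt", start + timedelta(minutes=30)),
                       ("outside.txt", start - timedelta(hours=2))):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


if __name__ == "__main__":
    start, end = away_window("22/6", 22, 2, 2016)
    print(f"Away window: {start} -> {end}")
    for ts, cat, proc, msg in extract_activities(SAMPLE_LOG, start, end, 2016):
        print(f"[{cat}] {ts} {proc}: {msg}")
    for path, which in files_touched_in_window(build_sample_tree(start), start, end):
        print(f"[FILE] {path} ({', '.join(which)})")
```

Two caveats a practitioner should keep in mind when doing this by hand: file access times are also updated by Spotlight indexing, backups and antivirus scans, and are not updated at all on volumes mounted noatime, so an atime hit is a lead rather than proof; and macOS Sierra, released the month before this post, moved most system logging to the unified log, so the system.log layout parsed here applies to the El Capitan and earlier systems the post targets.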

HOME MENU

INTERACTIVE MENU

NON-INTERACTIVE MENU

EXTRACTED ACTIVITIES in normal mode

EXTRACTED ACTIVITIES in verbose mode

WHICH ACTIVITIES ARE EXTRACTED?

[] STARTUP ACTIVITIES
[] SESSION ACTIVITIES
[] PHYSICAL CONNECTION ACTIVITIES
[] PRIVILEGE ESCALATION ACTIVITIES
[] APPLICATION ACTIVITIES
[] PERSISTENCE ACTIVITIES
[] NETWORK ACTIVITIES