How can you quickly detect recent physical activity on your Mac OS X system? How can you tell whether someone attempted, or managed, to get access to a Mac left in your hotel room while you were at dinner or a party? By analysing the system logs and file access dates with bash commands (grep, find, ls, stat, awk, etc.) ...
A proof of concept in Python, CheckOut4Mac, has been developed to automate the search and identify malicious activities from 3 questions:
- When did you leave your hotel room? e.g.: 22/6
- At what time did you leave your hotel room? e.g.: 22
- For how long were you away from your hotel room? e.g.: 2
The analysis can be done by hand with the commands above, or automatically with the POC: https://github.com/sud0man/checkout4mac
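The three answers define a time window, and the search comes down to keeping log lines and file timestamps that fall inside it. The sketch below is an added example, not CheckOut4Mac's own code: the function names, the `year` parameter and the sample log lines are assumptions made for illustration, and the log layout assumed is the BSD syslog one (`Mon DD HH:MM:SS host process[pid]: message`).

```python
import os
import re
from datetime import datetime, timedelta

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")

def absence_window(day_month, hour, duration_h, year=None):
    """Turn the answers ('22/6', 22, 2) into [start, end); year defaults to now."""
    day, month = (int(p) for p in day_month.split("/"))
    start = datetime(year or datetime.now().year, month, day, int(hour))
    return start, start + timedelta(hours=float(duration_h))

def log_lines_in_window(lines, start, end):
    """Keep syslog-style lines stamped inside the window (stamps have no year)."""
    hits = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m or m.group(1) not in MONTHS:
            continue
        mon, (d, hh, mm, ss) = MONTHS.index(m.group(1)) + 1, map(int, m.groups()[1:])
        for year in {start.year, end.year}:  # window may span New Year
            try:
                if start <= datetime(year, mon, d, hh, mm, ss) < end:
                    hits.append(line)
                    break
            except ValueError:  # e.g. Feb 29 in a non-leap year
                pass
    return hits

def files_touched_in_window(root, start, end):
    """Return (path, field) pairs whose atime, mtime or ctime is in the window."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable or vanished entry
                continue
            hits += [(path, f) for f in ("st_atime", "st_mtime", "st_ctime")
                     if lo <= getattr(st, f) < hi]
    return hits

SAMPLE_LOG = [  # constructed lines in BSD syslog layout, not real log output
    "Jun 22 21:59:58 host procA[1]: constructed event before leaving",
    "Jun 22 22:41:03 host procB[2]: constructed event during absence",
    "Jun 23 00:00:00 host procC[3]: constructed event after returning",
]
```

With the answers from the list above (22/6, 22, 2) the window runs from 22:00 to midnight, so only the second sample line is kept. Access times can be changed by ordinary background reads, so a hit in `files_touched_in_window` is a lead to examine rather than proof of tampering.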
HOME MENU
INTERACTIVE MENU
NON-INTERACTIVE MENU
EXTRACTED ACTIVITIES in verbose mode
[]STARTUP ACTIVITIES
[]SESSION ACTIVITIES
[]PHYSICAL CONNECTION ACTIVITIES
[]ESCALATION PRIVILEGES ACTIVITIES
[]PERSISTENCE ACTIVITIES