Helpful Navigation Toolbar

Wednesday, March 19, 2014

Announcing OSX Live Response bash script (and updates to Windows Live Response too!)

Good news everyone!! After having some time the past couple of weeks to work on my Live Response automation project, I am happy to announce that a bash script, for running on OSX machines, is available in the latest download! The script focuses on gathering data from the following areas:

BasicInfo

  • date
  • hostname 
  • who 
  • ps auxwww (List of running processes)
  • mount  (Mounted_items)
  • diskutil list 
  • kextstat -l (Loaded kernel extensions)


UserInfo

  • /etc/passwd
  • /etc/group
  • .bash_history
  • .sh_history
  • AddressBookMe.plist


NetworkInfo
  • netstat -an
  • lsof -i 
  • scutil --dns 
  • netstat -rn
  • arp -an
  • ifconfig -a 
  • ifconfig -L
  • /etc/hosts.allow
  • Wifi connections
  • Firewall Configuration
  • NAT Configuration
  • SMB Configuration


PersistenceMechanisms
  • LaunchedLogInItems.plist
  • loginwindow.plist
  • User Launch Agents
  • System Startup Items
  • Library Startup Items
  • System Launch Agents
  • System Launch Daemons
  • Library Launch Agents
  • Library Launch Daemons
  • Application LogIn Items

Logs
  • copying all log files from /var/log/
  • copying all log files from /private/var/log/

The following steps is the methodology that I recommend to run ths script:
  1. Place the script on an external drive
  2. Insert drive to your OSX device
  3. Open Terminal
  4. cd to the device (for example, cd /Volumes/MORANHD01/LiveResponse/OSX_Live_Response)
  5. Run the bash script ("./OSX_Live_Response.sh")
  6. Profit!!

When the script is complete, it will hash the output of all of files (MD5 and SHA256) and store that in a separate text file for your viewing/parsing convenience. The script has not had the extensive testing that the Windows Live Response script (simply because I do not have access to a wide range of OSX systems) but in the testing that has occurred I (and others) have not encountered any issues. If you do, please let me know and I will try to update the script accordingly. If you also have suggestions and/or improvements to the script, please let me know that as well!!



Windows Live Response Update!!

I am also very happy to announce that I have modified the Windows Live Response script as well, it includes the latest version of PEStudio (8.12 as of 19 March 2014). In addition, the output of the script is also stored in a folder structure that makes going through the output a little easier and the collected data is also automatically hashed. I also changed the autorunsc command syntax to produce better results...more on that in my next blog post!




LiveResponseCollection-Cedarpelta.zip - download here 

MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019





(NOTE: The original upload of the OSX script, version 1.3, had a pathing issue that was pointed out to me by Cristina Roura. The download link has changed, as the script has been updated to version 1.4 to fix this issue. It was an oversight on my part as I made the folder output the same for the Windows collection and the OSX collection, but forgot to update the pathing accordingly in the script itself. Also please notice, the hashes of the file have also changed. I am truly sorry for any inconvenience that this may have caused!) 



For the keen observers, you will note there is a "nix" folder in the Live Response zip file. My goal is to get a *nix version of the script working in the very near future so that way you can download the LiveResponse.zip file and have something to deal with any system you may encounter. I have several items on my "To Do" list regarding the script(s) but if you have any ideas or feedback please do not hesitate to let me know!




2 comments:

  1. Brian,

    I see lots of good work in your scripts, are you trusting the targets systems, commands (ipconfig, netstat, date, ect..) ?

    some people recommend using only trusted commands.



    ReplyDelete
  2. Hello Ben, thanks for your comment!

    For now, I am trusting the output of the system(s) the script runs on. My goal is to, eventually, bring all of that with me (like I did with WMIC) however, I haven't had the time to invest into making that happen yet. I actually mentioned that in my very first post:

    "My eventual goal is to include all of the executables themselves in this collection, so if for example "ipconfig.exe" has been replaced with a malicious executable, you don't have to worry about additional issues."

    It is definitely on my to-do list, but based off the rough roadmap for where I want to take it, it probably won't be happen for at least a few weeks or maybe months. I wish I had a better answer, time-table wise, but I unfortunately do not.

    ReplyDelete