SlideShare a Scribd company logo

OSXCollector: Automated forensic evidence collection & analysis for OS X (BruCON 0x07)

Jakub "Kuba" Sendor
Jakub "Kuba" Sendor

We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific security alerts. Host based detectors will tell us about known malware infestations or weird new startup items. Network based detectors see potential C2 callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “I think I have like Stuxnet or conficker or something on my laptop.” When alerts fire, our incident response team’s first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we’ll prevent it in the future. One of our primary tools for root causing OS X alerts is OSXCollector. OSXCollector (https://github.com/Yelp/OSXCollector) is an open source forensic evidence collection and analysis toolkit for OS X. It was developed in-house at Yelp to automate the digital forensics and incident response (DFIR) our crack team of responders had been doing manually.

Software
1 of 47
Download to read offline
Jakub (Kuba) Sendor @jsendor OSXCollector Automated forensic evidence collection & analysis for OS X
@jsendor whoami ● Joined Yelp security team in July 2014. ● Mostly involved in malware incident response. ● Also working on automating our security processes. ● Previously worked at SAP in Sophia Antipolis (France) in the Security & Trust research group. ● Graduated in 2011 from AGH University of Science and Technology in Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
@jsendor Yelp’s Mission: Connecting people with great local businesses.
@jsendor Yelp Stats: As of Q2 2015 83M 3268%83M
@jsendor >3k employees, most of them using Macs
@jsendor
@jsendor
@jsendor
@jsendor https://github.com/Yelp/osxcollector OSXCollector is an open source forensic evidence collection & analysis toolkit for Mac OS X
@jsendor OSXCollector is easy to run 1 Python file 0 dependencies $ sudo osxcollector.py --id DelayedHedgehog Wrote 35394 lines. Output in DelayedHedgehog-2015_01_20-19_38_38.tar.gz $
@jsendor The output is JSON JSON is beautiful. JSON is easy to manipulate. { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
@jsendor OS X stores lots of data in SQLite DBs # Dump a sqlite DB in a dozen lines of code with connect(sqlite_db_path) as conn: conn.cursor.execute('SELECT * from sqlite_master WHERE type = "table"') table_names = [table[2] for table in tables.fetchall()] for table in table_names: rows = conn.cursor.execute('SELECT * from {0}'.format(table_name)) column_descriptions = [col[0] for col in conn.cursor.description] for row in rows.fetchall(): record = dict([(key, val) for key, val in zip(column_descriptions, row)])
@jsendor plist == property list sometimes binary, sometimes plain text $ /usr/libexec/PlistBuddy -c print shell.plist Dict { ProgramArguments = Array { /usr/libexec/rshd } Sockets = Dict { Listeners = Dict { SockServiceName = shell } } Disabled = true Label = com.apple.rshd SessionCreate = true inetdCompatibility = Dict { Wait = false } } $ cat ssh.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0 //EN" "http://www.apple.com/DTDs/PropertyList-1.0. dtd"> <plist version="1.0"> <dict> <key>Disabled</key> <true/> <key>Label</key> <string>com.openssh.sshd</string> <key>Program</key> <string>/usr/libexec/sshd-keygen- wrapper</string> <key>ProgramArguments</key> <array> <string>/usr/sbin/sshd</string> <string>-i</string> BINARY UTF-8
@jsendor OSXCollector uses Foundation Foundation is a nice Objective-C wrapper. import Foundation # Look! Incredibly long objc style function names! plist_nsdata, error_message = Foundation.NSData.dataWithContentsOfFile_options_error_( plist_path, Foundation.NSUncachedRead, None) # Seriously, incredibly long function names! plist_dict, _, _ = Foundation.NSPropertyListSerialization. propertyListFromData_mutabilityOption_format_errorDescription_( plist_nsdata, Foundation.NSPropertyListMutableContainers, None, None)
@jsendor Forensic Collection OS System Info Applications Web Browser Info Kernel Extensions Quarantines Email Info Downloads Startup Items Groups & Accounts
@jsendor Common keys in entries path, hashes, timestamps, signature chain, ... { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
@jsendor Startup items run on boot Malware running at startup is basically game over. { "osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "md5": "dbd251d8a6e4da2419d75f5b18cf5078", "sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca", "sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2", "file_path": "/Library/Application Support/GPGTools/uuid-patcher", "ctime": "2014-12-05 16:52:00", "mtime": "2014-11-30 15:49:40", "osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist", "program": "/usr/libexec/sshd-keygen-wrapper", "label": "com.openssh.sshd", "signature_chain": [], "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", } PRETTY PRETTY!
@jsendor Timestamps are important in forensics Timestamps get stored in a lot of ways. OSXCollector normalizes them. { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] } VERY NORMALIZED
@jsendor Hashes are still important in forensics { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] } STILL USEFUL
@jsendor Quarantines track downloaded content They live forever in a plist. { "osxcollector_section": "quarantines", "osxcollector_username": "jsendor", "LSQuarantineAgentName": "Google Chrome", "LSQuarantineAgentBundleIdentifier": "com.google.Chrome", "LSQuarantineDataURLString": "https://cachefly.alfredapp.com/Alfred_2.5.1_308.zip", "LSQuarantineEventIdentifier": "6FA87446-1249-4578-83E4-4BBCF7AEA4A3", "LSQuarantineOriginURLString": "http://www.alfredapp.com/", "osxcollector_db_path": "/Users/ivanlei/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2", "osxcollector_table_name": "LSQuarantineEvent", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "LSQuarantineTimeStamp": "2014-12-05 14:40:33" }
@jsendor xattr-wherefrom No need to search around in browser history. { .. "md5": "0b984ecc39d5b33e4f6a81ade4e8dbf1", "xattr-quarantines": [ "0001;5541127e;Google Chrome;63B2C485-1F64-4ADE-A95C-72F7087FA172" ], "signature_chain": [], "xattr-wherefrom": [ "http://trojans.evildownloads.com/Trojan.app", "http://trojans.evildownloads.com/latest-trojans/" ], "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "file_path": "/Users/jdoe/Downloads/Trojan.app", } THIS IS BAAAD
@jsendor OS X doesn't care if startups and kext are signed But I kinda do, so OSXCollector lists the signature chain. { "osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "md5": "dbd251d8a6e4da2419d75f5b18cf5078", "sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca", "sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2", "file_path": "/Library/Application Support/GPGTools/uuid-patcher", "ctime": "2014-12-05 16:52:00", "mtime": "2014-11-30 15:49:40", "osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist", "program": "/usr/libexec/sshd-keygen-wrapper", "label": "com.openssh.sshd", "signature_chain": [], "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", } SWELL!
@jsendor Forensic collection is hard work. Forensic analysis is fun. Part science, part art.
@jsendor Manual analysis with grep and jq works pretty well grep a time window only urls in a time window grep a single user $ cat foo.json | grep ' 2014-01-01 11:3[2-8]' $ cat foo.json | grep '2014-01-01 11:3[2-8]' | jq 'select( has("url")).url' $ cat INCIDENT32.json | jq 'select( .osxcollector_username=="jsendor")|.'
@jsendor
@jsendor We can automate this! step 1: analyze step 2: ??? step 3: profit $ python -m osxcollector.output_filters.analyze -i osxcolletor_output.json == Very Readable Output Bot == Let's see what's up with this machine. Well, here's some domains OpenDNS wouldn't recommend. ... - quarantines LSQuarantineDataURLString: "http://d2.genieo.com/im/partners/webpic2/installgenieo. dmg?campaign=wbpc_1&download_browser=Chrome" LSQuarantineTimeStamp: "2014-04-30 15:26:13" opendns-categorization: {"status": 0, "content_categories": ["Adware"], "suspicious": True, "security_categories": []} opendns-security: {"dga_score": -6.35631605112, "rip_score": 0.0, "asn_score": 0.0, "securerank2": -0.00813742053751, "attack": "", "prefix_score": 0.0, "found": True, "threat_type": ""} opendns-link: "https://investigate.opendns.com/domain-view/name/w.genieo.com/view" ... - firefox history last_visit_date: "2015-01-11 23:44:56" url: "http://dl.pspvideosdownload.com/lp/?appid=12…" vtdomain-domain: "dl.pspvideosdownload.com" vtdomain-detections: {"undetected_referrer_samples": 0, "detected_downloaded_samples": 2, "detected_referrer_samples": 0, "detected_urls": 100, "detected_communicating_samples": 0, "undetected_communicating_samples": 0}
@jsendor Enter OSXCollector Output Filters
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor find domains filter a lot of filters add a single piece of info { "url": "https://biz.yelp.com" } { "url": "https://biz.yelp.com", "osxcollector_domains": [ "biz.yelp.com", "yelp.com" ] }
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor check blacklist filter Match any key. Regex or exact match. Built in smarts for turning domains into regex. { "url": "https://www.evil.com", "osxcollector_domains": [ "www.evil.com", "evil.com" ] } { "url": "https://www.evil.com", "osxcollector_domains": [ "www.evil.com", "evil.com" ], "osxcollector_blacklist": [ "domains" ] } domain_blacklist.txt evil.com streaming-football.com downloads.com
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor VirusTotal hash lookup filter API output filter base does the heavy lifting. Support for rate limits & response caching issues10s of requests at once. { "sha1": "99005b68295c202fd359b46c" } { "sha1": "99005b68295c202fd359b46c", "osxcollector_vthash": { "response_code": 200, "positives": 36, "total": 52, } }
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor OpenDNS related domains filter Judge domains by the company they keep. Domains related to suspicious domains are usually suspicious themselves. { "url": "https://www.evil.com", } { "url": "https://www.evil.com", "osxcollector_related": { "domains": [ "double-evil.com", "free-lunch.org", "torrent-malware.net" ] } }
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor OpenDNS domain reputation filter Premium Cyber Threat Intel (CTI) { "url": "https://www.evil.com", } { "url": "https://www.evil.com", "osxcollector_opendns": { "domain": "evil.com", }, "security": { "found": true, "dga_score": -3, "securerank2": -23, "asn_score": -57, "prefix_score": -62, "rip_score": -99, } } }
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor Recommend next steps This whole things started with just a few clues. Now look what I found. - downloads downloads ctime: "2015-02-02 12:15:14" file_path: "/Users/jdoe/Downloads/screenshot.scr" mtime: "2015-01-16 19:20:06" xattr-quarantines: ["0001;54b95657;Googlex20Chrome;162C4043-647D-44A8-83C2-2B1F69C7861F"] xattr-wherefrom: ["https://evildownloads. com/docs/securesc/5552qjr0llks3i1r65nm9vjn073v4ahg/82mfdn9k8qmvmo3ta2vja6hta3iink5i/1421431200000/002186363 34715341180/12229357981017199890/0B-HDNU1GNnRAVjBtYlBqdVFrT2s? e=download&h=01562916784096941731&nonce=850uav3g55qiu&user=12229357981017199890&hash=78ffvfobh7rreq0bj86hqf hb7i8eq92l", ""] related-files: ["screenshot.scr"] Nothing hides from Very Readable Output Bot If I were you, I'd probably update my blacklists to include: domain: "evildownloads.com" That might just help things, Skippy!
@jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
@jsendor Threat Intel API https://github.com/Yelp/threat_intel Query Threat Intel Feeds:
@jsendor Call OpenDNS API endpoints from threat_intel.opendns import InvestigateApi investigate = InvestigateApi(<INVESTIGATE-API-KEY-HERE>, cache_file_name="/tmp/cache.opendns.json") domains = ["google.com", "baidu.com", "bibikun.ru"] investigate.security(domains) { "baidu.com": { "found": true, "dga_score": 0, "rip_score": 0, .. } }
@jsendor ElastAlert http://engineeringblog.yelp.com/
@jsendor https://github.com/Yelp/osxcollector Lemme know if you use it. Send pull requests.
Questions? Let's talk! kuba@yelp.com @jsendor We are hiring! visit yelp.com/careers
@jsendor This slide is intentionally left blank.

Recommended

Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
Synack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
Chris Gates
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
Andrey Devyatkin
 

Recommended

Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
Synack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
Chris Gates
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
Andrey Devyatkin
 
Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0
Rakesh Kachhadiya
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Invoke-DOSfuscation
Invoke-DOSfuscationInvoke-DOSfuscation
Invoke-DOSfuscation
Daniel Bohannon
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Cris Holdorph
 
Denis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application securityDenis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application security
Аліна Шепшелей
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
Santiago Bassett
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Friendcaster log
Friendcaster logFriendcaster log
Friendcaster log
tahani alharbi
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
RootedCON
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend framework
George Mihailov
 
Cosmos, Big Data GE Implementation
Cosmos, Big Data GE ImplementationCosmos, Big Data GE Implementation
Cosmos, Big Data GE Implementation
FIWARE
 
Stream processing and Norikra
Stream processing and NorikraStream processing and Norikra
Stream processing and NorikraSATOSHI TAGOMORI
 
Collect, summarize and notify of OpenStack's log
Collect, summarize and notify of OpenStack's logCollect, summarize and notify of OpenStack's log
Collect, summarize and notify of OpenStack's log
NTT Communications Technology Development
 
How to Make Norikra Perfect
How to Make Norikra PerfectHow to Make Norikra Perfect
How to Make Norikra Perfect
SATOSHI TAGOMORI
 
Cep 소개 - for developers
Cep 소개 - for developersCep 소개 - for developers
Cep 소개 - for developers
Juhyeon Lee
 
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
daisuke-a-matsui
 
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LTNorikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Masahiro Nagano
 
fluent-plugin-norikra #fluentdcasual
fluent-plugin-norikra #fluentdcasualfluent-plugin-norikra #fluentdcasual
fluent-plugin-norikra #fluentdcasual
SATOSHI TAGOMORI
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
Synack
 

More Related Content

What's hot

Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0
Rakesh Kachhadiya
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Invoke-DOSfuscation
Invoke-DOSfuscationInvoke-DOSfuscation
Invoke-DOSfuscation
Daniel Bohannon
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Cris Holdorph
 
Denis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application securityDenis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application security
Аліна Шепшелей
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
Santiago Bassett
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Friendcaster log
Friendcaster logFriendcaster log
Friendcaster log
tahani alharbi
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
RootedCON
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend framework
George Mihailov
 
Cosmos, Big Data GE Implementation
Cosmos, Big Data GE ImplementationCosmos, Big Data GE Implementation
Cosmos, Big Data GE Implementation
FIWARE
 

What's hot (14)

Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Invoke-DOSfuscation
Invoke-DOSfuscationInvoke-DOSfuscation
Invoke-DOSfuscation
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
 
Denis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application securityDenis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application security
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
Friendcaster log
Friendcaster logFriendcaster log
Friendcaster log
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend framework
 
Cosmos, Big Data GE Implementation
Cosmos, Big Data GE ImplementationCosmos, Big Data GE Implementation
Cosmos, Big Data GE Implementation
 

Viewers also liked

Stream processing and Norikra
Stream processing and NorikraStream processing and Norikra
Stream processing and NorikraSATOSHI TAGOMORI
 
Collect, summarize and notify of OpenStack's log
Collect, summarize and notify of OpenStack's logCollect, summarize and notify of OpenStack's log
Collect, summarize and notify of OpenStack's log
NTT Communications Technology Development
 
How to Make Norikra Perfect
How to Make Norikra PerfectHow to Make Norikra Perfect
How to Make Norikra Perfect
SATOSHI TAGOMORI
 
Cep 소개 - for developers
Cep 소개 - for developersCep 소개 - for developers
Cep 소개 - for developers
Juhyeon Lee
 
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
daisuke-a-matsui
 
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LTNorikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Masahiro Nagano
 
fluent-plugin-norikra #fluentdcasual
fluent-plugin-norikra #fluentdcasualfluent-plugin-norikra #fluentdcasual
fluent-plugin-norikra #fluentdcasual
SATOSHI TAGOMORI
 

Viewers also liked (7)

Stream processing and Norikra
Stream processing and NorikraStream processing and Norikra
Stream processing and Norikra
 
Collect, summarize and notify of OpenStack's log
Collect, summarize and notify of OpenStack's logCollect, summarize and notify of OpenStack's log
Collect, summarize and notify of OpenStack's log
 
How to Make Norikra Perfect
How to Make Norikra PerfectHow to Make Norikra Perfect
How to Make Norikra Perfect
 
Cep 소개 - for developers
Cep 소개 - for developersCep 소개 - for developers
Cep 소개 - for developers
 
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
Norikra + Fluentd + Elasticsearch + Kibana リアルタイムストリーミング処理 ログ集計による異常検知
 
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LTNorikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
Norikraで作るPHPの例外検知システム YAPC::Asia Tokyo 2015 LT
 
fluent-plugin-norikra #fluentdcasual
fluent-plugin-norikra #fluentdcasualfluent-plugin-norikra #fluentdcasual
fluent-plugin-norikra #fluentdcasual
 

Similar to OSXCollector: Automated forensic evidence collection & analysis for OS X (BruCON 0x07)

Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
Synack
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
Sebastien Gioria
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
Ibrahim Baliç
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
BGA Cyber Security
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
Rishi Bhargava
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 
TIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepTIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by step
The Incredible Automation Day
 
iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side Analysis
Aadarsh N
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
Ricardo L0gan
 
HTML5 on Mobile
HTML5 on MobileHTML5 on Mobile
HTML5 on Mobile
Adam Lu
 
Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014
University of Toronto Libraries - Information Technology Services
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
NETWAYS
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Jakub "Kuba" Sendor
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
soft-shake.ch
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
RootedCON
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
DevSecCon
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talk
Aarti Parikh
 

Similar to OSXCollector: Automated forensic evidence collection & analysis for OS X (BruCON 0x07) (20)

Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
TIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepTIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by step
 
iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side Analysis
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
HTML5 on Mobile
HTML5 on MobileHTML5 on Mobile
HTML5 on Mobile
 
Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talk
 

More from Jakub "Kuba" Sendor

To boldly go where no one has gone before: life after the DevSecOps transform...
To boldly go where no one has gone before: life after the DevSecOps transform...To boldly go where no one has gone before: life after the DevSecOps transform...
To boldly go where no one has gone before: life after the DevSecOps transform...
Jakub "Kuba" Sendor
 
DevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
DevSecOps: The Final Frontier? Building Secure Software in an Agile OrganizationDevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
DevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
Jakub "Kuba" Sendor
 
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
Jakub "Kuba" Sendor
 
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...
Jakub "Kuba" Sendor
 
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
Jakub "Kuba" Sendor
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
Jakub "Kuba" Sendor
 

More from Jakub "Kuba" Sendor (6)

To boldly go where no one has gone before: life after the DevSecOps transform...
To boldly go where no one has gone before: life after the DevSecOps transform...To boldly go where no one has gone before: life after the DevSecOps transform...
To boldly go where no one has gone before: life after the DevSecOps transform...
 
DevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
DevSecOps: The Final Frontier? Building Secure Software in an Agile OrganizationDevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
DevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
 
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
 
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...
 
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
 

Recently uploaded

OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
kalichargn70th171
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
aymanquadri279
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 

Recently uploaded (20)

OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 

OSXCollector: Automated forensic evidence collection & analysis for OS X (BruCON 0x07)

  • 1. Jakub (Kuba) Sendor @jsendor OSXCollector Automated forensic evidence collection & analysis for OS X
  • 2. @jsendor whoami ● Joined Yelp security team in July 2014. ● Mostly involved in malware incident response. ● Also working on automating our security processes. ● Previously worked at SAP in Sophia Antipolis (France) in the Security & Trust research group. ● Graduated in 2011 from AGH University of Science and Technology in Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
  • 3. @jsendor Yelp’s Mission: Connecting people with great local businesses.
  • 4. @jsendor Yelp Stats: As of Q2 2015 83M 3268%83M
  • 5. @jsendor >3k employees, most of them using Macs
  • 9. @jsendor https://github.com/Yelp/osxcollector OSXCollector is an open source forensic evidence collection & analysis toolkit for Mac OS X
  • 10. @jsendor OSXCollector is easy to run 1 Python file 0 dependencies $ sudo osxcollector.py --id DelayedHedgehog Wrote 35394 lines. Output in DelayedHedgehog-2015_01_20-19_38_38.tar.gz $
  • 11. @jsendor The output is JSON JSON is beautiful. JSON is easy to manipulate. { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
  • 12. @jsendor OS X stores lots of data in SQLite DBs # Dump a sqlite DB in a dozen lines of code with connect(sqlite_db_path) as conn: conn.cursor.execute('SELECT * from sqlite_master WHERE type = "table"') table_names = [table[2] for table in tables.fetchall()] for table in table_names: rows = conn.cursor.execute('SELECT * from {0}'.format(table_name)) column_descriptions = [col[0] for col in conn.cursor.description] for row in rows.fetchall(): record = dict([(key, val) for key, val in zip(column_descriptions, row)])
  • 13. @jsendor plist == property list sometimes binary, sometimes plain text $ /usr/libexec/PlistBuddy -c print shell.plist Dict { ProgramArguments = Array { /usr/libexec/rshd } Sockets = Dict { Listeners = Dict { SockServiceName = shell } } Disabled = true Label = com.apple.rshd SessionCreate = true inetdCompatibility = Dict { Wait = false } } $ cat ssh.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0 //EN" "http://www.apple.com/DTDs/PropertyList-1.0. dtd"> <plist version="1.0"> <dict> <key>Disabled</key> <true/> <key>Label</key> <string>com.openssh.sshd</string> <key>Program</key> <string>/usr/libexec/sshd-keygen- wrapper</string> <key>ProgramArguments</key> <array> <string>/usr/sbin/sshd</string> <string>-i</string> BINARY UTF-8
  • 14. @jsendor OSXCollector uses Foundation Foundation is a nice Objective-C wrapper. import Foundation # Look! Incredibly long objc style function names! plist_nsdata, error_message = Foundation.NSData.dataWithContentsOfFile_options_error_( plist_path, Foundation.NSUncachedRead, None) # Seriously, incredibly long function names! plist_dict, _, _ = Foundation.NSPropertyListSerialization. propertyListFromData_mutabilityOption_format_errorDescription_( plist_nsdata, Foundation.NSPropertyListMutableContainers, None, None)
  • 15. @jsendor Forensic Collection OS System Info Applications Web Browser Info Kernel Extensions Quarantines Email Info Downloads Startup Items Groups & Accounts
  • 16. @jsendor Common keys in entries path, hashes, timestamps, signature chain, ... { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
  • 17. @jsendor Startup items run on boot Malware running at startup is basically game over. { "osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "md5": "dbd251d8a6e4da2419d75f5b18cf5078", "sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca", "sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2", "file_path": "/Library/Application Support/GPGTools/uuid-patcher", "ctime": "2014-12-05 16:52:00", "mtime": "2014-11-30 15:49:40", "osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist", "program": "/usr/libexec/sshd-keygen-wrapper", "label": "com.openssh.sshd", "signature_chain": [], "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", } PRETTY PRETTY!
  • 18. @jsendor Timestamps are important in forensics Timestamps get stored in a lot of ways. OSXCollector normalizes them. { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] } VERY NORMALIZED
  • 19. @jsendor Hashes are still important in forensics { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] } STILL USEFUL
  • 20. @jsendor Quarantines track downloaded content They live forever in a plist. { "osxcollector_section": "quarantines", "osxcollector_username": "jsendor", "LSQuarantineAgentName": "Google Chrome", "LSQuarantineAgentBundleIdentifier": "com.google.Chrome", "LSQuarantineDataURLString": "https://cachefly.alfredapp.com/Alfred_2.5.1_308.zip", "LSQuarantineEventIdentifier": "6FA87446-1249-4578-83E4-4BBCF7AEA4A3", "LSQuarantineOriginURLString": "http://www.alfredapp.com/", "osxcollector_db_path": "/Users/ivanlei/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2", "osxcollector_table_name": "LSQuarantineEvent", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "LSQuarantineTimeStamp": "2014-12-05 14:40:33" }
  • 21. @jsendor xattr-wherefrom No need to search around in browser history. { .. "md5": "0b984ecc39d5b33e4f6a81ade4e8dbf1", "xattr-quarantines": [ "0001;5541127e;Google Chrome;63B2C485-1F64-4ADE-A95C-72F7087FA172" ], "signature_chain": [], "xattr-wherefrom": [ "http://trojans.evildownloads.com/Trojan.app", "http://trojans.evildownloads.com/latest-trojans/" ], "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "file_path": "/Users/jdoe/Downloads/Trojan.app", } THIS IS BAAAD
  • 22. @jsendor OS X doesn't care if startups and kext are signed But I kinda do, so OSXCollector lists the signature chain. { "osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "md5": "dbd251d8a6e4da2419d75f5b18cf5078", "sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca", "sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2", "file_path": "/Library/Application Support/GPGTools/uuid-patcher", "ctime": "2014-12-05 16:52:00", "mtime": "2014-11-30 15:49:40", "osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist", "program": "/usr/libexec/sshd-keygen-wrapper", "label": "com.openssh.sshd", "signature_chain": [], "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", } SWELL!
  • 23. @jsendor Forensic collection is hard work. Forensic analysis is fun. Part science, part art.
  • 24. @jsendor Manual analysis with grep and jq works pretty well grep a time window only urls in a time window grep a single user $ cat foo.json | grep ' 2014-01-01 11:3[2-8]' $ cat foo.json | grep '2014-01-01 11:3[2-8]' | jq 'select( has("url")).url' $ cat INCIDENT32.json | jq 'select( .osxcollector_username=="jsendor")|.'
  • 26. @jsendor We can automate this! step 1: analyze step 2: ??? step 3: profit $ python -m osxcollector.output_filters.analyze -i osxcolletor_output.json == Very Readable Output Bot == Let's see what's up with this machine. Well, here's some domains OpenDNS wouldn't recommend. ... - quarantines LSQuarantineDataURLString: "http://d2.genieo.com/im/partners/webpic2/installgenieo. dmg?campaign=wbpc_1&download_browser=Chrome" LSQuarantineTimeStamp: "2014-04-30 15:26:13" opendns-categorization: {"status": 0, "content_categories": ["Adware"], "suspicious": True, "security_categories": []} opendns-security: {"dga_score": -6.35631605112, "rip_score": 0.0, "asn_score": 0.0, "securerank2": -0.00813742053751, "attack": "", "prefix_score": 0.0, "found": True, "threat_type": ""} opendns-link: "https://investigate.opendns.com/domain-view/name/w.genieo.com/view" ... - firefox history last_visit_date: "2015-01-11 23:44:56" url: "http://dl.pspvideosdownload.com/lp/?appid=12…" vtdomain-domain: "dl.pspvideosdownload.com" vtdomain-detections: {"undetected_referrer_samples": 0, "detected_downloaded_samples": 2, "detected_referrer_samples": 0, "detected_urls": 100, "detected_communicating_samples": 0, "undetected_communicating_samples": 0}
  • 28. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 29. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 30. @jsendor find domains filter a lot of filters add a single piece of info { "url": "https://biz.yelp.com" } { "url": "https://biz.yelp.com", "osxcollector_domains": [ "biz.yelp.com", "yelp.com" ] }
  • 31. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 32. @jsendor check blacklist filter Match any key. Regex or exact match. Built in smarts for turning domains into regex. { "url": "https://www.evil.com", "osxcollector_domains": [ "www.evil.com", "evil.com" ] } { "url": "https://www.evil.com", "osxcollector_domains": [ "www.evil.com", "evil.com" ], "osxcollector_blacklist": [ "domains" ] } domain_blacklist.txt evil.com streaming-football.com downloads.com
  • 33. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 34. @jsendor VirusTotal hash lookup filter API output filter base does the heavy lifting. Support for rate limits & response caching issues10s of requests at once. { "sha1": "99005b68295c202fd359b46c" } { "sha1": "99005b68295c202fd359b46c", "osxcollector_vthash": { "response_code": 200, "positives": 36, "total": 52, } }
  • 35. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 36. @jsendor OpenDNS related domains filter Judge domains by the company they keep. Domains related to suspicious domains are usually suspicious themselves. { "url": "https://www.evil.com", } { "url": "https://www.evil.com", "osxcollector_related": { "domains": [ "double-evil.com", "free-lunch.org", "torrent-malware.net" ] } }
  • 37. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 38. @jsendor OpenDNS domain reputation filter Premium Cyber Threat Intel (CTI) { "url": "https://www.evil.com", } { "url": "https://www.evil.com", "osxcollector_opendns": { "domain": "evil.com", }, "security": { "found": true, "dga_score": -3, "securerank2": -23, "asn_score": -57, "prefix_score": -62, "rip_score": -99, } } }
  • 39. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 40. @jsendor Recommend next steps This whole things started with just a few clues. Now look what I found. - downloads downloads ctime: "2015-02-02 12:15:14" file_path: "/Users/jdoe/Downloads/screenshot.scr" mtime: "2015-01-16 19:20:06" xattr-quarantines: ["0001;54b95657;Googlex20Chrome;162C4043-647D-44A8-83C2-2B1F69C7861F"] xattr-wherefrom: ["https://evildownloads. com/docs/securesc/5552qjr0llks3i1r65nm9vjn073v4ahg/82mfdn9k8qmvmo3ta2vja6hta3iink5i/1421431200000/002186363 34715341180/12229357981017199890/0B-HDNU1GNnRAVjBtYlBqdVFrT2s? e=download&h=01562916784096941731&nonce=850uav3g55qiu&user=12229357981017199890&hash=78ffvfobh7rreq0bj86hqf hb7i8eq92l", ""] related-files: ["screenshot.scr"] Nothing hides from Very Readable Output Bot If I were you, I'd probably update my blacklists to include: domain: "evildownloads.com" That might just help things, Skippy!
  • 41. @jsendor Automated analysis with output filters OpenDNS related domains filter JSON in find domains filter check blacklists filter VirusTotal hash lookup filter Shadowserver hash lookup filter find related files filter OpenDNS domain reputation filter VirusTotal domain reputation filter JSON out construct browser history filter recommend next steps filter
  • 43. @jsendor Call OpenDNS API endpoints from threat_intel.opendns import InvestigateApi investigate = InvestigateApi(<INVESTIGATE-API-KEY-HERE>, cache_file_name="/tmp/cache.opendns.json") domains = ["google.com", "baidu.com", "bibikun.ru"] investigate.security(domains) { "baidu.com": { "found": true, "dga_score": 0, "rip_score": 0, .. } }
  • 46. Questions? Let's talk! kuba@yelp.com @jsendor We are hiring! visit yelp.com/careers
  • 47. @jsendor This slide is intentionally left blank.