FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Aftermath - A Free macOS IR Framework

By: noreply@blogger.com (Unknown)


Aftermath is a Swift-based, open-source incident response framework.

Aftermath can be leveraged by defenders in order to collect and subsequently analyze the data from the compromised host. Aftermath can be deployed from an MDM (ideally), but it can also run independently from the infected user's command line.

Aftermath first runs a series of modules for collection. The output of this will either be written to the location of your choice, via the -o or --output option, or by default, it is written to the /tmp directory.

Once collection is complete, the final zip/archive file can be pulled from the end user's disk. This file can then be analyzed using the --analyze argument pointed at the archive file. The results of this will be written to the /tmp directory. The administrator can then unzip that analysis directory and see a parsed view of the locally collected databases, a timeline of files with the file creation, last accessed, and last modified dates (if they're available), and a storyline which includes the file metadata, database changes, and browser information to potentially track down the infection vector.


Build

To build Aftermath locally, clone it from the repository

git clone https://github.com/jamf/aftermath.git

cd into the Aftermath directory

cd <path_to_aftermath_directory>

Build using Xcode

xcodebuild

cd into the Release folder

cd build/Release

Run aftermath

sudo ./aftermath

Usage

Aftermath needs to be root, as well as have full disk access (FDA) in order to run. FDA can be granted to the Terminal application in which it is running.

The default usage of Aftermath runs

sudo ./aftermath

To specify certain options

sudo ./aftermath [option1] [option2]

Examples

sudo ./aftermath -o /Users/user/Desktop --deep
sudo ./aftermath --analyze <path_to_collection_zip>

Releases

There is an Aftermath.pkg available under Releases. This pkg is signed and notarized. It will install the aftermath binary at /usr/local/bin/. This would be the ideal way to deploy via MDM. Since this is installed in bin, you can then run aftermath like

sudo aftermath [option1] [option2]

Uninstall

To uninstall the aftermath binary, run the AftermathUninstaller.pkg from the Releases. This will uninstall the binary and also run aftermath --cleanup to remove aftermath directories. If any aftermath directories reside elsewhere, from using the --output command, it is the responsibility of the user/admin to remove said directories.

Help Menu

Contributors
  • Stuart Ashenbrenner
  • Jaron Bradley
  • Maggie Zirnhelt
  • Matt Benyo
  • Ferdous Saljooki

Thank You

This project leverages the open source TrueTree project, written and licensed by Jaron Bradley.



Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

By: Ravie Lakshmanan
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. The shortcoming, dubbedΒ AchillesΒ (CVE-2022-42821, CVSS score: 5.5), was addressed by the iPhone maker inΒ macOS Ventura 13,Β Monterey 12.6.2, andΒ Big Sur 11.7.2, describing it as a logic

New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

By: Ravie Lakshmanan
Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked asΒ CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to

Apple iOS and macOS Flaw Could've Let Apps Eavesdrop on Your Conversations with Siri

By: Ravie Lakshmanan
A now-patched security flaw in Apple's iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri. Apple said "an app may be able to record audio using a pair of connected AirPods," adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements. Credited with discovering and reporting the bug in August

New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems

By: Ravie Lakshmanan
A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems. "Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run

Details Released for Recently Patched new macOS Archive Utility Vulnerability

By: Ravie Lakshmanan
Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures. The vulnerability, tracked asΒ CVE-2022-32910, is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

By: Ravie Lakshmanan
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The

Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw

By: Ravie Lakshmanan
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifierΒ CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may

XCSSET Malware Updates with Python 3 to Target macOS Monterey Users

By: Ravie Lakshmanan
The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3. "The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022," SentinelOne researchers

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

By: Ravie Lakshmanan
Apple on Wednesday released security updates forΒ iOS, iPadOS, andΒ macOSΒ platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893Β - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894Β - An

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

By: Ravie Lakshmanan
The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into

Zoom for Mac patches critical bug – update now!

By: Paul Ducklin
There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

Apple Releases Security Patches for all Devices Fixing Dozens of New Vulnerabilities

By: Ravie Lakshmanan
Apple on Wednesday rolled outΒ software fixesΒ for iOS, iPadOS, macOS, tvOS, and watchOS to address a number of security flaws affecting its platforms. This includes at least 37 flaws spanning different components in iOS and macOS that range from privilege escalation to arbitrary code execution and from information disclosure to denial-of-service (DoS). <!--adsense--> Chief among them is CVE-2022-

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

By: Ravie Lakshmanan
Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system. The malware, codenamedΒ CloudMensisΒ by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files. "Its capabilities clearly show that the

Apple zero-day drama for Macs, iPhones and iPads – patch now!

By: Paul Ducklin
Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...

apple-1200

Apple fixes Safari data leak (and patches a zero-day!) – update now

By: Paul Ducklin
That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.

apple-1200

❌