AutoMacTC: Automating Mac Forensic Triage

Performing macOS incident response (IR) investigations can be challenging, considering the difficulties in quickly capturing, parsing and analyzing forensic data across disparate affected systems. Recognizing this, CrowdStrike® Services created AutoMacTC, an open-source triage collector utility that helps investigators swiftly gather the relevant data, find answers and then eradicate adversaries from their environments. You can find the AutoMacTC tool in our public Github repo.

What is AutoMacTC?

AutoMacTC, or Automated macOS Triage Collector (pronounced auto-mac-tick) is a framework of python scripts designed to parse macOS forensic artifacts and produce output in a format that can be easily accessed and leveraged by forensic analysts. We wrote AutoMacTC primarily with incident response triage and live collection in mind, but it can also be run against a (mounted) disk image for offline analysis.

Why Did We Create It?

Inspired by Crowd Response, the Crowdstrike static host data collection tool, we wrote AutoMacTC to support the macOS forensic community by releasing scripts that automatically parse several of the artifacts that we analyze during macOS incident response investigations. Our main considerations in the development process have been:
  • Ease of use, while remaining feature-rich.AutoMacTC is very easy to use. An analyst simply has to drop the directory containing the main script (automactc.py) and the modules, and run automactc.py -m all on the command line to rapidly run all available modules. We also wrote AutoMacTC to be highly configurable, since different incidents and IR teams require different artifacts. An analyst can specify which modules to run, and change module-level functionality — for example, which directories to enumerate with the dirlist module.
  • Analytical accessibility. As forensic analysts ourselves, we want our tools to produce data in ways that we can immediately start analyzing. AutoMacTC holds true to that objective and generates CSV (or JSON) output files for each module, which can be analyzed with any spreadsheet tool or log aggregator.
  • Extensibility. We recognize that macOS forensics evolves frequently, as existing artifacts change, older artifacts fade away or as new ones crop up. We fashioned AutoMacTC as a modular framework that can also mature as the forensic landscape does. Existing modules can be updated, and new ones can be quickly added to the mix.

What Does AutoMacTC Do?

This utility consists of a main script (automactc.py) and module scripts that can be called by the main script. Each module performs self-contained and independent analysis of a particular forensic artifact. By calling the main script and specifying the modules to run, AutoMacTC will:
  1. Gather basic system information (hostname, serial number, and local IP address) to name the output files.
  2. Execute the specified modules. Each completed output file is dynamically rolled into a tar archive to minimize filesystem presence.
  3. Compress the tar archive when the last module in the queue is completed.
The current module set will collect and parse data from several forensic artifacts. These include:
  • pslist (current process list at time of AutoMacTC run)
  • lsof (current file handles open at time of AutoMacTC run)
  • netstat (current network connections at time of AutoMacTC run)
  • asl (parsed Apple System Log (.asl) files)
  • autoruns (parsing of various persistence locations and plists)
  • bash (parsing bash/.*_history files for all users)
  • chrome (parsing chrome visit history and download history)
  • coreanalytics (parsing program execution evidence produced by Apple diagnostics)
  • dirlist (list of files and directories across the disk)
  • firefox (parsing firefox visit history and download history)
  • installhistory (parsing program installation history)
  • mru (parsing SFL and MRU plist files)
  • quarantines (parsing QuarantineEventsV2 database)
  • quicklook (parsing Quicklooks database)
  • safari (parsing safari visit history and download history)
  • spotlight (parsing user spotlight top searches)
  • ssh (parsing known_hosts and authorized_keys files for each user)
  • syslog (parsing system.log files)
  • systeminfo (basic system identification, such as current IP address, serial no, hostname)
  • users (listing present and deleted users on the system)
  • utmpx (listing user sessions on terminals)

How Can You Use It?

AutoMacTC does not require any additional dependencies to run. It requires only Python 2.7, which ships natively on macOS. Organizations can deploy the tool at scale with the deployment utility of their choice. Some specific use-cases for AutoMacTC are below.
  • Reviewing recent executions and browser behaviors to identify the initial attack vector on a compromised system: sudo /usr/bin/python2.7 automactc.py -m chrome firefox safari coreanalytics dirlist quarantines
  • Collecting execution and persistence artifacts across your macOS environment for threat hunting: sudo /usr/bin/python2.7 automactc.py -m pslist bash coreanalytics autoruns
  • Tracking lateral movement of an adversary between systems: sudo /usr/bin/python2.7 automactc.py -m netstat asl syslog ssh utmpx
Alternatively, you can run every module available to gather as much data as possible: sudo /usr/bin/python2.7 automactc.py -m all AutoMacTC also provides the ability to run against a locally-mounted macOS disk. However, this functionality requires a Mac as the analysis system — AutoMacTC cannot run on or against any other operating system — only macOS. sudo /usr/bin/python2.7 automactc.py -f -i /Volumes/MOUNTED_DISK_IMAGE -m all Tables 1 and 2 below show how this initial release of AutoMacTC can map to the MITRE ATT&CK™ Framework (for threat hunting and incident response).
Initial AccessExecutionPersistencePrivilege

 

Escalation
Defense Evasion
LsofPslistPslistLsofPslist
BrowserLsofLsofAutorunsLsof
InstallHistoryAslNetstatBashBash
MRUBashAutorunsSyslogDirlist
QuarantinesCoreanalyticsCoreanalyticsUtmpxUsers
SSHInstallHistoryDirlist
UtmpxMRU
Syslog
Table 1. Mapping the modules of AutoMacTC to the first five tactics defined in the MITRE ATT&CK Framework.
Credential AccessDiscoveryLateral MovementCollectionExfiltrationCommand & Control
LsofPslistPslistLsofLsofPslist
BashNetstatNetstatBashNetstatLsof
DirlistBashASLDirlistBashNetstat
UsersBashMRUSSHSSH
UtmpxSSH
Syslog
Utmpx
Table 2. Mapping the modules of AutoMacTC to the latter six tactics defined in the MITRE ATT&CK Framework.

Additional Resources

 

Breaches Stop Here