Here are a few commands for the experienced user to check for potentially suspicious activity on a Macintosh, assuming s/he has admin rights on that computer. Please note that these commands display very specific information and require a good understanding of processes, protocols and configuration files. If any of these commands reveal unusual results (and you understand what you’re seeing) you should immediately consult with a professional. There are many commands like uptime, whoami, who, last, etc. that reveal interesting things, and those have been covered countless times on other sites. Below you will find a few commands that I have learned from seasoned investigators, Red Teams and incident responders. Almost every command can be tweaked with options and arguments. I’ve listed only a few options, most of which I use on a regular basis. Please consult the man-pages for more information.
‘w‘ shows which users are logged in, when they logged in, and the process each of them is currently running.
‘id‘ displays the user’s ID and Group IDs s/he belongs to.
‘finger -m‘ or ‘finger -m <username>‘ shows information about a user account, including the last login time (‘-m’ matches the argument against login names only, not against real names).
‘printenv‘ displays the environment variables of the user that executed the command. You can ‘su - <username>‘ provided you know the password for that account, then execute ‘printenv’. Use the ‘-’ (or ‘-l’) form so that su simulates a full login; without it, su keeps most of your own environment and you would largely be looking at your own variables, not that user’s.
‘mdls <filename>‘ shows Spotlight metadata about files, folders and applications. Pictures may have geo-location information, the type of device and model that took the picture, color space, dates and times, etc.
‘stat -x <filename>‘ displays timestamps, size, filetype, UID, GID, permissions, inode and more.
‘netstat -anb‘ displays information about network connections and open ports (‘-a’ includes listening sockets, ‘-n’ keeps addresses and ports numeric so no DNS lookups are made). Note that netstat on macOS does not tell you which process owns a socket; use lsof (below) for that.
‘netstat -r‘ lists the routing tables. Check out ‘man netstat’ to learn more about this great tool.
‘lsof -p <process ID>‘ lists all open files from the process with a specific process-ID.
‘lsof -P -i :<port nr>‘ lists the process(es) that have a specific port open, with their process-IDs (there’s a space between ‘-i’ and ‘:’ and no space between ‘:’ and the port number).
Two helpful variations (‘-n’ suppresses DNS lookups and ‘-P’ suppresses port-name lookups, so the output stays numeric and comes back faster):
lsof -i -n -P | grep LISTEN
lsof -i -n -P | grep ESTABLISHED
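Grepping for LISTEN and ESTABLISHED gets noisy on a busy machine, so here is an added example (mine, not from the original post) that reduces ‘lsof -i -n -P’ output to three short triage views: listening sockets, established TCP connections, and a count of connections per remote host. The sample lsof output embedded in the script is constructed to mimic macOS formatting; every command name, PID and address in it is made up.

```shell
#!/bin/sh
# Added example, not part of the original post: summarize ‘lsof -i -n -P’.
# Column layout of lsof -i output (with -n -P, NAME is numeric):
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
# so $9 is the local[->remote] address and the optional $10 is "(LISTEN)" etc.
export LC_ALL=C   # deterministic sort order regardless of the user's locale

# Listening sockets as "COMMAND PID USER LOCALADDR"; sort -u collapses the
# usual IPv4 + IPv6 pair for the same port into one line.
summarize_listeners() {
    awk '$NF == "(LISTEN)" { print $1, $2, $3, $9 }' | sort -u
}

# Established TCP connections as "COMMAND PID USER LOCAL->REMOTE".
summarize_established() {
    awk '$NF == "(ESTABLISHED)" { print $1, $2, $3, $9 }' | sort -u
}

# Number of established connections per remote IP (port stripped),
# most-connected host first.
count_remote_hosts() {
    awk '$NF == "(ESTABLISHED)" {
            split($9, ends, "->"); remote = ends[2]
            sub(/:[0-9]+$/, "", remote)     # drop the remote port
            hosts[remote]++
         }
         END { for (h in hosts) print hosts[h], h }' | sort -rn
}

# Constructed sample (hypothetical processes, PIDs and addresses) in the
# shape lsof -i -n -P prints on macOS.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1  root    7u  IPv6 0xa1b2c3d4e5f60718      0t0  TCP *:22 (LISTEN)
launchd       1  root    8u  IPv4 0xa1b2c3d4e5f60719      0t0  TCP *:22 (LISTEN)
rapportd    512 alice    3u  IPv4 0xa1b2c3d4e5f6071a      0t0  TCP *:49152 (LISTEN)
Safari      900 alice   21u  IPv4 0xa1b2c3d4e5f6071b      0t0  TCP 192.168.1.20:52233->93.184.216.34:443 (ESTABLISHED)
Safari      900 alice   22u  IPv4 0xa1b2c3d4e5f6071c      0t0  TCP 192.168.1.20:52234->93.184.216.34:443 (ESTABLISHED)
nc         4242 alice    3u  IPv4 0xa1b2c3d4e5f6071d      0t0  TCP *:31337 (LISTEN)
python3    4300 alice    4u  IPv4 0xa1b2c3d4e5f6071e      0t0  TCP 192.168.1.20:52300->203.0.113.7:8080 (ESTABLISHED)
mDNSRespo   230 _mdnsresponder 8u IPv4 0xa1b2c3d4e5f6071f 0t0  UDP *:5353'

# Take one snapshot of the live system and run all three views over it,
# so the views are consistent with each other.
main() {
    snapshot=$(lsof -i -n -P) || return 1
    echo "== listening sockets =="
    printf '%s\n' "$snapshot" | summarize_listeners
    echo "== established connections =="
    printf '%s\n' "$snapshot" | summarize_established
    echo "== connections per remote host =="
    printf '%s\n' "$snapshot" | count_remote_hosts
}

# ‘sh lsof_triage.sh --live’ queries the real machine; with no argument the
# script demonstrates the views on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    main
else
    echo "== listening sockets (sample) =="
    printf '%s\n' "$SAMPLE_LSOF" | summarize_listeners
    echo "== connections per remote host (sample) =="
    printf '%s\n' "$SAMPLE_LSOF" | count_remote_hosts
fi
```

Run it with sudo when checking the live system; without root, lsof only reports the sockets of your own processes. lsof also truncates the COMMAND column to nine characters by default, so pass ‘+c 0’ if you need full process names in the output.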