2) Security

checking System Integrity (Intrusion?)

Here a few commands for the experienced user to check for potentially suspicious activity on a Macintosh, assuming s/he has admin rights on that computer. Please note that these commands display very specific information and require a good understanding of processes, protocols and configuration files. If any of these commands reveal unusual results (and you understand what you’re seeing) you should immediately consult with a professional. There are many commands like uptime, whoami, who, last, etc that reveal interesting things and those have been covered countless times on other sites. Below you find a few commands that I have learned from seasoned investigators, Red Teams and incident responders. Almost every command can be tweaked with options and arguments. I’ve listed only a few options, most of which I use on a regular basis. Please consult the man-pages for more information.

User information:

w‘ shows which users are logged in, the time of login and the process they are running

id‘ displays the user’s ID and Group IDs s/he belongs to.

finger -m‘ or ‘finger -m <username>‘ shows information about a user account, including the last login time.

printenv‘ displays the environment variables of the user that executed the command. You can ‘su <username>‘ given you know the password for that account, then execute ‘printenv’.

mdls <filename>‘ shows metadata about a files, folders and applications. Pictures may have geo-location information, the type of device and model that took the picture, color space, dates and times, etc.

stat -x <filename>‘ displays timestamps, size, filetype, UID, GUID, permissions, Inode and more.


Network information:

netstat -anb‘ displays information about network connections and open ports.

netstat -r‘ lists the routing tables. Check out ‘man nestat’ to learn more about this great tool.

lsof -p <process ID>‘ lists all open files from the process with a specific process-ID.

lsof -P -i :<port nr>‘ lists ┬áthe process-ID of a specific open port (there’s a space between ‘-i’ and ‘:’ and no space between ‘:’ and the port number).

Two helpful variations:

lsof -i -n -P | grep LISTEN

lsof -i -n -P | grep ESTABLISHED