2022-06-24 15:58:06
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
# edit the "flags" line like this:
flags:lo,aa,fc,fd,pc,nt,ex
minfree:5
# edit the "naflags" line like this:
naflags:lo,aa,fc,fd,pc,nt,ex
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
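Before starting norimaci.py in OpenBSM mode it is worth confirming that the audit_control edit above actually took, since a missing class silently produces an empty report. The pre-flight check below is an added example, not part of Norimaci: it parses audit_control(5) syntax and reports which of the classes and the argv policy shown in the snippet are absent; the required sets come from that snippet and the sample file content is constructed.

```python
import sys

# Audit classes and policy flag taken from the audit_control snippet above.
# Added pre-flight check for Norimaci's OpenBSM mode; not part of Norimaci itself.
REQUIRED_CLASSES = {"lo", "aa", "fc", "fd", "pc", "nt", "ex"}
REQUIRED_POLICY = {"argv"}  # without argv, 'ex' records carry no command-line arguments

def parse_audit_control(text):
    """Parse audit_control(5) text into {key: value}; lines starting with '#' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed audit_control line: %r" % raw)
        settings[key.strip()] = value.strip()
    return settings

def split_classes(value):
    """'lo,+aa,-fc,^ex' -> {'lo', 'aa', 'fc'}: '+'/'-' only restrict a class to
    success/failure events, while '^' disables it, so it does not count as enabled."""
    return {c.lstrip("+-") for c in value.split(",") if c and not c.startswith("^")}

def check_audit_control(text):
    """Return a list of problems; an empty list means the prerequisites are met."""
    settings = parse_audit_control(text)
    problems = []
    for key in ("flags", "naflags"):
        missing = REQUIRED_CLASSES - split_classes(settings.get(key, ""))
        if missing:
            problems.append("%s missing classes: %s" % (key, ",".join(sorted(missing))))
    missing_policy = REQUIRED_POLICY - split_classes(settings.get("policy", ""))
    if missing_policy:
        problems.append("policy missing: %s" % ",".join(sorted(missing_policy)))
    return problems

# Constructed sample: an unedited audit_control that audits only 'lo' and 'aa'.
UNEDITED_AUDIT_CONTROL = "dir:/var/audit\nflags:lo,aa\nnaflags:lo,aa\npolicy:cnt,argv\n"

if __name__ == "__main__":
    # Check the live file (or a path given on the command line) before running norimaci.py.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/security/audit_control"
    with open(path) as f:
        problems = check_audit_control(f.read())
    print("\n".join(problems) if problems else "OK: every class Norimaci needs is audited")
```

Remember that auditd only picks up an edited audit_control after it re-reads the file (audit -s), so run the check against the live file after that step.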
Usage

Basic usage with OpenBSM (most standard usage)

1. Run norimaci.py with sudo.
2. Run a malware sample (any type of malware works: DMG, PKG, Mach-O binary, and so on).
3. Wait a while (until the malware has had time to reach its goal).
4. Press "Ctrl + C" at the appropriate time in the terminal where Norimaci is running.
5. Two kinds of reports are generated: Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv.
6. Inspect the reports with your favorite tools (e.g. text editors, grep, less, etc.).

$ sudo python3 ./norimaci.py -m openbsm -o ./out/
Password:
--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
[*] Launching OpenBSM agent...
[*] When runtime is complete, press CTRL+C to stop logging.
^C
[*] Termination of OpenBSM agent commencing... please wait
[*] Converting OpenBSM data ...
[*] Loading converted macOS activity data ...
[*] Saving report to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219.txt
[*] Saving timeline to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219_timeline.csv

Basic usage with Monitor.app

Note: Monitor.app cannot run on macOS 10.15, but it works fine on macOS 10.14 or earlier.

1. Run norimaci.py with sudo.
2. Enter a password after Norimaci launches Monitor.app (Monitor.app needs a password to install its kext).
3. Run a malware sample (any type of malware works: DMG, PKG, Mach-O binary, and so on).
4. Wait a while (until the malware has had time to reach its goal).
5. Press "Ctrl + C" at the appropriate time in the terminal where Norimaci is running.
6. Two kinds of reports are generated: Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv.
7. Inspect the reports with your favorite tools (e.g. text editors, grep, less, etc.).

Help of scripts

norimaci.py

$ python3 ./norimaci.py -h
--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
usage: norimaci.py [-h] [-m MONITOR] [-j JSON] [-bl OPENBSM_LOG] [-p PROCLIST]
                   [-ml MONITORAPP_LOG] [-o OUTPUT] [--force] [--debug]

Light weight sandbox which works with OpenBSM or Fireeye's Monitor.app

optional arguments:
  -h, --help            show this help message and exit
  -m MONITOR, --monitor MONITOR
                        Specify a program to monitor macOS activity. You can
                        choose 'openbsm' or 'monitorapp'.
  -j JSON, --json JSON  Path to a JSON file which is converted by
                        'openbsmconv.py' or 'monitorappconv.py'.
  -bl OPENBSM_LOG, --openbsm-log OPENBSM_LOG
                        Path to an OpenBSM log file.
  -p PROCLIST, --proclist PROCLIST
                        Path to a process list file to process OpenBSM log
                        file. A file which has ".proclist" extnsion would be
                        used, if this option is not specified.
  -ml MONITORAPP_LOG, --monitorapp-log MONITORAPP_LOG
                        Path to a Monitor.app data file.
  -o OUTPUT, --output OUTPUT
                        Path to an output directory.
  --force               Enable to overwrite output files.
  --debug               Enable debug mode.

openbsmconv.py

$ python3 ./openbsmconv.py -h
usage: openbsmconv.py [-h] [-f FILE] [-p PROCLIST] [-o OUT] [-c] [-rp]
                      [--with-failure] [--with-failure-socket] [--force]
                      [--debug]

Converts OpenBSM log file to JSON format.

optional arguments:
  -h, --help            show this help message and exit