A "How'd that malware get there?" tool for OS X

sunkiran/osxcollector

OSXCollector

How'd that malware get there?

That's the question you've got to answer for every OSX malware infection. We built OSXCollector to make that easy. With automated analysis of collected

A typical infection might follow a path like:

  1. a phishing email leads to a malicious download
  2. once installed, the initial payload establishes persistence
  3. then it reaches out on the network and pulls down additional payloads

With the output of OSXCollector we can quickly correlate browser history, startup items, downloads, and installed applications. That makes it easy to root-cause an infection, collect IOCs, and get to the bottom of what happened.

So what does it do?

Evidence Collection

OSXCollector gathers information from plists, sqlite databases and the local filesystem. The output is JSON which makes it easy to process further with other tools.
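The two paragraphs above describe the workflow: the tool emits one JSON record per artifact, and the analyst correlates downloads against browser history and startup items to reconstruct the infection chain. The script below is an added example (not part of the OSXCollector project) that does that correlation over a constructed set of newline-delimited JSON records. The key names it uses (`osxcollector_section`, `osxcollector_subsection`, `file_path`, `sha2`, `ctime`, `url`, `last_visit`) are assumptions about the output shape, not taken from this page, and the sample records are constructed.

```python
"""Correlate OSXCollector-style JSON records: link a downloaded file to the
browser history entry that fetched it, and to startup items created soon after."""
import json
import os
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, one JSON object per line. Key names are an
# assumption about the collector's output shape, not taken from the README.
SAMPLE_OUTPUT = """\
{"osxcollector_section": "chrome", "osxcollector_subsection": "history", "url": "http://example.invalid/login", "title": "Account update", "last_visit": "2019-03-04 10:12:01"}
{"osxcollector_section": "chrome", "osxcollector_subsection": "history", "url": "http://example.invalid/invoice.dmg", "title": "", "last_visit": "2019-03-04 10:12:40"}
{"osxcollector_section": "downloads", "file_path": "/Users/alice/Downloads/invoice.dmg", "sha2": "aaaa1111", "ctime": "2019-03-04 10:13:02"}
{"osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "file_path": "/Users/alice/Library/LaunchAgents/com.update.helper.plist", "sha2": "bbbb2222", "ctime": "2019-03-04 10:15:30"}
{"osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "file_path": "/Library/LaunchAgents/com.apple.known.plist", "sha2": "cccc3333", "ctime": "2018-01-01 00:00:00"}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank or damaged lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue  # one damaged line must not abort the whole analysis
    return records


def by_section(records):
    """Group records by the collector section that produced them."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("osxcollector_section", "unknown")].append(rec)
    return groups


def _ts(value):
    return datetime.strptime(value, TIME_FMT)


def correlate_download(download, history, window=timedelta(minutes=5)):
    """History entries that plausibly produced this download: same file name
    in the URL, or a visit shortly before the file appeared on disk.
    Exact name matches are listed first."""
    name = os.path.basename(download["file_path"])
    created = _ts(download["ctime"])
    hits = []
    for entry in history:
        visited = _ts(entry["last_visit"])
        url_name = os.path.basename(urlparse(entry["url"]).path)
        if url_name == name or timedelta(0) <= created - visited <= window:
            hits.append(entry)
    hits.sort(key=lambda e: os.path.basename(urlparse(e["url"]).path) != name)
    return hits


def persistence_after(download, startup, window=timedelta(minutes=10)):
    """Startup items created within `window` after the download: candidate
    persistence installed by the downloaded payload."""
    created = _ts(download["ctime"])
    return [s for s in startup if timedelta(0) <= _ts(s["ctime"]) - created <= window]


def build_timeline(groups):
    """Flatten every timestamped record into (time, section, label), sorted."""
    events = []
    for section, recs in groups.items():
        for rec in recs:
            stamp = rec.get("ctime") or rec.get("last_visit")
            if not stamp:
                continue
            label = rec.get("file_path") or rec.get("url", "")
            events.append((_ts(stamp), section, label))
    return sorted(events)


if __name__ == "__main__":
    groups = by_section(parse_records(SAMPLE_OUTPUT))
    for dl in groups["downloads"]:
        print("download:", dl["file_path"], dl["sha2"])
        for h in correlate_download(dl, groups["chrome"]):
            print("  fetched via:", h["url"], h["last_visit"])
        for s in persistence_after(dl, groups["startup"]):
            print("  persistence soon after:", s["file_path"])
    for stamp, section, label in build_timeline(groups):
        print(stamp, section, label)
```

Run it against a real collector output by replacing `SAMPLE_OUTPUT` with the file contents; the time windows are deliberately tunable, since the gap between a visit, the download and the persistence artifact varies by sample.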

Automated Analysis

Yelp automates the forensic analysis of most OSXCollector runs. Check out the output filters we use at Yelp to automate analysis.

Visit our wiki for more info!

License

This work is licensed under the GNU General Public License and is a derivation of https://github.com/jipegit/OSXAuditor
