Derailed Mac OS

broken image


  1. Mac Os Catalina
  2. Derailed Map Of Zelda A Link To The Past

To erase a Macintosh hard disk you can boot with a different disk and use the Disk Utility.

For OS X 10.2-10.7:

Note:This refers to a full Mac OS X 10.2.3 or later CD included with a computer, not to the update-only 10.2.3 CD. Steps for zeroing data:

  • Fallout is a series of post-apocalyptic role-playing video games—and later action role-playing games—created by Interplay Entertainment.The series is set during the 21st, 22nd and 23rd centuries, and its atompunk retrofuturistic setting and art work are influenced by the post-war culture of 1950s United States, with its combination of hope for the promises of technology and the lurking.
  • Apple has released the iOS 14.5 and iPadOS 14.5 operating system update, adding the ability to unloc Chris Smith April 26, 2021 6:52 pm BST. Spotify is raising its subscription prices in the UK.
  • Whitney Elizabeth Houston was born on August 9, 1963, in what was then a middle-income neighborhood in Newark, New Jersey. She was the daughter of ex-Army serviceman and Newark city administrator John Russell Houston Jr. And gospel singer Emily 'Cissy' (Drinkard) Houston.

These steps assume you have a Mac OS X 10.2.3 or later CD:

  1. Insert the Mac OS X CD.
  2. Restart the computer.
  3. Immediately after the startup sound, press and hold the 'C' key to start up from CD.
  4. When the Installer screen appears, do not click Continue. Instead, choose Installer > Open Disk Utilities.
  5. Select the hard drive to erase.
  6. Click the Erase tab.
  7. Select the volume format from the Volume Format pop-up menu.
  8. Click Options.
  9. Select the checkbox for 'Zero all data'.
  10. Click OK.
  11. Click Erase.

Support Communities / Mac OS & System Software / OS X Mavericks Looks like no one's replied in a while. To start the conversation again, simply ask a new question. User profile for user: vperes vperes User level: Level 1 (3 points). We would like to show you a description here but the site won't allow us.

For a more secure method of erasing of data, you can select the checkbox '8 Way Random Write Format' instead of or in addition to selecting 'Zero all data.' This process could take several hours.

For OS 10.8 and newer:

Mac os download

Secure Erase is documented in the Help menu of the Disk Utility application. Disk Utility has shipped on all OS X versions in /Applications/Utilities folder.

To erase your computer's startup disk, you must start up from another disk, such as an OS X installation disc or from the Recovery Disk. All new OS devices come with a built-in Recovery Disk which can be used by restarting and holding down the R key. A Recovery Disk can also be created on an external hard disk or thumb drive using the Recovery Disk Assistant:

Securely erase a disk in OS X 10.8 or newer

The following is a summary of the Disk Utility help available from the Help menu when running the Disk Utility application:

You can securely erase a disk or partition to make sure the confidential information it contains cannot be recovered.

When erasing a disk or partition, Disk Utility does not erase the actual files; it erases only the information used to access the files. Many commonly available disk recovery apps can easily recover the files. When securely erasing a disk or partition, Disk Utility writes over the erased files, so they can never be recovered. You can choose how many times to write over the files. Writing over the files several times is more secure than writing over them once, but it takes longer.

Jw org videos tagalog youtube. Securely erasing a disk erases files on all its partitions. Securely erasing a partition erases all the files on that partition but does not affect other partitions.

You can't securely erase a CD, DVD, or a solid-state drive. If you don't want data recovered from a solid-state drive, use full disk encryption.

To erase your computer's startup disk, you must start up from another disk, such as an OS X installation disc or from the Recovery Disk .

  1. Open Disk Utility application from the Utility Folder in the Applications folder or select it from the list when booting from the Recovery Disk.
  2. Select the disk or partition to erase, and then click Erase.
  3. Specify a format, and enter a name for the disk.
  4. Click Security Options, use the slider to choose how many times to write over the data on the disk, and click OK. Writing over the data three times meets the U.S. Department of Energy standard for securely erasing magnetic media. Writing over the data seven times meets the U.S. Department of Defense 5220-22-M standard. Single pass or 'Zeroing out' the date is adequate for most
  5. Click Erase.

Also for those wanting to 'Clean' individual files, note this section from the technote:

Mac OS X 10.3+ feature – Secure Empty Trash

You can securely empty the Trash in Mac OS X Panther. While in the Finder, from the File menu choose Secure Empty Trash.

Note: When you securely empty the Trash, the deleted data cannot be recovered by disk utilities. You should only do this if you have a backup or you are sure you will never need the data again. Wd elements 5tb mac.

For machines which boot only MacOS 9 or less use either Drive Setup, Apple HD SC Setup, or Internal HD Format and select the option to zero out and/or low level format the disk. These programs are usually in the Utilities Folder on the install CDs for the various versions of the MacOS.

I remember when I got my first MacBook. My first 'malware-less' computer, I thought to myself.

Fast forward a few years to when I started working in the information security world and my feelings of invincibility depreciated pretty rapidly.

Although Mac OS attacks occur less often than Windows OS attacks, the implications of an attack happening on either OS can be lethal.

If you work in cybersecurity, you know that attack trends are a thing. There's always some new hotness in attacker Tactics, Techniques, and Procedures (TTPs), which often parallels the TTPs of security red teamers. Why? Well, when you see something that works, why reinvent the wheel?

At Expel, we're seeing more and more orgs utilizing Mac OS, yet there's still little discussion about practical enterprise security for Mac OS. But because plenty of our customers run Mac OS systems, we're calling attention to a few recent attack trends we're seeing and how you can make your org (and devices) more resilient.

Recent Mac OS activity and detections

There are two TTPs I've seen recently that target Mac OS.

The first involves the use of persistent interactive scripting interpreters to evade command line auditing. The second involves the use of launchd persistence to download encoded text and compile the encoded text into binary in order to evade perimeter content-based filtering and host-based AV. Using encoded commands from PowerShell is an effective technique that's been used by Windows attackers for a long time … Macs are no longer immune. How to show my hard drive on mac.

Technique 1: Execution of persistent interactive scripting interpreters:

What is it?

Like PowerShell and CMD with Windows, what's a Mac without Bash and Python? Plenty of people love Python because you can use it as both a scripting interpreter and an interactive console.

The only downside? Some of the features we love about Python also make it a security threat. For instance, I love how I can quickly write a Python script to conduct common Bash-like functions like making new files and directories. However, if you want to use the Bash syntax we all know and love, you can invoke Bash directly from Python and execute a command within an interactive Bash console. Using Bash, the ability to execute commands are nearly limitless on a Mac.

Immediately following successful lateral movement to a Mac OS host, I've seen attackers use '/bin/bash' to execute '/usr/bin/nohup' with parameters for an interactive Python console. If you're not familiar with the native BSD utility, the 'nohup' utility invokes another utility — in this case it's Python — with its arguments and tells your system to ignore the 'SIGHUP' signal. This is a problem because 'nohup' allows the utility to remain active and hidden in the background even after a user signs out.

Using Python, attackers then execute another interactive Bash terminal. He or she uses that interactive Bash terminal to execute Curl — which lets him or her download malicious shellcode from an online code repository like GitHub or Paste Code. Once the attacker gets his or her hands on the data they're looking for, that data is then executed locally. The acquired data is either exploit payloads like keyloggers and Keychain dumpers, or utilities to further the attacker's mission like media streamers for data exfiltration.

The process looks something like this:

Though this technique doesn't make it impossible to detect malicious activity, it definitely helps obscure the attacker's activity. For example:

1. Following the compromise of a user account with sudo permissions, an attacker executes a Python console which spawns another Bash under root context.

2. The attacker uses a utility such as Curl to download raw text, using it as shell code or converting it to binary.

3. The shell code or binary code is executed under root context.

4. Now the Bash history for the Curl activity mentioned above isn't in the user's '.bash_history' file or '/var/root/.sh_history.' And it's not mentioned in the Mac OS unified logs. So the crafty attacker goes undetected.

How do you detect this type of attack?

To detect this type of activity on your network, your best bet is to look at your Endpoint Detection and Response (EDR) tech recording process activity from the kernel level.

Using your EDR, look for common code syntax to spawn a TTY shell from another shell. Try any of the following queries:

  • python -c ‘import pty; pty.spawn('/bin/sh')'
  • python -c ‘import pty; pty.spawn('/bin/bash')'
  • bash -i
  • /bin/sh -i
  • perl —e ‘exec '/bin/sh';'
  • ruby: exec '/bin/sh'

You can also look for any of these processes as parent of a TTY shell:

  • vi (or) vim
  • nmap
  • python
  • perl
  • ruby
  • Java

The next step in the process is to look for instances where the child process is a parent of 'curl' or 'wget,' and where the process arguments point to an online code repository. Here are some examples of code repository domains that — in this context — should raise a red flag:

  • paste[.]ofcode[.]org
  • pastecode[.]xyz
  • pastiebin[.]com
  • paste[.]org
  • raw[.]githubusercontent[.]com
  • wstools[.]io
  • gist[.]github[.]com
  • pasted[.]co
  • etherpad[.]org
  • Snipplr[.]com

Mac Os Catalina

By running the activities above using Carbon Black Response (one of the EDR techs that some of our customers use), I produced this recorded process tree:

Looking at the curl process arguments resulting from the child bash shell, there's a command line argument noting a download from 'raw[.]githubusercontent[.]com':

How do I protect my org from this kind of attack in the future?

1. Determine if your engineering team has a business and/or production justification for granting any employees access to any of the online code repositories referenced above. If not, black list the domains using your network permeter tech.

2. Use your EDR tech to set up a recurring hunt or custom detection to monitor for the activity discussed above.

3. Consider restricting standard user accounts from using 'sudo' or 'root,' or implement a privilege control service like 'Make Me Admin' or 'Privileges.app' so that user accounts can only be elevated to administrator level on a temporary basis.

4. If you don't have an EDR, go get one. Relying on local host-based detection is risky at best — without an EDR, it's easy to miss this type of activity.

Technique 2: Launchd persistence to download encoded text

What is it?

Derailed Mac OS

Secure Erase is documented in the Help menu of the Disk Utility application. Disk Utility has shipped on all OS X versions in /Applications/Utilities folder.

To erase your computer's startup disk, you must start up from another disk, such as an OS X installation disc or from the Recovery Disk. All new OS devices come with a built-in Recovery Disk which can be used by restarting and holding down the R key. A Recovery Disk can also be created on an external hard disk or thumb drive using the Recovery Disk Assistant:

Securely erase a disk in OS X 10.8 or newer

The following is a summary of the Disk Utility help available from the Help menu when running the Disk Utility application:

You can securely erase a disk or partition to make sure the confidential information it contains cannot be recovered.

When erasing a disk or partition, Disk Utility does not erase the actual files; it erases only the information used to access the files. Many commonly available disk recovery apps can easily recover the files. When securely erasing a disk or partition, Disk Utility writes over the erased files, so they can never be recovered. You can choose how many times to write over the files. Writing over the files several times is more secure than writing over them once, but it takes longer.

Jw org videos tagalog youtube. Securely erasing a disk erases files on all its partitions. Securely erasing a partition erases all the files on that partition but does not affect other partitions.

You can't securely erase a CD, DVD, or a solid-state drive. If you don't want data recovered from a solid-state drive, use full disk encryption.

To erase your computer's startup disk, you must start up from another disk, such as an OS X installation disc or from the Recovery Disk .

  1. Open Disk Utility application from the Utility Folder in the Applications folder or select it from the list when booting from the Recovery Disk.
  2. Select the disk or partition to erase, and then click Erase.
  3. Specify a format, and enter a name for the disk.
  4. Click Security Options, use the slider to choose how many times to write over the data on the disk, and click OK. Writing over the data three times meets the U.S. Department of Energy standard for securely erasing magnetic media. Writing over the data seven times meets the U.S. Department of Defense 5220-22-M standard. Single pass or 'Zeroing out' the date is adequate for most
  5. Click Erase.

Also for those wanting to 'Clean' individual files, note this section from the technote:

Mac OS X 10.3+ feature – Secure Empty Trash

You can securely empty the Trash in Mac OS X Panther. While in the Finder, from the File menu choose Secure Empty Trash.

Note: When you securely empty the Trash, the deleted data cannot be recovered by disk utilities. You should only do this if you have a backup or you are sure you will never need the data again. Wd elements 5tb mac.

For machines which boot only MacOS 9 or less use either Drive Setup, Apple HD SC Setup, or Internal HD Format and select the option to zero out and/or low level format the disk. These programs are usually in the Utilities Folder on the install CDs for the various versions of the MacOS.

I remember when I got my first MacBook. My first 'malware-less' computer, I thought to myself.

Fast forward a few years to when I started working in the information security world and my feelings of invincibility depreciated pretty rapidly.

Although Mac OS attacks occur less often than Windows OS attacks, the implications of an attack happening on either OS can be lethal.

If you work in cybersecurity, you know that attack trends are a thing. There's always some new hotness in attacker Tactics, Techniques, and Procedures (TTPs), which often parallels the TTPs of security red teamers. Why? Well, when you see something that works, why reinvent the wheel?

At Expel, we're seeing more and more orgs utilizing Mac OS, yet there's still little discussion about practical enterprise security for Mac OS. But because plenty of our customers run Mac OS systems, we're calling attention to a few recent attack trends we're seeing and how you can make your org (and devices) more resilient.

Recent Mac OS activity and detections

There are two TTPs I've seen recently that target Mac OS.

The first involves the use of persistent interactive scripting interpreters to evade command line auditing. The second involves the use of launchd persistence to download encoded text and compile the encoded text into binary in order to evade perimeter content-based filtering and host-based AV. Using encoded commands from PowerShell is an effective technique that's been used by Windows attackers for a long time … Macs are no longer immune. How to show my hard drive on mac.

Technique 1: Execution of persistent interactive scripting interpreters:

What is it?

Like PowerShell and CMD with Windows, what's a Mac without Bash and Python? Plenty of people love Python because you can use it as both a scripting interpreter and an interactive console.

The only downside? Some of the features we love about Python also make it a security threat. For instance, I love how I can quickly write a Python script to conduct common Bash-like functions like making new files and directories. However, if you want to use the Bash syntax we all know and love, you can invoke Bash directly from Python and execute a command within an interactive Bash console. Using Bash, the ability to execute commands are nearly limitless on a Mac.

Immediately following successful lateral movement to a Mac OS host, I've seen attackers use '/bin/bash' to execute '/usr/bin/nohup' with parameters for an interactive Python console. If you're not familiar with the native BSD utility, the 'nohup' utility invokes another utility — in this case it's Python — with its arguments and tells your system to ignore the 'SIGHUP' signal. This is a problem because 'nohup' allows the utility to remain active and hidden in the background even after a user signs out.

Using Python, attackers then execute another interactive Bash terminal. He or she uses that interactive Bash terminal to execute Curl — which lets him or her download malicious shellcode from an online code repository like GitHub or Paste Code. Once the attacker gets his or her hands on the data they're looking for, that data is then executed locally. The acquired data is either exploit payloads like keyloggers and Keychain dumpers, or utilities to further the attacker's mission like media streamers for data exfiltration.

The process looks something like this:

Though this technique doesn't make it impossible to detect malicious activity, it definitely helps obscure the attacker's activity. For example:

1. Following the compromise of a user account with sudo permissions, an attacker executes a Python console which spawns another Bash under root context.

2. The attacker uses a utility such as Curl to download raw text, using it as shell code or converting it to binary.

3. The shell code or binary code is executed under root context.

4. Now the Bash history for the Curl activity mentioned above isn't in the user's '.bash_history' file or '/var/root/.sh_history.' And it's not mentioned in the Mac OS unified logs. So the crafty attacker goes undetected.

How do you detect this type of attack?

To detect this type of activity on your network, your best bet is to look at your Endpoint Detection and Response (EDR) tech recording process activity from the kernel level.

Using your EDR, look for common code syntax to spawn a TTY shell from another shell. Try any of the following queries:

  • python -c ‘import pty; pty.spawn('/bin/sh')'
  • python -c ‘import pty; pty.spawn('/bin/bash')'
  • bash -i
  • /bin/sh -i
  • perl —e ‘exec '/bin/sh';'
  • ruby: exec '/bin/sh'

You can also look for any of these processes as parent of a TTY shell:

  • vi (or) vim
  • nmap
  • python
  • perl
  • ruby
  • Java

The next step in the process is to look for instances where the child process is a parent of 'curl' or 'wget,' and where the process arguments point to an online code repository. Here are some examples of code repository domains that — in this context — should raise a red flag:

  • paste[.]ofcode[.]org
  • pastecode[.]xyz
  • pastiebin[.]com
  • paste[.]org
  • raw[.]githubusercontent[.]com
  • wstools[.]io
  • gist[.]github[.]com
  • pasted[.]co
  • etherpad[.]org
  • Snipplr[.]com

Mac Os Catalina

By running the activities above using Carbon Black Response (one of the EDR techs that some of our customers use), I produced this recorded process tree:

Looking at the curl process arguments resulting from the child bash shell, there's a command line argument noting a download from 'raw[.]githubusercontent[.]com':

How do I protect my org from this kind of attack in the future?

1. Determine if your engineering team has a business and/or production justification for granting any employees access to any of the online code repositories referenced above. If not, black list the domains using your network permeter tech.

2. Use your EDR tech to set up a recurring hunt or custom detection to monitor for the activity discussed above.

3. Consider restricting standard user accounts from using 'sudo' or 'root,' or implement a privilege control service like 'Make Me Admin' or 'Privileges.app' so that user accounts can only be elevated to administrator level on a temporary basis.

4. If you don't have an EDR, go get one. Relying on local host-based detection is risky at best — without an EDR, it's easy to miss this type of activity.

Technique 2: Launchd persistence to download encoded text

What is it?

I first saw this technique used by a sophisticated commodity malware masquerading as a legit media update. When an unsuspecting user tries to update the tech, the malware establishes persistence via 'launchd' and creates and executes a randomly named sub-process from '/private/tmp.' Launchd allows an attacker to continually execute the malicious app every time a user logs on. Even if the user kills and deletes the processes running from '/private/tmp' the malicious process recreates the '/private/tmp' process again following a successful logon.

Derailed Map Of Zelda A Link To The Past

The sub-process running from '/private/tmp' then executes '/bin/bash' and is followed by a series of strategic bash commands to assemble a malicious binary from raw text. A sub-process uses '/bin/bash' to pass a block of encoded text in an anonymous pipe which is then decoded by executing '/usr/bin/base64.' The decoded value is passed back through the anonymous pipe to 'xxd' and formatted into hex. Once in hex, it's then reverted from hex to binary. The resulting malicious binary is then executed on the local host while leaving no evidence of a binary download at the perimeter of the network. The process looks like this:

How do you detect this type of attack?

Just like the first attack I described, your EDR tech is your best friend for detecting this one. However, identifying the specific commands executed by the attacker is a multi-step (aka not quick) process. Why? Because of the way that the kernel assigns the 'file system value' in place of the actual value being passed in the anonymous pipe. Messenger on pc without facebook.

The screenshot below shows an actual process tree of an attacker attempting this technique as recorded by Crowdstrike Falcon. The command line for base64 specifies to decode ('–decode') the encoded value ('/dev/fd/63'). The encoded value is actually a base64 string, but you can't see the true value the attacker is attempting to decode.

This creates an extra step for analysts in the investigation process.

How can you discover that an attacker is storing data in an anonymous pipe? Use your EDR tech to look for processes with '/dev/fd/63' in command line arguments, especially if the process has the ability to encode, decode, archive or compile binaries. The occurrence of '/dev/fd/63' is not that common; however, you'll run into false positives. Once you find a couple suspicious processes with '/dev/fd/63,' make note of the process names, command lines, hosts and users associated with them.

Now use your EDR technology to either 'tail' or 'grep' the user's Bash history file for the process name and command line which included '/dev/fd/63' in its command line arguments.
Here's how to do it using Carbon Black Response:

1. Use your EDR tech to get a copy of the user's bash history file:

2. Download the Bash history file and use a combination of 'tail' and 'grep' to identify the process — in this case 'base64' — command which generated the recorded activity by your EDR tech:

3. The long base64 string follows the '–decode' argument. You can use any number of tools or utilities, including 'base64', to safely decode the string and find out what the attacker was trying to do.

How do I protect my org from this kind of attack in the future?

To make your org more resilient to this type of technique in the future, use your EDR tech to set up a recurring hunt or custom detection to monitor for processes with '/dev/fd/63' in command line arguments, especially if the process has the ability to encode, decode, archive or compile binaries. Then follow the suggested triage steps above.

Need some help setting up a new hunt? Read our post on getting started with threat hunting.

Bonus tip: all of these resilience actions will benefit your company's security posture if you've got Linux hosts in your environment, too.

Conclusion

Whether its commodity malware or obfuscated command execution on Mac OS that keeps you up at night, there are some easy steps to take for detecting and triaging the problems … and keeping them from happening again.

Have questions about detecting attacks on Mac OS, or want to know more about hunting for these types of threats? Send us a note.





broken image