CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
1. Download CyLR from https://github.com/orlikoski/CyLR/releases and run `./CyLR`.
2. Analyze the collected files.
3. Analyze more.
What does CyLR collect from macOS:

Note: Modern macOS versions prompt the user to approve, on a per-application basis, access to sensitive locations on the system. This can be overridden by modifying System Preferences to grant the CyLR binary and its parent process (such as Terminal) Full Disk Access.

System Path:
- /etc/hosts.allow
- /etc/hosts.deny
- /etc/hosts
- /etc/passwd
- /etc/group
- /etc/rc.d/**
- /var/log/**
- /private/etc/rc.d/**
- /private/etc/hosts.allow
- /private/etc/hosts.deny
- /private/etc/hosts
- /private/etc/passwd
- /private/etc/group
- /private/var/log/**
- /System/Library/StartupItems/**
- /System/Library/LaunchAgents/**
- /System/Library/LaunchDaemons/**
- /Library/StartupItems/**
- /Library/LaunchAgents/**
- /Library/LaunchDaemons/**
- /.fseventsd/**
- **/Library/*Support/Google/Chrome/Default/*
- **/Library/*Support/Google/Chrome/Default/History*
- **/Library/*Support/Google/Chrome/Default/Cookies*
- **/Library/*Support/Google/Chrome/Default/Bookmarks*
- **/Library/*Support/Google/Chrome/Default/Extensions/**
- **/Library/*Support/Google/Chrome/Default/Extensions/Last*
- **/Library/*Support/Google/Chrome/Default/Extensions/Shortcuts*
- **/Library/*Support/Google/Chrome/Default/Extensions/Top*
- **/Library/*Support/Google/Chrome/Default/Extensions/Visited*
- /root/.*history
- /Users/*/.*history
- **/places.sqlite*
- **/downloads.sqlite*