Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Wes Lambert Profile picture
Wes Lambert
@therealwlambert
Principal Engineer - Security Onion Solutions Github: https://t.co/tmQk6TbWMr https://t.co/5KDnHsdBlV Mastodon: @weslambert@infosec.exchange

Oct 27, 2022, 9 tweets

🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link: docs.velociraptor.app/artifact_refer…

This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID

On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.

This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt).

If we look a little closer ('xattr -l'), we can actually see where the file came from, and a unique identifier assigned to it for the quarantine attribute.

This is excellent information to have as an incident responder, as it provides greater context during an investigation.

We can interpret the value of the quarantine attribute as such:

'0083;6359d263;Safari;88E8F4A7-C78B-45B6-B31A-68E8C68DCC60'

0083 - Flags
6359d263 - DL time (Unix, in hex)
Safari - Name of DLing application
88E8F4A7-C78B-45B6-B31A-68E8C68DCC60 - UUID to tie in w/ QEvents DB

In recent versions of macOS file downloads are recorded in the QuarantineEventsV2 sqlite database stored in '/Users/*/Library/Preferences/com[.]apple.LaunchServices.QuarantineEventsV2', regardless of whether the quarantine attribute gets removed from the file (approval/etc).

As mentioned previously, we can see the associated UUID ('88E8F4A7-C78B-45B6-B31A-68E8C68DCC60') used for tracking the download in the database, as evidenced in the extended 'quarantine' attribute for the file (image).

To recap, this is a great way to confirm a particular file was downloaded, or to gather insight into what files have been downloaded by a user, in general.

Using this artifact across a fleet of many hosts, we can identity outliers and commonalities at scale.

That's it for now! Stay tuned to learn about more artifacts! 🦖

Also, check out the article below by @0xmachos for more information about macOS quarantine functionality!
0xmachos.com/2019-02-01-Qua…

#DFIR
#Infosec
#ThreatHunting

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling