MacOS.Collection.Aftermath

This is a simple artifact that leverages Afermath to collect many different forensic artifacts from a macOS host, then uploads the results to the Velociraptor server.

From the project’s description:

Aftermath is a Swift-based, open-source incident response framework.

Aftermath can be leveraged by defenders in order to collect and subsequently analyze the data from the compromised host. Aftermath can be deployed from an MDM (ideally), but it can also run independently from the infected user’s command line.

https://github.com/jamf/aftermath


name: MacOS.Collection.Aftermath
author: Wes Lambert -- @therealwlambert
description: |
    This is a simple artifact that leverages Afermath to collect many different forensic artifacts from a macOS host, then uploads the results to the Velociraptor server.

    From the project's description:

    Aftermath is a Swift-based, open-source incident response framework.

    Aftermath can be leveraged by defenders in order to collect and subsequently analyze the data from the compromised host. Aftermath can be deployed from an MDM (ideally), but it can also run independently from the infected user's command line.

    https://github.com/jamf/aftermath
    
tools:
  - name: Aftermath
    url: https://github.com/Velocidex/Tools/raw/main/Aftermath/aftermath
    serve_locally: true
parameters:
  - name: Analyze
    description: Analyze the collected data using the native --analyze option. This produces a ZIP file with summary information based on the analysis. If not chosen, the raw data will be uploaded.
    default: F
    type: bool
    
precondition: SELECT OS From info() where OS = 'darwin'

sources:
  - query: |
        LET AM <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="Aftermath", IsExecutable=TRUE)
        LET TmpDir <= tempdir(remove_last=TRUE)
        Let RunIt = SELECT *
                    FROM execve(argv=[
                        AM.FullPath[0],
                        "-o", TmpDir, 
                        "--deep"
                     ])
        LET AnalyzeIt = SELECT *
                    FROM execve(argv=[
                        AM.FullPath[0], "--analyze", grok(data=RunIt.Stdout,grok=["Aftermath archive moved to %{DATA:File}.zip"]).File + '.zip'
                     ]) 
        SELECT upload(accessor="file", file=grok(data=Stdout,grok=["Aftermath archive moved to %{DATA:File}.zip"]).File + '.zip') AS Upload FROM if(condition=Analyze, then=AnalyzeIt, else=RunIt)