MacOS.System.Man

man is typically used to provide information about how to use various commands. Its configuration file is located at /private/etc/man.conf on most macOS systems.

While root access is required to do so, this configuration could be modified by an adversary to stealthily achieve persistence in an environment.

This artifact collects any entries in man.conf which appear to specify a non-default binary for use with man or whatis.


name: MacOS.System.Man

type: CLIENT

author: Wes Lambert - @therealwlambert|@weslambert@infosec.exchange

description: |
    `man` is typically used to provide information about how to use various commands. Its configuration file is located at `/private/etc/man.conf` on most macOS systems.

    While root access is required to do so, this configuration could be modified by an adversary to stealthily achieve persistence in an environment.

    This artifact collects any entries in `man.conf` which appear to specify a non-default binary for use with `man` or `whatis`.

reference:
  - https://theevilbit.github.io/beyond/beyond_0030
  - https://www.youtube.com/watch?v=teq6r7XbBug

parameters:
  - name: ManGlob
    default: /private/etc/man.conf
    description: Default file path for `man` configuration.

precondition:
      SELECT OS From info() where OS = 'darwin'

sources:
  - query: |
      LET ManList = SELECT OSPath, Mtime FROM glob(globs=split(string=ManGlob, sep=","))
      SELECT * FROM foreach(
        row=ManList,
        query={
            SELECT
                OSPath,
                Mtime,
                Line
            FROM parse_lines(filename=OSPath)
            WHERE Line =~ '^(MAN|WHATIS)?PAGER'
              AND NOT Line =~ '/usr/bin/less|/usr/bin/more'
        })
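The same check, written as a stand-alone Python script rather than VQL, as an added example that is not part of the artifact above: it applies the artifact's two regular expressions (a `PAGER`, `MANPAGER` or `WHATISPAGER` key at the start of a line, and the stock `/usr/bin/less` / `/usr/bin/more` pagers treated as benign) to a constructed `man.conf` and reports the entries that would be returned. The sample file content and the non-default pager paths in it are made up for the example; the function names are the example's own.

```python
import re

# Constructed man.conf content for the example (not copied from any real host).
# The first three pager lines use the stock macOS pagers; the last two point at
# non-default binaries and are the kind of entry the artifact surfaces.
SAMPLE_MAN_CONF = """\
# This file is read by man(1) on macOS.
MANPATH /usr/share/man
PAGER /usr/bin/less -is
MANPAGER /usr/bin/less
WHATISPAGER /usr/bin/more
MANPAGER /usr/local/bin/custom-pager
PAGER /tmp/pg
"""

# Mirrors the artifact's WHERE clause: '^(MAN|WHATIS)?PAGER' selects the
# pager keys, and any line that names one of the stock pagers is dropped.
PAGER_KEY_RE = re.compile(r'^(MAN|WHATIS)?PAGER')
DEFAULT_PAGER_RE = re.compile(r'/usr/bin/less|/usr/bin/more')


def parse_pager_entry(line):
    """Split a pager line into (key, command); return None for other lines."""
    m = re.match(r'^((?:MAN|WHATIS)?PAGER)\s*(.*)$', line)
    if not m:
        return None
    return m.group(1), m.group(2).strip()


def suspicious_pager_entries(text):
    """Return the pager entries in a man.conf body that do not reference the
    default macOS pagers, as a list of {"line", "key", "command"} dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PAGER_KEY_RE.match(line) and not DEFAULT_PAGER_RE.search(line):
            key, command = parse_pager_entry(line)
            findings.append({"line": lineno, "key": key, "command": command})
    return findings


def check_man_conf(path="/private/etc/man.conf"):
    """Run the check against a real file; returns [] if the file is absent."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return suspicious_pager_entries(fh.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    for hit in suspicious_pager_entries(SAMPLE_MAN_CONF):
        print(f"line {hit['line']}: {hit['key']} -> {hit['command']}")
```

Because the key pattern has no trailing word boundary, it matches exactly what the artifact's VQL matches; tightening it would silently diverge from the collected results when comparing the two.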