diff --git a/aftermath.xcodeproj/project.pbxproj b/aftermath.xcodeproj/project.pbxproj
index 8eefc76..14f34a6 100644
--- a/aftermath.xcodeproj/project.pbxproj
+++ b/aftermath.xcodeproj/project.pbxproj
@@ -461,7 +461,7 @@
 CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
- CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+ CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 COPY_PHASE_STRIP = NO;
 DEBUG_INFORMATION_FORMAT = dwarf;
 ENABLE_HARDENED_RUNTIME = YES;
@@ -524,7 +524,7 @@
 CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
- CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+ CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 COPY_PHASE_STRIP = NO;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 ENABLE_HARDENED_RUNTIME = YES;
@@ -553,7 +553,7 @@
 ARCHS = "$(ARCHS_STANDARD)";
 CLANG_ENABLE_MODULES = YES;
 CODE_SIGN_IDENTITY = "Developer ID Application";
- CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+ CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 CODE_SIGN_STYLE = Manual;
 DEVELOPMENT_TEAM = 6PV5YF2UES;
 ENABLE_HARDENED_RUNTIME = YES;
@@ -579,7 +579,7 @@
 ARCHS = "$(ARCHS_STANDARD)";
 CLANG_ENABLE_MODULES = YES;
 CODE_SIGN_IDENTITY = "Developer ID Application";
- CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+ CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 CODE_SIGN_STYLE = Manual;
 DEVELOPMENT_TEAM = 6PV5YF2UES;
 ENABLE_HARDENED_RUNTIME = YES;
diff --git a/analysis/LogParser.swift b/analysis/LogParser.swift
index 8a0df4e..f8d2f09 100644
--- a/analysis/LogParser.swift
+++ b/analysis/LogParser.swift
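Review bot: Flipping CODE_SIGN_INJECT_BASE_ENTITLEMENTS to YES in this hunk and in the three that follow (the hunks at -524, -553 and -579) lets Xcode inject com.apple.security.get-task-allow into non-archived builds that also set ENABLE_HARDENED_RUNTIME = YES, which makes the binary debugger-attachable and is rejected by notarization. The first hunk looks like a Debug configuration (`DEBUG_INFORMATION_FORMAT = dwarf`) where that is the expected development trade-off, but the -553 and -579 hunks carry `CODE_SIGN_IDENTITY = "Developer ID Application"` and `CODE_SIGN_STYLE = Manual`, i.e. they look like distribution settings. If either of those is used for shipping builds, confirm the archived product carries no get-task-allow entitlement (`codesign -d --entitlements - <path-to-built-app>`) or keep NO there and enable injection only for the Debug configuration.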
@@ -32,7 +32,7 @@ class LogParser: AftermathModule {
 guard let date = splitLine[safe: 0] else { continue }
 guard let time = splitLine[safe: 1] else { continue }
- let unformattedDate = date + "T" + time // "ex: 2022-03-1516:22:55-07"
+ let unformattedDate = date + "T" + time // ex: 2022-03-15T16:22:55-07
 let dateFormatter = DateFormatter()
 dateFormatter.locale = Locale(identifier: "en_US")
 dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ssZ"
@@ -108,7 +108,47 @@ class LogParser: AftermathModule {
 self.addTextToFile(atUrl: storylineFile, text: text)
 }
 } catch {
- print("Unable to parse contentes")
+ print("Unable to parse contents")
+ }
+ }
+
+ func parseXProtectRemediatorLog() {
+
+ let xprotectremLog = "\(collectionDir)/UnifiedLog/xprotect_remediator.txt"
+
+ do {
+ let contents = try String(contentsOf: URL(fileURLWithPath: xprotectremLog))
+ let remediatorLogContents = contents.components(separatedBy: "\n")
+
+ for ind in 1...remediatorLogContents.count - 1 {
+ let splitLine = remediatorLogContents[ind].components(separatedBy: " ")
+
+ guard let date = splitLine[safe: 0] else { continue }
+ guard let time = splitLine[safe: 1] else { continue }
+ let unformattedDate = date + "T" + time // ex: 2022-08-30T06:51:47.381439-0700
+ let dateFormatter = DateFormatter()
+ dateFormatter.locale = Locale(identifier: "en_US")
+ dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
+ dateFormatter.timeZone = TimeZone(secondsFromGMT: 0)
+
+ var info = ""
+
+ for i in 0...splitLine.count - 1 {
+ if i == 0 || i == 1 { continue }
+ info = info.appending(" " + splitLine[i])
+ }
+
+ sanatizeInfo(&info)
+
+ guard let dateZome = dateFormatter.date(from: unformattedDate) else { continue }
+ dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss"
+ let formattedDate = dateFormatter.string(from: dateZome)
+ let text = "\(formattedDate), XPROTECT_REMEDIATOR, \(info)"
+ self.addTextToFile(atUrl: logsFile, text: text)
+ self.addTextToFile(atUrl: self.storylineFile, text: text)
+ }
+ } catch {
+ print("Unable to parse contents")
 }
 }
@@ -118,5 +158,8 @@ class LogParser: AftermathModule {
 self.log("Parsing system log...")
 parseSysLog()
+
+ self.log("Parsing XProtect Remediator log...")
+ parseXProtectRemediatorLog()
 }
 }
diff --git a/analysis/Storyline.swift b/analysis/Storyline.swift
index 1e38cda..af4d599 100644
--- a/analysis/Storyline.swift
+++ b/analysis/Storyline.swift
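Review bot: `for ind in 1...remediatorLogContents.count - 1` in the new parseXProtectRemediatorLog traps at runtime when the collected file exists but is empty or holds a single line, because `components(separatedBy:)` always returns at least one element and `1...0` is an invalid ClosedRange; a file the collector wrote with no matching entries would therefore crash the analysis run instead of being skipped like the short lines the two guards handle. Iterating `remediatorLogContents.dropFirst()` keeps the skip of the first line (presumably a header — worth a comment saying so) without the trap, and the inner `for i in 0...splitLine.count - 1` with its `i == 0 || i == 1` skip is `splitLine.dropFirst(2)`. The DateFormatter is also constructed on every line and its format is then swapped for output, so it should be created once above the loop with the parse format re-applied per iteration; `dateZome` reads as a typo for `dateZone`. The failure path reports with `print("Unable to parse contents")` to stdout while the module otherwise goes through `self.log(...)`, which mirrors the existing parseSysLog branch but is worth unifying so operators see parse failures in the same place as the rest of the run.
```swift
    func parseXProtectRemediatorLog() {
        let xprotectremLog = "\(collectionDir)/UnifiedLog/xprotect_remediator.txt"

        // Created once: DateFormatter construction is expensive, and the loop
        // switches dateFormat between parsing and output on every line.
        let dateFormatter = DateFormatter()
        dateFormatter.locale = Locale(identifier: "en_US")
        dateFormatter.timeZone = TimeZone(secondsFromGMT: 0)

        do {
            let contents = try String(contentsOf: URL(fileURLWithPath: xprotectremLog))
            // dropFirst() skips the first line like the `1...count - 1` range did,
            // but does not trap when the file has fewer than two lines.
            for line in contents.components(separatedBy: "\n").dropFirst() {
                let splitLine = line.components(separatedBy: " ")
                guard let date = splitLine[safe: 0] else { continue }
                guard let time = splitLine[safe: 1] else { continue }
                let unformattedDate = date + "T" + time // ex: 2022-08-30T06:51:47.381439-0700

                // Everything after the date and time fields is the message body.
                var info = splitLine.dropFirst(2).map { " " + $0 }.joined()
                sanatizeInfo(&info)

                dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
                guard let parsedDate = dateFormatter.date(from: unformattedDate) else { continue }
                dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss"
                let formattedDate = dateFormatter.string(from: parsedDate)
                // … unchanged: text assembly and the two addTextToFile calls …
            }
        } catch {
            print("Unable to parse contents")
        }
    }
```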
@@ -117,10 +117,9 @@ class Storyline: AftermathModule {
 func sortStoryline() {
- self.log("Creating the storyline...")
+ self.log("Creating the storyline...Please wait...")
 let sortedStoryline = self.createNewCaseFile(dirUrl: CaseFiles.analysisCaseDir, filename: "storyline.csv")
-
 do {
 let csvFile = try EnumeratedCSV(url: self.storylineFile)
 let sortedArr = try Aftermath.sortCSV(unsortedArr: csvFile.rows)
diff --git a/unifiedlogs/UnifiedLogModule.swift b/unifiedlogs/UnifiedLogModule.swift
index 2c3f5bb..b805254 100644
--- a/unifiedlogs/UnifiedLogModule.swift
+++ b/unifiedlogs/UnifiedLogModule.swift
@@ -23,7 +23,8 @@ class UnifiedLogModule: AftermathModule, AMProto {
 "ssh": "process == \"sshd\"",
 "failed_sudo": "process == \"sudo\" and eventMessage CONTAINS \"TTY\" AND eventMessage CONTAINS \"3 incorrect password attempts\"",
 "manual_configuration_profile_install": "subsystem == \"com.apple.ManagedClient\" AND process == \"mdmclient\" AND category == \"MDMDaemon\" and eventMessage CONTAINS \"Installed configuration profile:\" AND eventMessage CONTAINS \"Source: Manual\"",
- "screensharing": "(process == \"screensharingd\" || process == \"ScreensharingAgent\")"
+ "screensharing": "(process == \"screensharingd\" || process == \"ScreensharingAgent\")",
+ "xprotect_remediator": "subsystem == \"com.apple.XProtectFramework.PluginAPI\""
 ]
 }
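Review bot: The new `"xprotect_remediator"` predicate in the UnifiedLogModule hunk filters on subsystem only, whereas every sibling entry visible here also narrows by `process ==`; whether the wider match is intended (to capture other XProtectFramework plug-in entries as well) cannot be told from the hunk, so a trailing comment stating the intended scope would stop a later reader from "fixing" it. The key also appears to double as the collected filename, since LogParser reads `UnifiedLog/xprotect_remediator.txt` in the same commit, and that coupling is implicit; a comment such as `// key doubles as the collection filename consumed by LogParser.parseXProtectRemediatorLog()` next to the entry would make the dependency explicit. The dictionary literal's enclosing declaration starts outside the hunk.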