
Added Mac OS remote desktop artifact definitions (#361)

Karneades authored and joachimmetz committed Nov 11, 2019
1 parent 817cbea commit 2fa198a5e55c9a8955a98d9c5bf72da8c2b87642
Showing with 34 additions and 0 deletions.
  1. +34 −0 data/macos.yaml
@@ -629,6 +629,40 @@ urls:
- 'http://forensicswiki.org/wiki/Mac_OS_X'
- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items'
---
name: MacOSRemoteDesktopAdministratorSystem
doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance.
sources:
- type: FILE
attributes:
paths:
- '/private/var/db/RemoteManagement/ClientCaches/*'
- '/var/db/RemoteManagement/ClientCaches/*'
- '/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3'
- '/var/db/RemoteManagement/RMDB/rmdb.sqlite3'
labels: [System, Network]
supported_os: [Darwin]
urls:
- 'https://help.apple.com/remotedesktop/mac/3.9/'
- 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html'
- 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse'
---
name: MacOSRemoteDesktopClientSystem
doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance.
sources:
- type: FILE
attributes:
paths:
- '/private/var/db/RemoteManagement/caches/AppUsage.plist'
- '/var/db/RemoteManagement/caches/AppUsage.plist'
- '/private/var/db/RemoteManagement/caches/UserAcct.tmp'
- '/var/db/RemoteManagement/caches/UserAcct.tmp'
labels: [System, Network]
supported_os: [Darwin]
urls:
- 'https://help.apple.com/remotedesktop/mac/3.9/'
- 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html'
- 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse'
---
name: MacOSSidebarLists
doc: |
Sidebar Lists Preferences
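Review bot: the `doc` field of MacOSRemoteDesktopAdministratorSystem and MacOSRemoteDesktopClientSystem is word-for-word identical and only describes what Apple Remote Desktop is, so a reader of either definition cannot tell which side of an ARD deployment the listed paths come from. The names and paths already make the split clear (the administrator definition collects `RemoteManagement/ClientCaches/*` and `RMDB/rmdb.sqlite3`, the client definition collects `caches/AppUsage.plist` and `caches/UserAcct.tmp`), so the doc strings should say that, for example "Apple Remote Desktop (ARD) administrator-side artifacts: client caches and the RMDB database." and "Apple Remote Desktop (ARD) client-side artifacts: application usage and user account caches.", keeping the shared background sentence if desired. A second, smaller point: the doc strings use a typographic apostrophe in "Apple’s"; the surrounding definitions in this file use plain ASCII, so a straight quote would keep the file consistent.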