macOS

Incident Response Capture Script

Provides baseline data points and logs for Incident Response on macOS.

Worklet Details

Introduction to the Bash-Based Incident Response Capture Script Worklet

The Incident Response Capture Script Worklet is a bash-based script for macOS endpoints intended as a starting point for incident response. It lets administrators gather baseline data points and selected logs from their macOS endpoints, giving responders the information needed to identify and assess potential security incidents.

With its targeted data collection capabilities, this Worklet serves as an essential tool for both incident responders and system administrators.

Why would you use the Incident Response Capture Script Worklet?

In the event of a security breach or suspicious activity on a macOS system, having an effective incident response plan is crucial. The main purpose of the Incident Response Capture Script Worklet is to streamline the process of gathering relevant data needed for digital forensics and threat hunting.

By consolidating endpoint data and outputting it into an easy-to-analyze format, this script enables faster identification of malicious activities and potentially compromised devices.

Components of the Incident Response Capture Script Worklet

The script collects the following categories of data: enumeration of user and daemon information; a snapshot of network connections; running processes; bash history; keychain information; environment variables; persistence mechanisms; hidden files within specific directories; and browser history and downloads.

The Worklet also collects system logs from several folders on the endpoint. Taken together, these components give a snapshot of the system's state at the moment of collection.

How does the Incident Response Capture Script Worklet work?

Upon execution, this bash script creates a folder called "IR_collection" where all collected data is stored. It then captures network snapshots, running processes, user login activity, file system metadata, and browser artifacts using the native binaries that ship with macOS, so nothing has to be installed on the endpoint first.

Each log or file the script creates is timestamped, so the collection records when each artifact was captured. Once all desired data has been collected, the script compresses the folder into a zip file for retrieval and analysis.
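The following is an added example that is not the Worklet's own code: a minimal collector written in the same style as the components and workflow described above (timestamped per-artifact files under an IR_collection folder, native macOS binaries only, a zip archive at the end). The folder location, file naming scheme, the per-file SHA-256 manifest and the `run` argument are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the Automox Worklet's own script. Collects macOS IR
# artifacts into a timestamped folder tree and zips it. Run as: ./ir_collect.sh run
set -u

# Assumed location; the page only names the folder "IR_collection".
IR_ROOT="${IR_ROOT:-$HOME/IR_collection}"

# UTC timestamp embedded in every filename so each artifact records when it was taken.
ir_stamp() { date -u +%Y%m%dT%H%M%SZ; }

# Run a command, save stdout+stderr to "<dir>/<stamp>_<name>.txt", print the path.
# A missing or failing tool is recorded in the file and never aborts the collection.
ir_capture() {
    dir="$1"; name="$2"; shift 2
    mkdir -p "$dir"
    out="$dir/$(ir_stamp)_$name.txt"
    {
        printf '# %s\n# captured %s by %s\n' "$*" "$(ir_stamp)" "$(id -un)"
        "$@"
    } >"$out" 2>&1 || printf '# command exited %s\n' "$?" >>"$out"
    printf '%s\n' "$out"
}

# Copy a file (preserving mtime) under a timestamped name; return 1 if it is absent/unreadable.
ir_copy() {
    dir="$1"; src="$2"
    [ -r "$src" ] || return 1
    mkdir -p "$dir"
    dest="$dir/$(ir_stamp)_$(basename "$src")"
    cp -p "$src" "$dest" && printf '%s\n' "$dest"
}

# System-wide artifacts, all from binaries that ship with macOS.
ir_collect_macos() {
    root="$1"
    ir_capture "$root/system"      sw_vers        sw_vers
    ir_capture "$root/system"      uptime         uptime
    ir_capture "$root/users"       user_list      dscl . -list /Users UniqueID
    ir_capture "$root/users"       last_logins    last
    ir_capture "$root/network"     ifconfig       ifconfig -a
    ir_capture "$root/network"     netstat        netstat -anv
    ir_capture "$root/network"     lsof_net       lsof -i -n -P
    ir_capture "$root/network"     arp            arp -a
    ir_capture "$root/processes"   ps             ps auxww
    ir_capture "$root/persistence" launchctl      launchctl list
    ir_capture "$root/persistence" launch_items   ls -la /Library/LaunchAgents /Library/LaunchDaemons
    ir_capture "$root/persistence" crontab_root   crontab -l
    ir_capture "$root/env"         env            env
    ir_capture "$root/keychain"    keychain_list  security list-keychains
    ir_capture "$root/logs"        unified_log_1h log show --last 1h --style syslog
    ir_copy "$root/logs" /var/log/system.log  || :
    ir_copy "$root/logs" /var/log/install.log || :
}

# Per-user artifacts: shell history, browser history, downloads, hidden files, LaunchAgents.
ir_collect_user_artifacts() {
    root="$1"; home="$2"; user=$(basename "$home"); udir="$root/users/$user"
    for f in .bash_history .zsh_history .bash_profile .zshrc .profile; do
        ir_copy "$udir/shell" "$home/$f" || :
    done
    ir_copy "$udir/browser" "$home/Library/Safari/History.db" || :
    ir_copy "$udir/browser" "$home/Library/Application Support/Google/Chrome/Default/History" || :
    ir_capture "$udir" downloads     ls -la "$home/Downloads"
    ir_capture "$udir" hidden_files  find "$home" -maxdepth 2 -name '.*' -type f
    ir_capture "$udir" launch_agents ls -la "$home/Library/LaunchAgents"
}

# Write a SHA-256 manifest into the tree, then zip it and hash the archive.
ir_archive() {
    root="$1"
    parent=$(cd "$(dirname "$root")" && pwd); base=$(basename "$root")
    (cd "$parent" && find "$base" -type f ! -name MANIFEST.sha256 -exec shasum -a 256 {} + \
        > "$base/MANIFEST.sha256")
    out="$parent/${base}_$(ir_stamp).zip"
    (cd "$parent" && zip -qr "$out" "$base") && shasum -a 256 "$out"
}

if [ "${1:-}" = run ]; then
    [ "$(uname -s)" = Darwin ] || { echo "this collector targets macOS" >&2; exit 1; }
    mkdir -p "$IR_ROOT"
    ir_collect_macos "$IR_ROOT"
    for home in /Users/*; do [ -d "$home" ] && ir_collect_user_artifacts "$IR_ROOT" "$home"; done
    ir_archive "$IR_ROOT"
fi
```

Two caveats a responder should keep in mind when running anything like this. First, the collector itself changes the system it is examining (it writes files, spawns processes and appears in the unified log), so run it from a known location and record the time you started it. Second, on modern macOS even a root process cannot read Safari, Mail or Messages data unless it has been granted Full Disk Access under TCC; a copy that fails with "Operation not permitted" is not evidence of tampering, and the manifest lets you distinguish "collected" from "absent" after the fact.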

What is the expected outcome when you use the Incident Response Capture Script Worklet?

When executed, the Incident Response Capture Script Worklet collects relevant data from macOS devices and organizes it in a structured manner, making it easier for incident responders to identify potential issues or malicious activities.

The resulting zip archive must then be retrieved from the endpoint, for example over an EDR remote shell or a remote desktop session, after which it can be unpacked and analyzed off-host.

The Incident Response Capture Script Worklet is a practical first step for incident response on macOS systems. By collecting critical data points and logs from many sources on a device in one pass, this bash-based script shortens the evidence-gathering phase of digital forensics and threat hunting and gives responders the context they need to scope and remediate an incident.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
