log
Created by Brendan Chamberlain (@infosecB)
Description
The log command can be used to access system log messages from Apple Unified Logging (AUL). The tool can be used to inspect existing logs, stream logs in real time, and delete logs. It is normally used by system administrators and application developers for troubleshooting, but an adversary can use it to gain an understanding of the user's behavior or to cover their tracks by deleting log messages.
Created | Tactics | Tags
---|---|---
2023-06-06 | Defense Evasion, Credential Access | requires_root, bash, zsh
Paths
/usr/bin/log
Use Cases
Remove all log messages
An attacker can cover their tracks by removing all log messages with the following command. Requires root privileges.
log erase --all
Search log messages for tokens
An attacker can search log messages to check whether they contain sensitive information such as JWT tokens.
log show --info --debug --predicate 'eventMessage CONTAINS[d] "eyJ"'
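The predicate above matches the string "eyJ" because it is the base64url encoding of `{"`, the first bytes of every JWT header, so it also hits plenty of unrelated base64 data. The script below is an added example (not part of the LOOBins entry or Apple's tooling) showing how a developer or defender can audit their own application's log output for leaked tokens more precisely: it takes `log show` text on stdin (assumed to be one log message per line), keeps only matches whose first segment decodes to a JSON header with an `alg` field, and reports them redacted so the audit report itself does not reproduce the secret. The sample log lines and the script name are constructed for illustration.

```python
import base64
import json
import re
import sys

# A JWT is three base64url segments separated by dots; the first always starts
# with "eyJ" because base64url('{"') == 'eyJ'.  The regex is deliberately loose;
# decode_jwt_header() does the real validation.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Constructed sample lines in the layout `log show` prints (timestamp, thread,
# type, activity, pid, ttl, process, message).  Line 1 leaks a token; lines 2
# and 3 contain "eyJ" but are not JWTs and must not be reported.
SAMPLE_LOG_LINES = [
    "2023-06-06 09:12:01.001 0x3f1 Default 0x0 512 0 ExampleApp: (Networking) "
    "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "2023-06-06 09:12:02.417 0x3f1 Default 0x0 512 0 ExampleApp: opened file eyJam.txt",
    "2023-06-06 09:12:03.902 0x3f1 Debug 0x0 512 0 ExampleApp: cache key eyJfoo.bar.baz",
]


def _b64url_decode(segment):
    """base64url decode, re-adding the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_header(token):
    """Return the JOSE header as a dict, or None if the token is not a JWT."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return header


def redact(token):
    """Keep just enough of the token to correlate findings, never the whole value."""
    return token[:12] + "..." + token[-4:]


def find_leaked_tokens(lines):
    """Scan log lines and return one finding per JWT found (redacted)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in JWT_RE.finditer(line):
            header = decode_jwt_header(match.group(0))
            if header is None:
                continue  # "eyJ" prefix but not a real JWT header
            findings.append({
                "line": lineno,
                "alg": header.get("alg"),
                "typ": header.get("typ"),
                "token": redact(match.group(0)),
            })
    return findings


def main():
    # Read piped `log show` output; fall back to the constructed sample when
    # run interactively so the script demonstrates itself.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG_LINES
    for finding in find_leaked_tokens(lines):
        print(f"line {finding['line']}: JWT alg={finding['alg']} typ={finding['typ']} "
              f"token={finding['token']}")


if __name__ == "__main__":
    main()
```

Run it against the page's own predicate to narrow the input first, e.g. `log show --info --debug --predicate 'eventMessage CONTAINS[d] "eyJ"' | python3 audit_jwt_leaks.py` (file name hypothetical); any finding means an application is writing bearer tokens into the unified log, which is the leak to fix at the source.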
Detections
- No detections at time of publishing
Resources
Acknowledgements
- Daniel Stinson (@shellcromancer)