Скачать или смотреть Mac Hunt | TryHackMe | CTF Forensics Walkthrough | macOS Incident Response & Phishing Attack

In this deep-dive Mac Hunt CTF walkthrough, we investigate how Jake’s macOS machine was compromised by a fake recruiter’s phishing campaign—and retrace the entire attack chain using built-in macOS artifacts.

🍎🍎 Scenario 🍏🍏

Jake had gained some good knowledge and skills in the game development field. So, he decided to enter the industry through a decent job and upgrade his finances. Little did he know that there were many fake recruiters in search of people looking for jobs. These fake recruiters lure the victim through attractive jobs to achieve their objectives, often to compromise the victim's machines and use them for malicious purposes. Having conventionally overlooked cyber security, Jake fell prey to such an attack. A well-crafted phishing attack with a promising job offer compromised his Mac machine.

*In this video you’ll learn:*

✅ macOS Forensics: Artefacts, Network Information, DHCP Settings, Wireless Connections, Application Usage, DS Store, Most Recently Used
✅ macOS Forensics: Applications, Application Install History, Launch Agents and Daemons, LaunchAgents, Permissions, Safari and Downloads

🛠 Tools Used: DB Browser for SQLite, APOLLO

*Relevant Links & Resources:*
📌 Room:📌 Mac Hunt on TryHackMe – https://tryhackme.com/room/machunt
📌A deep dive into macOS TCC.db: https://www.rainforestqa.com/blog/mac...
📌Apple Pattern of Life Lazy Output'er (APOLLO): https://github.com/mac4n6/APOLLO
📌.DS_Store-parser: https://github.com/hanwenzhu/.DS_Stor...

*Timestamps:*

📋0:00 Intro & Scenario
📋06:12 What is the name of the most recently accessed folder by the user?
📋12:04 Which social platform did the attacker use to deliver the document?
📋17:03 What link did the attacker craft for the victim to download the MeetMeLive application?
📋18:51 Which network did Jake connect to after reading the instructions in the PDF?
📋21:30 What was the IP address assigned to Jake’s system?
📋22:23 When did the application get installed into the system? (YYYY-MM-DD HH:MM:SS)
📋25:24 What is the human-friendly name for the permission the user explicitly granted for the application?
📋28:45 Which feature of the OS did the attacker use to run their application at startup persistently?
📋31:32 What was the URL to which the application was exfiltrating data?

🔔 *Subscribe* for more CTF walkthroughs and incident response tutorials:    / @djalilayed  
👍 *Like* if you found this useful, and comment below your favorite forensic trick!
💡 Disclaimer: This content is for educational purposes only. Only use these techniques on systems you own or have explicit permission to test.

#CTF, #macOS #forensics #Incidentresponse #dfir #tryhackme