this post was submitted on 11 Feb 2024
40 points (100.0% liked)

Technology

37702 readers
288 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
coldredlight@beehaw.org
Los@beehaw.org
SemioticStandard@beehaw.org
TheRtRevKaiser@kbin.social
remington@beehaw.org
40
A terminal window periodically flashes on my screen every few minutes. It goes away in one second. I have no idea what it is, nor how to stop it. (beehaw.org)
submitted 8 months ago* (last edited 8 months ago) by SpectralPineapple@beehaw.org to c/technology@beehaw.org
22 comments fedilink hide all child comments
 

I'm running Windows 10.

I have absolutely no idea what is going on. Task Manager doesn't show anything useful, I killed processes that might be it with no effect. Is there any way whatsoever for me to learn what is causing this and remove it? I ran a Windows Defender scan and nothing showed up.

you are viewing a single comment's thread
view the rest of the comments
[–] t3rmit3@beehaw.org 1 points 8 months ago* (last edited 8 months ago)

Most of the IR that I do is within corporate production environments, so I can answer this with the tools I would use for Linux incident response, but there will be areas like Kernel Extensions that are MacOS-specific, which I don't have IR experience in, and can't speak to. Assume that sudo permissions are required for these.

Also note that I'm not including commands to look for active user intrusions (e.g. ssh keys, new users, sudoer edits, etc), just binary implantation like malware. Active human intrusion blows up the amount of places and things to check for, and for regular users who don't have regulatory reporting requirements, you're better off just restoring from a backup.

  • ps aux : This lists all processes running under all users, not attached to a terminal session. This is a static list, unlike the live-updating list you get with top
  • lsof -b -c |-u | -p -R : This lists open files. You can specify process names, PIDs, usernames, and more, to filter on. If you filter on PID, include the -R argument to get the parent process info for that process.
  • lsof -i : This lists open files that have an active network port.
  • netstat -antv -p tcp : It's important to note that on MacOS, netstat doesn't perform like it does on Linux (e.g. it won't give you process names), so you need to use the Mac-specific flags for it like these, and you'll need to combine that with lsof or ps to get more info about the processes.

There is apparently also a tool made by Apple called sysdiagnose that you can run to basically do a large-scale debug dump of your system, including lots of data about applications and processes. I can't claim any personal experience with this, but this guide (and part 2 here) go into using it to hunt for malware.