{"id":23388231,"url":"https://github.com/code2319/macos-banshee-logs","last_synced_at":"2026-02-28T15:01:07.658Z","repository":{"id":267871832,"uuid":"902610378","full_name":"code2319/macOS-banshee-logs","owner":"code2319","description":null,"archived":false,"fork":false,"pushed_at":"2024-12-14T15:01:40.000Z","size":2130,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-08T13:21:14.571Z","etag":null,"topics":["banshee","macos","stealer","unifiedlogging"],"latest_commit_sha":null,"homepage":"","language":"AppleScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/code2319.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-12T23:00:24.000Z","updated_at":"2024-12-22T23:02:05.000Z","dependencies_parsed_at":"2025-02-14T09:36:44.435Z","dependency_job_id":"028d5422-2c42-4259-b3cd-f76cb4426c3b","html_url":"https://github.com/code2319/macOS-banshee-logs","commit_stats":null,"previous_names":["code2319/macos-banshee-logs"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/code2319/macOS-banshee-logs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/code2319%2FmacOS-banshee-logs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/code2319%2FmacOS-banshee-logs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/code2319%2FmacOS-banshee-logs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/code2319%2FmacOS-banshee-logs/manife
sts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/code2319","download_url":"https://codeload.github.com/code2319/macOS-banshee-logs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/code2319%2FmacOS-banshee-logs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29938962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T13:49:17.081Z","status":"ssl_error","status_checked_at":"2026-02-28T13:48:50.396Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["banshee","macos","stealer","unifiedlogging"],"created_at":"2024-12-22T02:18:20.839Z","updated_at":"2026-02-28T15:01:07.628Z","avatar_url":"https://github.com/code2319.png","language":"AppleScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tracing the BANSHEE Infostealer: Analysis of macOS Logs  \nThe purpose of this analysis is to understand and see what logs the infostealer generates.\n\n## Lab Setup info\n1. UTM 4.6.2 (104)\n2. macOS Sonoma 14.7.1\n3. Splunk Universal Forwarder\n4. 
[CIS Apple macOS 14.0 Sonoma benchmark](files/CIS_Apple_macOS_14.0_Sonoma_Benchmark_v2.0.0.pdf) logging configuration\n\n# Set up a Splunk Universal Forwarder\nTo forward data to a Splunk Cloud Platform instance, perform the following steps:\n\n1. Download and install the universal forwarder software.\n2. Download the Splunk universal forwarder credentials package (Apps -\u003e Universal Forwarder) and copy it to the `/tmp` folder.\n3. Install the credentials package on the universal forwarder machine. See [Install and configure the Splunk Cloud Platform universal forwarder credentials package](http://docs.splunk.com/Documentation/Forwarder/9.3.2/Forwarder/ConfigSCUFCredentials).\n4. The install command for the credentials package (`splunkclouduf.spl`) is: `$SPLUNK_HOME/bin/splunk install app /tmp/splunkclouduf.spl`.\n5. When you are prompted for a user name and password, enter the credentials of the Universal Forwarder user. The following message is displayed if the installation succeeded: `App '/tmp/splunkclouduf.spl' installed`.\n6. Configure inputs to collect data from the host that the universal forwarder is on. For an overview, see [Configure the universal forwarder](http://docs.splunk.com/Documentation/Forwarder/9.3.2/Forwarder/Configuretheuniversalforwarder).\n\nI set up file monitors on the following folders (they produce a lot of noise; I don't recommend this set):\n```\n1. /var/log\n2. /Library/Logs\n3. ~/Library/Logs\n4. /private/var/db/diagnostics\n```\n\nThe universal forwarder's own log:\n```\n/Applications/SplunkForwarder/var/log/splunk/splunkd.log\n```\nConfiguration directory:\n```\n/Applications/SplunkForwarder/etc/system/local\n```\nCommand to check the effective outputs configuration:\n```\n/Applications/SplunkForwarder/bin/splunk btool outputs list --debug\n```\n\n# CIS: Logging and Auditing\nApplied the following recommendations from the logging and auditing section:\n1. Enabled security auditing (auditd)\n2. 
Changed security auditing flags to `-all`\n3. Security auditing retention (`expire-after`) set to `5G`\n4. Firewall logging is enabled\n\n# Analysing stealer logs\nSince the source code has been leaked we can play around with it: write our own [python-server](files/server.py), point the C2 address at it, disable the `checkVM()` function, and disable `system(\"killall Terminal\");` so that we can watch what logs it generates. Luckily for us, at least in build `T0JVJJy6tgNdmygyRfN0eRaIiZq2uw`, the debug output comes out of the box: `DebugLog` is defined as `#define DebugLog(...) NSLog(__VA_ARGS__)`, so as long as that macro is defined, every `DebugLog()` call shows up in the terminal.\n\u003cdetails\u003e\n\u003csummary\u003ebanshee debug log\u003c/summary\u003e\n\n```\n% ./banshee run_controller 123\n2024-12-12 21:45:11.347 banshee[1619:30946] Password saved successfully.\n2024-12-12 21:45:11.758 banshee[1619:30946] Delimiter not found or index out of bounds\n2024-12-12 21:45:11.758 banshee[1619:30946] Delimiter not found or index out of bounds\n2024-12-12 21:45:11.758 banshee[1619:30946] Delimiter not found or index out of bounds\n2024-12-12 21:45:11.758 banshee[1619:30946] Delimiter not found or index out of bounds\n2024-12-12 21:45:11.758 banshee[1619:30946] Starting to fetch IP...\n2024-12-12 21:45:11.768 banshee[1619:30946] Starting AppleScript execution.\n2024-12-12 21:45:11.768 banshee[1619:30946] Attempt 1 to execute AppleScript.\n2024-12-12 21:45:11.907 banshee[1619:30946] Received response from IP API.\n2024-12-12 21:45:11.907 banshee[1619:30946] IP data parsed successfully: {\n    cityName = Belgrade;\n    continent = Europe;\n    continentCode = EU;\n    countryCode = RS;\n    countryName = Serbia;\n    currency =     {\n        code = RSD;\n        name = \"Serbian Dinar\";\n    };\n    ipAddress = \"\";\n    ipVersion = 4;\n    isProxy = 0;\n    language = Serbian;\n    latitude = \"\";\n    longitude = \"\";\n    regionName = Beograd;\n    timeZone = \"+02:00\";\n    timeZones =     (\n        
\"Europe/Belgrade\"\n    );\n    tlds =     (\n        \".rs\",\n        \".\\U0441\\U0440\\U0431\"\n    );\n    zipCode = ;\n}\n2024-12-12 21:45:12.098 banshee[1619:30946] All good\n2024-12-12 21:45:12.098 banshee[1619:30946] {\n    \"Activation Lock Status\" = Disabled;\n    \"BUILD_ID\" = T0JVJJy6tgNdmygyRfN0eRaIiZq2uw;\n    \"Boot Mode\" = Normal;\n    \"Boot Volume\" = \"Macintosh HD\";\n    Chip = \"Apple M3 Pro (Virtual)\";\n    \"Computer Name\" = \"user\\U2019s Virtual Machine\";\n    \"Hardware UUID\" = \"D538657A-8AD3-517E-ACC6-913A9FD37985\";\n    \"Kernel Version\" = \"Darwin 23.6.0\";\n    Memory = \"4 GB\";\n    \"Model Identifier\" = \"VirtualMac2,1\";\n    \"Model Name\" = \"Apple Virtual Machine 1\";\n    \"Model Number\" = \"VM0001ZE/A\";\n    \"OS Loader Version\" = \"10151.140.19.700.2\";\n    \"Provisioning UDID\" = \"0000FE00-92F510A9A0C424BA\";\n    \"Secure Virtual Memory\" = Enabled;\n    \"Serial Number (system)\" = ZFVC16YYR4;\n    \"System Firmware Version\" = \"10151.140.19.700.2\";\n    \"System Integrity Protection\" = Enabled;\n    \"System Version\" = \"macOS 14.7.1 (23H222)\";\n    \"Time since boot\" = \"30 minutes, 7 seconds\";\n    \"Total Number of Cores\" = 5;\n    \"User Name\" = \"user (user)\";\n    \"ip_info\" =     {\n        cityName = Belgrade;\n        continent = Europe;\n        continentCode = EU;\n        countryCode = RS;\n        countryName = Serbia;\n        currency =         {\n            code = RSD;\n            name = \"Serbian Dinar\";\n        };\n        ipAddress = \"\";\n        ipVersion = 4;\n        isProxy = 0;\n        language = Serbian;\n        latitude = \"\";\n        longitude = \"\";\n        regionName = Beograd;\n        timeZone = \"+02:00\";\n        timeZones =         (\n            \"Europe/Belgrade\"\n        );\n        tlds =         (\n            \".rs\",\n            \".\\U0441\\U0440\\U0431\"\n        );\n        zipCode = ;\n    };\n    \"system_os\" = macos;\n    
\"system_password\" = \"\";\n}\n2024-12-12 21:45:12.099 banshee[1619:30946] System info written to file successfully.\n2024-12-12 21:45:20.411 banshee[1619:30946] AppleScript output: \n2024-12-12 21:45:20.412 banshee[1619:30946] AppleScript executed successfully on attempt 1.\n2024-12-12 21:45:20.412 banshee[1619:30946] Running command: mv /Users/user/tempFolder-32555443 /var/folders/tr/025lt0413vq2kl72y877f4n80000gn/T/WU5v2kgvf5ksgHOyauCwPQzN4/FileGrabber\n2024-12-12 21:45:20.424 banshee[1619:30946] AppleScript executed and files moved successfully.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/Exodus/exodus.wallet is empty or does not exist, skipping.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/electrum/wallets is empty or does not exist, skipping.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/Coinomi/wallets is empty or does not exist, skipping.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/Guarda/Local Storage/leveldb is empty or does not exist, skipping.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/walletwasabi/client/Wallets is empty or does not exist, skipping.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/atomic/Local Storage/leveldb is empty or does not exist, skipping.\n2024-12-12 21:45:20.425 banshee[1619:30946] Source directory /Users/user/Library/Application Support/Ledger Live is empty or does not exist, skipping.\n2024-12-12 21:45:20.460 banshee[1619:31298] Data posted successfully\n2024-12-12 21:45:20.462 banshee[1619:30946] Path does not exist: /Users/user/tempFolder-32555443\n```\n\u003c/details\u003e\u003cbr\u003e\n\nBut these were terminal logs, what about auditd logs? 
Since we know when the stealer was run, we can dump everything recorded in that window. Note that `log show` reads the unified log; the BSM audit trail that auditd writes under `/var/audit` is a separate store, read with `praudit`:\n```\n% log show --start \"2024-12-12 21:45:11\" --end \"2024-12-12 21:45:21\" --info --debug \u003e banshee.log\n```\n\n## Unified Logging\n### System info collection (system_profiler)\nThe stealer collects system information by spawning `system_profiler`. The unified log records each child's own PID (1622, 1623 and 1625 here, just after banshee's 1619) but no parent PID, so the time window and the adjacent PIDs are what tie these entries back to the stealer:\n```\n% log show --predicate 'process=\"system_profiler\"' --start \"2024-12-12 21:45:11\" --end \"2024-12-12 21:45:21\" --info --debug\nFiltering the log data using \"process == \"system_profiler\"\"\n2024-12-12 21:45:11.359548+0100 0x7949     Info        0x0                  1622   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument reportForDataType:] -- Dispatching helperTool request for dataType SPSoftwareDataType.\n2024-12-12 21:45:11.359782+0100 0x794a     Info        0x0                  1622   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument _reportFromHelperToolForDataType:completionHandler:]_block_invoke -- Launching task to collect SPSoftwareDataType\n2024-12-12 21:45:11.364968+0100 0x794d     Info        0x0                  1623   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument _reportFromBundlesForDataType:completionHandler:] -- Called on the main thread for dataType SPSoftwareDataType. 
Re-dispatching to global_queue.\n2024-12-12 21:45:11.365089+0100 0x794e     Info        0x0                  1623   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument _reportFromBundlesForDataType:] -- Starting task to collect SPSoftwareDataType\n...\n2024-12-12 21:45:11.614578+0100 0x7949     Info        0x0                  1622   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument reportForDataType:] -- Dispatching helperTool request for dataType SPHardwareDataType.\n2024-12-12 21:45:11.614695+0100 0x794a     Info        0x0                  1622   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument _reportFromHelperToolForDataType:completionHandler:]_block_invoke -- Launching task to collect SPHardwareDataType\n2024-12-12 21:45:11.621749+0100 0x7953     Info        0x0                  1625   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument _reportFromBundlesForDataType:completionHandler:] -- Called on the main thread for dataType SPHardwareDataType. Re-dispatching to global_queue.\n2024-12-12 21:45:11.621833+0100 0x7954     Info        0x0                  1625   0    system_profiler: (SPSupport) [com.apple.SPSupport:Reporting] -[SPDocument _reportFromBundlesForDataType:] -- Starting task to collect SPHardwareDataType\n```\n\n### dscl\nLet's try to find logs related to checking the entered password using the `dscl` command. 
Since the source code used `NSTask` in the `exec` function, it spawned a child process, so searching the original process will not yield any results:\n```\n% log show --predicate 'composedMessage contains \"dscl\" OR process contains \"dscl\"' --start \"2024-12-12 21:45:11\" --end \"2024-12-12 21:45:21\" --info --debug\nFiltering the log data using \"process CONTAINS \"dscl\" OR composedMessage CONTAINS \"dscl\"\"\nTimestamp                       Thread     Type        Activity             PID    TTL  \n2024-12-12 21:45:11.238323+0100 0x7942     Activity    0x13a70              1621   0    dscl: (CFOpenDirectory) Open a given node\n2024-12-12 21:45:11.240016+0100 0x7942     Default     0x13a70              1621   0    dscl: (libxpc.dylib) [com.apple.xpc:connection] [0x600001044000] activating connection: mach=true listener=false peer=false name=com.apple.system.opendirectoryd.api\n2024-12-12 21:45:11.240690+0100 0x76d4     Info        0x13a70              119    0    opendirectoryd: [com.apple.opendirectoryd:session] UID: 501, EUID: 501, GID: 20, EGID: 20, PID: 1621, PROC: dscl ODNodeCreateWithNameAndOptions request, SessionID: 00000000-0000-0000-0000-000000000000, Name: \u003cprivate\u003e, Options: 0x0\n2024-12-12 21:45:11.242897+0100 0x7942     Activity    0x13a71              1621   0    dscl: (CFOpenDirectory) Retrieve record from node\n2024-12-12 21:45:11.242901+0100 0x7942     Activity    0x13a72              1621   0    dscl: (CFOpenDirectory) Querying records from directories\n2024-12-12 21:45:11.243128+0100 0x78e3     Info        0x13a72              119    0    opendirectoryd: [com.apple.opendirectoryd:session] UID: 501, EUID: 501, GID: 20, EGID: 20, PID: 1621, PROC: dscl ODQueryCreateWithNode request, NodeID: DFD1BF07-4D91-4198-9ACF-B0F3707E22F2, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): \u003cprivate\u003e, Requested Attributes: \u003cnone\u003e, Max Results: 
1\n2024-12-12 21:45:11.247745+0100 0x7942     Activity    0x13a73              1621   0    dscl: (CFOpenDirectory) Verify basic credentials\n2024-12-12 21:45:11.247839+0100 0x76d4     Info        0x13a73              119    0    opendirectoryd: [com.apple.opendirectoryd:session] UID: 501, EUID: 501, GID: 20, EGID: 20, PID: 1621, PROC: dscl ODRecordVerifyPassword request, NodeID: DFD1BF07-4D91-4198-9ACF-B0F3707E22F2, RecordType: dsRecTypeStandard:Users, Record: \u003cprivate\u003e\n2024-12-12 21:45:11.346074+0100 0x7942     Activity    0x13a74              1621   0    dscl: (CFOpenDirectory) Closing a node reference\n2024-12-12 21:45:11.346143+0100 0x76d4     Info        0x13a74              119    0    opendirectoryd: [com.apple.opendirectoryd:session] UID: 501, EUID: 501, GID: 20, EGID: 20, PID: 1621, PROC: dscl ODNodeRelease request, NodeID: DFD1BF07-4D91-4198-9ACF-B0F3707E22F2\n2024-12-12 21:45:11.346638+0100 0x78e4     Info        0x0                  119    0    opendirectoryd: [com.apple.opendirectoryd:session] PID: 1621, Client: 'dscl', exited with 0 session(s), 0 node(s) and 0 active request(s)\n--------------------------------------------------------------------------------------------------------------------\nLog      - Default:          1, Info:                5, Debug:             0, Error:          0, Fault:          0\nActivity - Create:           5, Transition:          0, Actions:           0\n```\nThe line that matters is the `ODRecordVerifyPassword` request logged by `opendirectoryd`: it names the requesting client (PID 1621, `dscl`, UID 501), so the password check surfaces on the server side even though the stealer's own PID (1619) never appears in these entries. It lands at 21:45:11.247, right before the `Password saved successfully.` line at 21:45:11.347 in the debug log above.\n\n### C2\nTo find the transfer to the C2 server we can filter on the network subsystem:\n```\n% log show --predicate 'subsystem=\"com.apple.network\"' --start \"2024-12-12 21:45:11\" --end \"2024-12-12 21:45:21\" --info --debug\n```\nThe full log can be found [here](files/com.apple.network.log); the connection summary below is the evidence of the transfer. It records the process, the destination and `bytes in/out`, and the 85518 bytes out are in line with the 83 KB POST body that reached our server:\n```\n2024-12-12 21:45:20.459870+0100 0x7a42     Default     0x0                  1619   0    banshee: (Network) [com.apple.network:connection] [C4 37BD558C-A5D9-4ED2-8CF3-A38F63F7986E 127.0.0.1:8000 tcp, url hash: 5fe282c6, definite, 
attribution: developer] cancelled\n\t[C4 D935AE40-57F8-4924-9BCC-AA9E2B8CE0B6 127.0.0.1:49281\u003c-\u003e127.0.0.1:8000]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: lo0\n\tPrivacy Stance: Not Eligible\n\tDuration: 0.012s, TCP @0.000s took 0.001s\n\tbytes in/out: 111/85518, packets in/out: 3/7, rtt: 0.001s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0\n```\n\n#### C2 request\nNow let's see what arrived at our C2:\n```\n% python3 server.py\nStarting HTTP server on port 8000...\nReceived POST request to /send/\nHeaders: Host: 127.0.0.1:8000\nContent-Type: application/json\nConnection: keep-alive\nAccept: */*\nUser-Agent: banshee (unknown version) CFNetwork/1498.700.2 Darwin/23.6.0\nContent-Length: 83298\nAccept-Language: en-US,en;q=0.9\nAccept-Encoding: gzip, deflate\n\n\nBody: {\"data\":\"base64encodedAndEncryptedData:i22rA7cWN57YefE:HofPYbB9JeABDQGeL1U4oUwws\"}\n```\nThe `data` field is three colon-separated parts:\n```\nbase64encodedAndEncryptedData - the exfiltrated archive, encrypted and then base64-encoded (the 83 KB blob is shown as a placeholder above);\ni22rA7cWN57YefE - the key we can use to decrypt it;\nHofPYbB9JeABDQGeL1U4oUwws - the original filename of the archive extracted from our system (without the .zip extension).\n```\nNote also the `User-Agent`: CFNetwork builds it from the process name and version, so an unversioned binary announces itself as `banshee (unknown version) CFNetwork/... Darwin/...`, an easy string to match on a proxy. To decrypt intercepted data, we can use [this](files/decryptor.py) python script:\n```\n% decryptor.py server-files/HofPYbB9JeABDQGeL1U4oUwws.json\n```\n\n# Splunk Logs\nWe can check which sources generate the most events with `index=* | stats count by source | sort -count`:\n\u003cdetails\u003e\n\u003csummary\u003esources 
stats\u003c/summary\u003e\n\n```\n/var/log/com.apple.xpc.launchd/launchd.log\t62396\n/var/log/install.log\t1138\n/Library/Logs/DiagnosticReports/shutdown_stall_2024-12-13-003247_users-Virtual-Machine.shutdownStall\t595\n/var/log/asl/Logs/aslmanager.20241212T204313+01\t266\n/var/log/asl/Logs/aslmanager.20241213T000519+01\t263\n/var/log/asl/Logs/aslmanager.20241213T003227+01\t260\n/private/var/db/diagnostics/logdata.statistics.0.txt\t121\n/var/log/system.log\t87\n/private/var/db/diagnostics/logdata.statistics.0.jsonl\t51\n/var/log/fsck_apfs.log\t26\n/private/var/db/diagnostics/logd.0.log\t15\n/var/log/fsck_apfs_error.log\t14\n/Users/user/Library/Logs/DiagnosticReports/banshee_orig-2024-12-12-210846.ips\t3\n/Users/user/Library/Logs/DiagnosticReports/banshee_orig-2024-12-12-211124.ips\t3\n/Users/user/Library/Logs/DiagnosticReports/banshee_orig-2024-12-12-211155.ips\t3\n/private/var/db/diagnostics/shutdown.log\t2\n/var/log/shutdown_monitor.log\t2\n/private/var/db/diagnostics/logd_helper.0.log\t1\n/var/log/daily.out\t1\n/var/log/wifi.log\t1\n```\n\u003c/details\u003e\u003cbr\u003e\nOverall the forwarded files are of little use: the ten-second window from \"2024-12-12 21:45:11\" to \"2024-12-12 21:45:21\" contains only 25 events and nothing related to our run (the only stealer artefacts in the whole index are the three `banshee_orig-*.ips` crash reports written earlier that evening, at 21:08 and 21:11). The reason is that the unified log itself is stored in binary `.tracev3` files under `/private/var/db/diagnostics`, which a file monitor cannot index as text; only the small text files next to them (`logdata.statistics.*`, `logd.0.log`) made it into Splunk. To get unified log events into the SIEM they have to be exported as text first, for example with `log show` or `log stream`.\n\n# References\n1. [Beyond the wail: deconstructing the BANSHEE infostealer](https://www.elastic.co/security-labs/beyond-the-wail)\n2. [SecurityWeek. Source Code of $3,000-a-Month macOS Malware ‘Banshee Stealer’ Leaked](https://www.securityweek.com/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked/)\n3. [Jamf. Unified Logging](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Unified_Logging.html)\n4. [Kandji. Mac Logging and the log Command: A Guide for Apple Admins](https://www.kandji.io/blog/mac-logging-and-the-log-command-a-guide-for-apple-admins)\n5. [Aftermath. macOS IR Framework](https://github.com/jamf/aftermath)\n6. [Google santa. 
A binary authorization and monitoring system for macOS](https://github.com/google/santa)\n7. [A deep dive into macOS TCC.db](https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive)\n8. [Original Apple Script from source code](files/tempAppleScript.scpt)\n9. [SentinelOne. macOS Threat Hunting \u0026 Incident Response](https://www.sentinelone.com/resources/ebook-macos-threat-hunting-incident-response/)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcode2319%2Fmacos-banshee-logs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcode2319%2Fmacos-banshee-logs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcode2319%2Fmacos-banshee-logs/lists"}
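Added example for the `dscl` and `C2` sections of the README above. This is not code from the code2319/macOS-banshee-logs repository; it shows how to turn the `log show` text output quoted there into detections. It parses the default column layout, including the tab-indented continuation lines of multi-line messages, and flags the two artefacts the analysis traced: the `ODRecordVerifyPassword` request that `opendirectoryd` logs on behalf of the `dscl` child, and the `com.apple.network:connection` tear-down summary with the outbound byte count of the POST to the C2. `SAMPLE_LOG` is a constructed excerpt of the log lines shown in the README; the function names and the `min_bytes_out` threshold are this example's own choices.

```python
# Added example, not code from the code2319/macOS-banshee-logs repository.
# Parses `log show` text output (the format quoted in the README, including the
# tab-indented continuation lines of multi-line messages) and flags:
#   1. opendirectoryd logging an ODRecordVerifyPassword request for a `dscl`
#      client (the stealer checking the password it was given);
#   2. a com.apple.network connection summary with a large outbound byte count
#      (the POST to the C2 server).
# SAMPLE_LOG is a constructed excerpt of the README's lines; names and the
# min_bytes_out threshold are this example's own choices.
from dataclasses import dataclass

SAMPLE_LOG = '''Timestamp                       Thread     Type        Activity             PID    TTL
2024-12-12 21:45:11.247745+0100 0x7942     Activity    0x13a73              1621   0    dscl: (CFOpenDirectory) Verify basic credentials
2024-12-12 21:45:11.247839+0100 0x76d4     Info        0x13a73              119    0    opendirectoryd: [com.apple.opendirectoryd:session] UID: 501, EUID: 501, GID: 20, EGID: 20, PID: 1621, PROC: dscl ODRecordVerifyPassword request, NodeID: DFD1BF07-4D91-4198-9ACF-B0F3707E22F2, RecordType: dsRecTypeStandard:Users, Record: <private>
2024-12-12 21:45:20.459870+0100 0x7a42     Default     0x0                  1619   0    banshee: (Network) [com.apple.network:connection] [C4 37BD558C-A5D9-4ED2-8CF3-A38F63F7986E 127.0.0.1:8000 tcp, url hash: 5fe282c6, definite, attribution: developer] cancelled
\t[C4 D935AE40-57F8-4924-9BCC-AA9E2B8CE0B6 127.0.0.1:49281<->127.0.0.1:8000]
\tConnected Path: satisfied (Path is satisfied), viable, interface: lo0
\tbytes in/out: 111/85518, packets in/out: 3/7, rtt: 0.001s, retransmitted bytes: 0, out-of-order bytes: 0
--------------------------------------------------------------------------------------------------------------------
Log      - Default:          1, Info:                5, Debug:             0, Error:          0, Fault:          0
'''


@dataclass
class LogEvent:
    timestamp: str
    pid: int
    process: str
    message: str


def build_log_show_cmd(predicate, start, end):
    # argv for `log show` limited to a time window; on a Mac hand it to
    # subprocess.run(..., capture_output=True, text=True) and parse .stdout below.
    return ['log', 'show', '--predicate', predicate, '--start', start,
            '--end', end, '--info', '--debug']


def parse_log_show(text):
    # Columns: date time thread type activity pid ttl process: message.
    # A message that spans several lines continues on lines indented with a tab.
    events = []
    for line in text.splitlines():
        if line[:1] in ('\t', ' ') and events:
            events[-1].message += '\n' + line.strip()
            continue
        parts = line.split(None, 7)
        if len(parts) != 8 or not parts[2].startswith('0x') or not parts[5].isdigit():
            continue  # column header, separator or the trailing statistics lines
        proc, sep, msg = parts[7].partition(': ')
        if sep:
            events.append(LogEvent(parts[0] + ' ' + parts[1], int(parts[5]), proc, msg))
    return events


def od_fields(message):
    # 'UID: 501, EUID: 501, ..., PROC: dscl ODRecordVerifyPassword request, ...' -> dict
    fields = {}
    for item in message.split('] ', 1)[-1].split(', '):
        key, sep, value = item.partition(': ')
        if sep:
            fields[key] = value
    return fields


def find_password_verification(events):
    # opendirectoryd names the requesting client (PID, UID, PROC). Filtering the
    # unified log on the stealer's own PID never shows this, because dscl runs as
    # a separate child process; the server side of the request does.
    hits = []
    for ev in events:
        if ev.process == 'opendirectoryd' and 'ODRecordVerifyPassword' in ev.message:
            f = od_fields(ev.message)
            hits.append({'time': ev.timestamp, 'client_pid': int(f['PID']),
                         'client': f['PROC'].split(' ')[0], 'uid': int(f['UID'])})
    return hits


def find_large_uploads(events, min_bytes_out=50_000):
    # com.apple.network writes a per-connection summary when a connection is torn
    # down; its 'bytes in/out' line is the volume that actually left the host.
    hits = []
    for ev in events:
        if '[com.apple.network:connection]' not in ev.message or 'bytes in/out: ' not in ev.message:
            continue
        counts = ev.message.split('bytes in/out: ', 1)[1].split(',', 1)[0]  # e.g. '111/85518'
        bytes_in, bytes_out = (int(n) for n in counts.split('/'))
        if bytes_out < min_bytes_out:
            continue
        head = ev.message.split('\n', 1)[0]  # '... [C4 <uuid> 127.0.0.1:8000 tcp, ...] cancelled'
        dest = head.split(' tcp', 1)[0].rsplit(' ', 1)[-1] if ' tcp' in head else 'unknown'
        hits.append({'time': ev.timestamp, 'pid': ev.pid, 'process': ev.process,
                     'dest': dest, 'bytes_in': bytes_in, 'bytes_out': bytes_out})
    return hits


def analyse(text=SAMPLE_LOG):
    events = parse_log_show(text)
    return {'password_checks': find_password_verification(events),
            'uploads': find_large_uploads(events)}


if __name__ == '__main__':
    for kind, hits in analyse().items():
        for hit in hits:
            print(kind, hit)
```

On a Mac, feed `analyse()` the stdout of `build_log_show_cmd(...)`; the predicate narrows the window, but the password check has to be searched on `opendirectoryd` rather than on the stealer's PID, and the upload summary only appears once the connection is closed, so the end of the window must be late enough to include it.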