CSA (312-39) SOC Simulation Lab

Welcome to the Tier 3 analysis queue. In this module, you will analyze macOS file structures to locate critical user-level logs during an incident. Master this to track attacker activity within user profiles.

Scenario Context

You are investigating an alert on an executive's MacBook Pro (`exec-mbp-01`). The EDR flagged suspicious terminal commands running in user-space, but system-wide root logs show no anomalies. The attacker appears to be operating entirely within the context of the compromised user account to avoid triggering system-level protections. You need to pull the crash dumps and application logs specific to this user to identify the payload.

Security Environment

You establish a remote shell to the endpoint and begin querying the file system for recent user application crashes that might indicate a failed memory exploit or a buggy persistence script. Because another user's `~/Library` is readable only by that user and root, you elevate with `sudo -s` and work from the compromised user's directory by absolute path (a bare `~` in your own shell would expand to `ir_admin`'s home, not `jdoe`'s):

admin@soc-jumpbox ~ % ssh ir_admin@10.20.15.80
ir_admin@exec-mbp-01 ~ % sudo -s
root@exec-mbp-01 ~ # cd /Users/jdoe/Library/Logs/DiagnosticReports
root@exec-mbp-01 DiagnosticReports # ls -lah | grep -i "crash"
-rw-r--r--@ 1 jdoe staff 24K Oct 24 10:15 Python_2023-10-24-101501_exec-mbp-01.crash
-rw-r--r--@ 1 jdoe staff 18K Oct 24 10:18 osascript_2023-10-24-101822_exec-mbp-01.crash
root@exec-mbp-01 DiagnosticReports # grep "Exception Type" *.crash
Python_2023-10-24-101501_exec-mbp-01.crash:Exception Type: EXC_BAD_ACCESS (SIGSEGV)
osascript_2023-10-24-101822_exec-mbp-01.crash:Exception Type: EXC_CRASH (SIGABRT)

Question

Which of the following is a default directory on Mac OS X that stores security-related logs?

A. /private/var/log
B. /Library/Logs/Sync
C. /var/log/cups/access_log
D. ~/Library/Logs

Expert Insight

What is happening here?

An attacker has compromised the `jdoe` user account and is attempting to execute Python and AppleScript (`osascript`) payloads entirely in user-space. The payloads are failing and crashing, and each crash writes a report into `DiagnosticReports`. Because these actions are happening under the user's context without root escalation, the relevant crash reports and application logs are written under that user's own Library directory (`/Users/jdoe/Library/Logs`), not under `/Library/Logs` or `/var/log`.

Why 'D' is correct

~/Library/Logs (where the tilde `~` represents the current user's home directory, e.g., `/Users/jdoe/`) contains logs specific to that user: user-level application logs, logs from agents running in the user's login session, and, critically, the `DiagnosticReports` subdirectory that holds crash reports. When investigating user-mode malware, user-level persistence (LaunchAgents registered in `~/Library/LaunchAgents`), or application exploitation, this directory is a primary artifact source.

Why the others are wrong

A. /private/var/log: This is the system-wide legacy log directory (`/var/log` is a symlink to it) holding `system.log`, `install.log` and similar. It matters in almost every investigation, but in this scenario the attacker never left the `jdoe` user context, and the question is aimed at the per-user log location, so it is not the intended answer here.

B. /Library/Logs/Sync: This is a highly specific directory related to system-wide synchronization services, not a general repository for security-related logs.

C. /var/log/cups/access_log: This is a single file, not a directory, and it only records print requests handled by CUPS (the Common UNIX Printing System). It is of no use for a user-level endpoint investigation unless the printing subsystem itself is in scope.

MINI LESSON: macOS Logging Architecture

macOS logging is split into distinct tiers. As an incident responder, knowing where to look saves critical time:

  1. ~/Library/Logs: User-specific. Look here for user-installed app logs, user-space malware, and user app crashes. Crash reports land in ~/Library/Logs/DiagnosticReports; older releases write text `.crash` files (as in the scenario), while current macOS writes JSON `.ips` files, so plan your parsing accordingly. ~/Library is not readable by other non-root users, so reading another user's logs requires root.
  2. /Library/Logs: System-wide application logs. Look here for system-level daemon logs (like commercial EDR or MDM agents), and in /Library/Logs/DiagnosticReports for crash reports of processes running as root or as daemons.
  3. /var/log (or /private/var/log): Legacy UNIX system logs such as system.log and install.log. /var/log is a symlink to /private/var/log, so both paths name the same directory.
  4. Unified Logging System (log show): Modern macOS relies heavily on the Unified Logging System, storing compressed logs in /var/db/diagnostics/ (with string tables in /var/db/uuidtext/). These are not read as flat files; query them with `log show` (for example `log show --last 2h --predicate 'process == "osascript"'`) or snapshot them with `log collect` for offline analysis.
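The DiagnosticReports triage from the scenario can be scripted so it runs the same way on every user profile. The following is an added example written for this page, not code from the lab or any macOS tool: it parses the `Process:` and `Exception Type:` header lines of text-format `.crash` reports in a DiagnosticReports directory and keeps only crashes of scripting interpreters. The three reports it creates are constructed samples (the two interpreter crashes mirror the scenario, the Safari crash is invented to show the filter discarding noise); the `.ips` reports written by current macOS are JSON and would need a different parser.

```shell
#!/bin/sh
# Added example: triage legacy text-format (.crash) reports in a DiagnosticReports directory.
# Not part of the original lab; the sample reports below are constructed for this example.

# Create a constructed sample DiagnosticReports directory so the example runs offline.
make_sample_reports() {
    dir="$1"
    mkdir -p "$dir"
    # Mirrors the two reports from the scenario (header lines only, constructed).
    cat > "$dir/Python_2023-10-24-101501_exec-mbp-01.crash" <<'EOF'
Process:               Python [4821]
Path:                  /usr/bin/python3
Identifier:            Python
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
EOF
    cat > "$dir/osascript_2023-10-24-101822_exec-mbp-01.crash" <<'EOF'
Process:               osascript [4902]
Path:                  /usr/bin/osascript
Identifier:            osascript
Exception Type:        EXC_CRASH (SIGABRT)
EOF
    # A constructed benign browser crash, to show the interpreter filter dropping noise.
    cat > "$dir/Safari_2023-10-20-090000_exec-mbp-01.crash" <<'EOF'
Process:               Safari [311]
Path:                  /Applications/Safari.app/Contents/MacOS/Safari
Identifier:            com.apple.Safari
Exception Type:        EXC_CRASH (SIGABRT)
EOF
}

# Emit one line per report: <file>|<process name>|<exception type>
triage_crash_reports() {
    dir="$1"
    for f in "$dir"/*.crash; do
        [ -f "$f" ] || continue
        # First token after "Process:" is the process name; the "[pid]" suffix is dropped.
        proc=$(sed -n 's/^Process:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
        exc=$(sed -n 's/^Exception Type:[[:space:]]*//p' "$f" | head -n 1)
        printf '%s|%s|%s\n' "$(basename "$f")" "${proc:-unknown}" "${exc:-unknown}"
    done
}

# Keep only crashes of interpreters an attacker would use for user-space scripting.
suspicious_interpreter_crashes() {
    triage_crash_reports "$1" | grep -E '[|](Python|python[0-9.]*|osascript|bash|zsh|sh|perl|ruby)[|]'
}

# Stand-alone demo on the constructed samples: prints the flagged reports.
demo_dir=$(mktemp -d)
make_sample_reports "$demo_dir"
suspicious_interpreter_crashes "$demo_dir"
rm -rf "$demo_dir"
```

On a live endpoint, point `triage_crash_reports` at `/Users/<user>/Library/Logs/DiagnosticReports` (as root, since `~/Library` is not readable by other users) and at `/Library/Logs/DiagnosticReports` for root-level crashes. The process name it extracts is the value to feed into `log show --predicate 'process == "osascript"'` to pull the matching Unified Log entries around the crash timestamp.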
