Aftermath – A Free macOS IR Framework

Aftermath can be leveraged by defenders in order to collect and subsequently analyze the data from the compromised host. Aftermath can be deployed from an MDM (ideally), but it can also run independently from the infected user’s command line.

Aftermath first runs a series of modules for collection. The output of this will either be written to the location of your choice, via the -o or --output option, or by default, it is written to the /tmp directory.

To build Aftermath locally, clone it from the repository

cd into the Aftermath directory

Build using Xcode

cd into the Release folder

Run aftermath

The default usage of Aftermath runs

To specify certain options




Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top

Adblock Detected

Please consider supporting us by disabling your ad blocker

Refresh Page