{
	"id": "d93c5823-4b30-48f4-a1ca-2f66c28ab5d8",
	"created_at": "2026-04-06T00:11:53.226944Z",
	"updated_at": "2026-04-10T03:21:48.284907Z",
	"deleted_at": null,
	"sha1_hash": "472bdc407d7de01e230feb340475599b5e8ee0a6",
	"title": "How do you find the culprit when unauthor…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31162,
	"plain_text": "How do you find the culprit when unauthor…\r\nBy rjben Author\r\nArchived: 2026-04-05 14:20:26 UTC\r\nApr 19, 2017 10:49 AM in response to rjben\r\nI found a login in system.log\r\nThis was on a laptop running El Capitan:\r\nscreensharingd [5791]: Authentication: SUCCEEDED :: User Name: XXX Viewer Address :: 172.xx.xx.xx :: Type DH\r\nSo search system.log on the attacked computer for some of these things and you will at least get the IP address,\r\nand if you are fast you could relate that back to the computer that it was done from. In this case they had shoulder\r\nsurfed the password from the attacked computer, so they were logging in with what they know is a local user of\r\nthe victim computer.\r\nMay 30, 2012 8:23 PM in response to rjben\r\nThe secure.log includes logs of computers that remote into the computer via ARDAgent. This includes the time,\r\ndate, account, and IP address of a computer they used to remote into the computer. The secure log is found in\r\n/var/logs/secure.log.\r\nIf they're using something other than the built-in remote features of the Mac, then you're not going to see anything\r\nin the secure log.\r\nOf course you could just have all the passwords updated on the Mac. Make sure ARDAgent is restricted. So they\r\nhopefully can't remote into the computer.\r\nAlso keep in mind an IP address has limitations, i.e. if I remote into a computer on 1/2/12 and then you check the\r\nlog on 4/2/12, by that time someone else may have that IP address.\r\nMay 31, 2012 9:57 AM in response to TeenTitan\r\nYou may also want to completely change the password on YOUR ARD server. If someone has compromised YOUR\r\nsystem, you may find out that it was your system doing the \"illegal\" mouse movements. You may also want to\r\ncheck to be sure to NOT allow your system to be controlled by ARD from someone else. The setting is in the\r\nARD (Server) Preferences Menu under the Security tab.\r\nSource: https://discussions.apple.com/thread/3991574",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://discussions.apple.com/thread/3991574"
	],
	"report_names": [
		"3991574"
	],
	"threat_actors": [],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/472bdc407d7de01e230feb340475599b5e8ee0a6.pdf",
		"text": "https://archive.orkl.eu/472bdc407d7de01e230feb340475599b5e8ee0a6.txt",
		"img": "https://archive.orkl.eu/472bdc407d7de01e230feb340475599b5e8ee0a6.jpg"
	}
}