{
	"id": "6db22af0-6cb7-40dc-b3d8-cf6b984a4322",
	"created_at": "2026-04-06T00:16:23.640172Z",
	"updated_at": "2026-04-10T03:21:05.168865Z",
	"deleted_at": null,
	"sha1_hash": "b5c6f7b51ebde53fa7a1d16c3290059b845cbfb0",
	"title": "Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins — mac4n6.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45120,
	"plain_text": "Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] –\r\nWorking From Home? Remote Logins — mac4n6.com\r\nPublished: 2020-04-30 · Archived: 2026-04-05 20:19:02 UTC\r\nI’m sure many of us are working remotely right now, possibly using some of these remote capabilities. Remote\r\nLogins can include a few different services; SSH and Screen Sharing are two that I’ll show here. These services\r\nare disabled by default and would need to be turned on in the user’s Sharing preferences.\r\nWhen Remote Login is turned on in the Sharing preferences, the system will have an SSH server enabled. Let’s\r\ntake a look at what an incoming SSH connection might look like first for a user account on the system that does\r\nnot have this option turned on (janedoe). We are looking for the entries for the process ‘sshd’.\r\nlog show --predicate 'process = \"sshd\"'\r\nOne entry to key in on is “user account has expired”. A user attempted to use SSH to log in to this system using\r\nthe ‘janedoe’ account coming from IP 192.168.1.170; however, the connection failed.\r\nNow on a system that does have remote login turned on. This first example shows an incorrect password attempt.\r\nAnd a correct password attempt and login.\r\nConnections can of course be incoming or outgoing. If the user were trying to access another system it might look\r\nlike this. Not a whole lot unfortunately.\r\nlog show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"'\r\n…and when the connection closes.\r\nScreen Sharing is another service that needs to be explicitly enabled in the Sharing preferences. Incoming\r\nconnections will show the user who logged in and where they came from. The example below shows an incorrect\r\npassword that failed, and another that was correct. I’ve only queried for messages that contain the text\r\n‘Authentication:’. 
Looking for all messages associated with the ‘screensharingd’ process will be quite verbose\r\nwith some metadata about the session. \r\nlog show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"'\r\nOutgoing connections, like incoming connections, can be verbose. The process is ‘Screen Sharing’ like the\r\napplication name.\r\nlog show --info --predicate 'process = \"Screen Sharing\"'\r\nI might do a specific filter for ‘connect’ and ‘disconnect’ in the messages to see multiple sessions over time.\r\nSource: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
	],
	"report_names": [
		"analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
	],
	"threat_actors": [],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5c6f7b51ebde53fa7a1d16c3290059b845cbfb0.pdf",
		"text": "https://archive.orkl.eu/b5c6f7b51ebde53fa7a1d16c3290059b845cbfb0.txt",
		"img": "https://archive.orkl.eu/b5c6f7b51ebde53fa7a1d16c3290059b845cbfb0.jpg"
	}
}