- MacOS Intrusion
| Windows | MacOS |
|---|---|
| Registry | Property List Files (.plist) |
| Windows Event Logs | Apple Unified Logging |
| CMD / PSH | Terminal.app (bash / zsh) |
| Portable Executable (PE) | Mach-O Executable |
| DLL | Dynamic Library (Dylib) |
| %APPDATA% | ~/Library/Application Support/ |
| SYSTEM / Administrators | Root / admin |
| LSASS | Keychain |
| User Account Control (UAC) | Transparency, Consent, and Control (TCC) |
| Privileges | Entitlements |
| .lnk | Dock Shortcuts |
| - | Application Bundles (.app) |
EvilNginx
Payload execution will probably be sandboxed.
- https://github.com/cldrn/macphish
- https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c
- https://github.com/its-a-feature/Mythic
- https://github.com/kareman/SwiftShell
- https://github.com/cedowens/MacC2
--> Main blog for persistence techniques: https://theevilbit.github.io/beyond/beyond_intro/
Check if current user is local admin
id
dscl . list groups
dscl . read groups/admin
- aws
- gcp
- azure
- SSH keys
Look for ZSH, Bash and other terminal history.
- https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
- https://github.com/defaultnamehere/cookie_crimes
git clone https://github.com/defaultnamehere/cookie_crimes.git
cd cookie_crimes/
./cookie_crimes_macos.sh
- https://www.sentinelone.com/blog/macos-red-team-spoofing-privileged-helpers-and-others-to-gain-root/
Prompt user for credentials based on predefined context.
With root access you can grab the keychain db, take it offline and extract it with chainbreaker.
- Introduced in Mac OS X Lion (10.7)
- Cryptographic signature embedded in the app using a (developer) certificate
- Verification handled by the com.apple.driver.AppleMobileFileIntegrity.kext kernel extension and the /usr/libexec/amfid daemon
Granular set of permissions that allow or deny an application access to specific system resources or privileges. (Fine-grained rights)
Displaying entitlements for a binary or application
codesign -dv --entitlements - ./binary
When conducting a red team operation, the operator should look for processes with the desired entitlements; a child process inherits the entitlements of its parent by default.
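A defender-side audit of the plist that the codesign command above prints, as an added example (not from the original notes): it parses the entitlements and flags the hardened-runtime keys that make a process a good injection target. The sample plist is constructed; the `RISKY` keys are real Apple entitlement names, the descriptions are mine.

```python
import plistlib
import subprocess

# Entitlements that weaken the hardened runtime or expose a process to injection
# (real Apple keys; the one-line descriptions are my own wording).
RISKY = {
    "com.apple.security.cs.disable-library-validation": "may load unsigned or third-party dylibs",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_* variables",
    "com.apple.security.cs.allow-unsigned-executable-memory": "allows unsigned executable memory",
    "com.apple.security.get-task-allow": "other processes may attach to its task port",
}

def strip_blob_header(raw: bytes) -> bytes:
    """Some codesign versions prefix the XML with an 8-byte binary blob header;
    keep everything from '<?xml' onwards so plistlib recognises the format."""
    idx = raw.find(b"<?xml")
    return raw[idx:] if idx >= 0 else raw

def audit_entitlements(raw: bytes) -> dict:
    """Summarise one entitlements plist: sandbox state and which risky keys are enabled."""
    data = strip_blob_header(raw)
    ents = plistlib.loads(data) if data.strip() else {}   # unsigned binaries print nothing
    return {
        "count": len(ents),
        "sandboxed": ents.get("com.apple.security.app-sandbox") is True,
        "risky": {k: RISKY[k] for k, v in ents.items() if k in RISKY and v is True},
    }

def audit_binary(path: str) -> dict:
    """macOS only: run codesign as in the note above and audit what it prints to stdout."""
    proc = subprocess.run(["codesign", "-d", "--entitlements", "-", path],
                          capture_output=True, check=True)
    return audit_entitlements(proc.stdout)

# Constructed sample of what codesign prints for a non-sandboxed helper binary.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><false/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.get-task-allow</key><false/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for key, why in audit_entitlements(SAMPLE)["risky"].items():
        print(f"{key}: {why}")
```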
TCC - Transparency, Consent and Control is a mechanism in MacOS to limit and control application access to certain features. It requires user consent to access user data and some system resources.
--> Similar to Windows' UAC (User Account Control), prompting the user when a permission is needed.
Folders such as ~ and /tmp are not protected by TCC, which includes the following sensitive directories:
- ~/.ssh
- ~/.aws
- ~/.config
  - gcloud
  - credentials.db
- ~/.azure
--> If SSH is running you can SSH in locally to get full disk access and bypass TCC.
ssh user@ip "cat ~/Library/Application\ Support/com.apple.TCC/TCC.db"
- https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
- https://www.youtube.com/watch?v=vMGiplQtjTY
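The TCC.db pulled out with the ssh command above is a plain SQLite file, so the audit that a defender wants (who holds Full Disk Access, and when it was granted) is a query, shown here as an added example that is not part of the original notes. The `access` column subset and the `auth_value` meanings are my reading of the macOS 11+ schema (adjust for other versions); the in-memory table is constructed, and the `sshd-keygen-wrapper` row illustrates why enabling Remote Login makes the SSH trick above work.

```python
import os
import sqlite3
from datetime import datetime, timezone

USER_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"   # per-user grants
SYSTEM_DB = "/Library/Application Support/com.apple.TCC/TCC.db"  # system grants; needs root or FDA to read

AUTH = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}   # auth_value meanings (assumed)
CLIENT_TYPE = {0: "bundle id", 1: "absolute path"}
QUERY = ("SELECT service, client, client_type, auth_value, last_modified FROM access "
         "WHERE service = ? ORDER BY last_modified DESC")

def open_db(path: str) -> sqlite3.Connection:
    """Open a TCC.db read-only; for forensics work on a copy, never the live file."""
    return sqlite3.connect(f"file:{os.path.expanduser(path)}?mode=ro", uri=True)

def grants(conn, service="kTCCServiceSystemPolicyAllFiles"):
    """[(client, client kind, decision, UTC time)] for one TCC service, newest first."""
    rows = conn.execute(QUERY, (service,)).fetchall()
    return [(client, CLIENT_TYPE.get(ctype, str(ctype)), AUTH.get(auth, str(auth)),
             datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
            for _svc, client, ctype, auth, ts in rows]

def allowed_clients(conn, service="kTCCServiceSystemPolicyAllFiles"):
    """Clients that currently hold the grant; for Full Disk Access each one is a path around TCC."""
    return [c for c, _kind, decision, _t in grants(conn, service) if decision == "allowed"]

def demo_db():
    """Constructed in-memory table with only the columns used above (not a real TCC.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 1700000000),
        # Remote Login grants FDA to sshd-keygen-wrapper, hence the local-SSH trick above
        ("kTCCServiceSystemPolicyAllFiles", "/usr/libexec/sshd-keygen-wrapper", 1, 2, 1700000500),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.helper", 0, 0, 1700001000),
        ("kTCCServiceMicrophone", "com.example.app", 0, 2, 1700002000),
    ])
    return conn

if __name__ == "__main__":
    for row in grants(demo_db()):
        print(*row)
```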
Quarantine Attribute - q attr.
- Appended by the OS to files downloaded via browsers (similar to SmartScreen in the Windows world)
--> Using curl does not append the quarantine attribute to the file.
- https://eclecticlight.co/2019/04/25/%f0%9f%8e%97-quarantine-apps/
- https://eclecticlight.co/2019/05/27/is-a-mac-os-x-gatekeeper-bypass-what-it-says/
Listing extended attributes for a file
$ xattr downloadedFile
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine
Deleting quarantine attributes for a file
$ xattr -d com.apple.quarantine downloadedFile
$ xattr downloadedFile
com.apple.metadata:kMDItemWhereFroms
Deleting recursively
$ xattr -r -d com.apple.quarantine /path/to/MyApp.app
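The two attributes listed by xattr above carry the provenance of a download: the quarantine value is a `flags;epoch-hex;agent;uuid` string and kMDItemWhereFroms is a binary plist of URLs. This added example (not from the original notes) parses both and flags the state the `xattr -d` command leaves behind, a file that still records where it came from but no longer carries the quarantine tag; the sample values are constructed, and `xattr -px` is used for reading on macOS because Python's os.getxattr is Linux-only.

```python
import plistlib
import subprocess
from datetime import datetime, timezone

QUARANTINE = "com.apple.quarantine"
WHEREFROMS = "com.apple.metadata:kMDItemWhereFroms"

def parse_quarantine(raw: bytes) -> dict:
    """Value layout: '<flags hex>;<epoch secs hex>;<agent>;<uuid>' (uuid may be absent)."""
    flags, ts, agent, *rest = raw.decode("utf-8", "replace").strip().split(";")
    return {"flags": int(flags, 16),
            "downloaded_at": datetime.fromtimestamp(int(ts, 16), timezone.utc),
            "agent": agent, "uuid": rest[0] if rest else ""}

def parse_wherefroms(raw: bytes) -> list:
    """Binary plist array, typically [download URL, referrer URL]."""
    val = plistlib.loads(raw)
    return [str(u) for u in val] if isinstance(val, list) else []

def read_xattr(path: str, name: str):
    """macOS only: `xattr -px` prints the value as hex; None when the attribute is absent."""
    proc = subprocess.run(["xattr", "-px", name, path], capture_output=True, text=True)
    return bytes.fromhex(proc.stdout) if proc.returncode == 0 else None

def describe(quarantine, wherefroms) -> dict:
    """Combine both attributes; flag files whose quarantine tag vanished after download."""
    info = {"quarantined": quarantine is not None, "agent": None, "downloaded_at": None,
            "urls": parse_wherefroms(wherefroms) if wherefroms else []}
    if quarantine is not None:
        q = parse_quarantine(quarantine)
        info.update(agent=q["agent"], downloaded_at=q["downloaded_at"].isoformat())
    # A source URL with no quarantine tag means the tag was stripped (cf. `xattr -d` above)
    # or never set by the downloading tool; either way Gatekeeper will not assess the file.
    info["stripped"] = bool(info["urls"]) and not info["quarantined"]
    return info

def inspect_file(path: str) -> dict:
    """Read both attributes from a file on macOS and describe them."""
    return describe(read_xattr(path, QUARANTINE), read_xattr(path, WHEREFROMS))

# Constructed sample values as they would come back from xattr.
SAMPLE_Q = b"0083;6463a4f2;Safari;E1A2B3C4-0000-4000-8000-000000000000"
SAMPLE_WF = plistlib.dumps(["https://example.test/app.dmg", "https://example.test/"],
                           fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(describe(SAMPLE_Q, SAMPLE_WF))
    print(describe(None, SAMPLE_WF))   # what the file looks like after `xattr -d`
```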
### MacOS - Resources
- https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse
- https://null-byte.wonderhowto.com/how-to/hacking-macos-perform-privilege-escalation-part-1-file-permissions-abuse-0186331/
- https://null-byte.wonderhowto.com/how-to/hacking-macos-perform-privilege-escalation-part-2-password-phishing-0186332/
Explanation of some MacOS security features - Quarantine / GateKeeper / Notarization
TO DO
- Apple Events
- Read all : https://objective-see.org/blog.html
- https://pentester.wtf/blog/2020/specterops-2020-review/
- https://www.youtube.com/watch?v=vMGiplQtjTY
- Office Macros: Application sandbox and escape
- JXA JavaScript For Automation
- https://posts.specterops.io/no-place-like-chrome-122e500e421f
- https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/
- https://theevilbit.github.io/beyond/
- https://objectivebythesea.org/v2/talks/OBTS_v2_Thomas.pdf
- https://github.com/cedowens/JXA-Runner
- Abuse daemons for privileges escalation (https://github.com/its-a-feature/HealthInspector)
- Basically all of the cedowens repos, e.g. User_Launchdaemons() and System_Launchdaemons()
- https://www.sentinelone.com/blog/privilege-escalation-macos-malware-the-path-to-root-part-2/
- https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- https://wojciechregula.blog/post/macos-red-teaming-bypass-tcc-with-old-apps/
- https://wojciechregula.blog/post/macos-red-teaming-get-ad-credentials-from-nomad/
- https://wojciechregula.blog/tags/tcc/
- https://wojciechregula.blog/post/macos-red-teaming-apple-signed-java/
- https://github.com/tonghuaroot/Awesome-macOS-Red-Teaming
- https://medium.com/red-teaming-with-a-blue-team-mentality/using-macos-internals-for-post-exploitation-b5faaa11e121
- https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox
- https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections
- https://book.hacktricks.xyz/macos-hardening/macos-red-teaming
- https://hitcon.org/2022/slides/Every-authorization-has-its-black-tackling-privilege-escalation-in-macOS.pdf
- https://www.offsec.com/offsec/macos-preferences-priv-escalation/
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/
- https://www.slideshare.net/wojdwo/abusing-securing-xpc-in-macos-apps
- https://wojciechregula.blog/post/learn-xpc-exploitation-part-1-broken-cryptography/
- http://lockboxx.blogspot.com/2019/09/macos-red-teaming-208-macos-att.html
- https://github.com/usnistgov/macos_security#readme
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-219r1.pdf
- https://www.youtube.com/watch?v=RKidBayaM7c
- https://www.youtube.com/watch?v=pOQOh07eMxY
- https://www.youtube.com/watch?v=IPFpyulNcRQ
- https://www.youtube.com/watch?v=W9GxnP8c8FU
- https://www.youtube.com/watch?v=fMRT8mPMJUs
- https://www.youtube.com/watch?v=a9hsxPdRxsY
- https://www.youtube.com/watch?v=cAl7epCq0q4
- https://theevilbit.github.io/beyond/beyond_intro/