macOS Privilege Escalation & Post-Exploitation

Begin Unsorted Section

User protections could be bypassed - Phil Stokes(2018)] * Apple Events are blocked depending on origination, could be bypassed using SSH. Disco * Articles/Blogposts/Writeups * Always Watching: macOS Eavesdropping – Justin Bui (SO-CON 2020) * As macOS becomes more prevalent in modern enterprise environments, red teamers have had to adapt their tradecraft. Input monitoring and screenshots can provide a wealth of information for attacker on any operating system. In this talk, we’ll discuss macOS internals and dive into the various API calls necessary for keylogging, clipboard monitoring, and screenshots. The accompanying source code will be released to GitHub! * Tools DMG http://newosxbook.com/DMG.html DylibHijack https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x https://malwareunicorn.org/workshops/macos_dylib_injection.html#0 * Dylib-Hijack-Scanner * JavaScript for Automation (JXA) version of Patrick Wardle's tool that searches applications for dylib hijacking opportunities DYLD http://newosxbook.com/articles/DYLD.html Entitlements https://secret.club/2020/08/14/macos-entitlements.html Evasion * Articles/Blogposts/Writeups * Tools Execution https://github.com/CylanceVulnResearch/osx_runbin https://github.com/cedowens/JXA-Runner * 101 * Articles/Blogposts/Writeups https://antman1p-30185.medium.com/macos-native-api-calls-in-electron-d297d9a960af * Talks/Presentations/Videos * Tools * Bring-Your-Own-* https://blog.xpnsec.com/bring-your-own-vm-mac-edition/ Gatekeeper https://bouj33boy.com/gatekeeper-symlink-automount-bypass/ Hooking * subhook * SubHook is a super-simple hooking library for C and C++ that works on Windows, Linux and macOS. It supports x86 only (32-bit and 64-bit). * Function Hooking for Mac OSX and Linux - * Slides Injection https://en.wikipedia.org/wiki/Rpath https://github.com/djhohnstein/macos_shell_memory * InjectCheck * The tool enumerates the Hardened Runtime, Entitlements, and presence of Electron files to determine possible injection opportunities JAMF * An Attacker's Perpsective on JAMF Configurations - Luke Roberts, Calum Hall(ObjectiveByTheSeav3) * Jamfing for Joy: Attacking macOS in Enterprise - Calum Hall, Luke Roberts(2020) JXA https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 * PersistentJXA * Collection of macOS persistence methods and miscellaneous tools in JXA https://news.ycombinator.com/item?id=21803874 https://forum.keyboardmaestro.com/t/jxa-javascript-for-automation-from-the-start/4522 https://stackoverflow.com/questions/47940322/cant-find-jxa-documentation https://medium.com/@SteveBarbera/automating-chrome-with-jxa-javascript-application-scripting-6f9bc433216a https://pragli.com/blog/manage-macos-windows-with-jxa/ https://computers.tutsplus.com/tutorials/a-beginners-guide-to-javascript-application-scripting-jxa--cms-27171 https://wiki.nikitavoloboev.xyz/macos/jxa https://github.com/JXA-Cookbook/JXA-Cookbook LoLbins https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ Mach-O * So You Want To Be A Mach-O Man? - symbolcrash(2019) * Mach-O Universal / Fat Binaries - symbolcrash(2019) Malware https://objective-see.com/blog/blog_0x4E.html https://objective-see.com/blog/blog_0x4D.html https://www.irongeek.com/i.php?page=videos/derbycon6/104-macs-get-sick-too-tyler-halfpop-jacob-soo https://www.sentinelone.com/blog/2020/01/29/scripting-macs-with-malice-how-shlayer-and-other-malware-installers-infect-macos/ https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ https://objective-see.com/blog/blog_0x5C.html Objective-C Payloads https://posts.specterops.io/sparkling-payloads-a2bd017095c https://posts.specterops.io/sparkling-payloads-a2bd017095c Persistence https://topic.alibabacloud.com/a/how-to-implement-persistent-access-on-macos-through-emond_3_75_32777033.html https://posts.specterops.io/are-you-docking-kidding-me-9aa79c24bdc1 https://posts.specterops.io/saving-your-access-d562bf5bf90b https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/ https://theevilbit.github.io/posts/macos_persisting_through-application_script_files/ https://github.com/cedowens/Persistent-Swift https://github.com/CyborgSecurity/PoisonApple * Persistent JXA - Leo Pitt(2020) * Operationalising Calendar Alerts: Persistence on macOS - Luke Roberts(2020) * Throughout the following blog post we provide insights into calendar alerts, a method of persisting on macOS. Building on the work of Andy Grant over at NCC (https://research.nccgroup.com/2020/05/05/exploring-macos-calendar-alerts-part-1-attempting-to-execute-code/), this post takes deeper look into weaponising the feature for use in offensive operations. This includes reversing Automator.app to find an undocumented API that enables the technique. * Hey, I'm Still In Here: An Overview of macOS Persistence Techniques – Leo Pitt (SO-CON 2020) * There is more to macOS persistence than Launch Agents. This talk goes over some lesser utilized macOS persistence methods. We will walk through how these methods work, how automation can be leveraged to quickly execute these from an offensive perspective, and how defenders can leverage indicators of these methods to assist in detection efforts. * Finder plugins https://github.com/D00MFist/InSync * Tools * CalendarPersist * JXA script to allow programmatic persistence via macOS Calendar.app alerts. plist Pkgs Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security Flaws - Andy Grant PkgInfo PopUps https://github.com/its-a-feature/macos-popups PostEx https://www.irongeek.com/i.php?page=videos/nolacon2018/nolacon-2018-107-your-mac-defenestrated-post-osxploitation-elevated-fuzzynop-noncetonic * macos_execute_from_memory Privileged Helper Tools https://www.offensivecon.org/speakers/2019/tyler-bohan.html https://github.com/blankwall/Offensive-Con https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part1/ https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part2/ PrivEsc https://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/ https://www.rapid7.com/db/vulnerabilities/apple-osx-systempreferences-cve-2020-9839 https://packetstormsecurity.com/files/159084/macOS-cfprefsd-Arbitrary-File-Write-Local-Privilege-Escalation.html https://book.hacktricks.xyz/linux-unix/privilege-escalation https://bradleyjkemp.dev/post/launchdaemon-hijacking/ https://research.nccgroup.com/2021/06/04/ios-user-enrollment-and-trusted-certificates/ https://github.com/djhohnstein/macos_shell_memory https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://www.offensive-security.com/offsec/macos-preferences-priv-escalation/ https://themittenmac.com/publication_docs/OBTS_v2_Bradley.pdf * Unauthd - Logic bugs FTW - A2nkF(2020) * [Privilege Escalation

macOS Malware & The Path to Root Part 2 - Phil Stokes(2019)](https://www.sentinelone.com/blog/privilege-escalation-macos-malware-the-path-to-root-part-2/) https://www.criticalstart.com/local-privilege-escalation-vulnerability-discovered-in-vmware-fusion/ Shellcode * 101 * Creating OSX shellcodes - theevilbit(2015) * Shellcode: Mac OSX amd64 - odzhan(2017) * Techniques * Talks/Presentations/Videos * Tools * Samples * OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) * OSX/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) TCC https://blog.fleetsmith.com/tcc-a-quick-primer/ https://lapcatsoftware.com/articles/disclosure3.html https://eclecticlight.co/2018/10/10/watching-mojaves-privacy-protection-at-work/ https://eclecticlight.co/2020/11/25/macos-has-checked-app-signatures-online-for-over-2-years/ https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy https://www.macobserver.com/link/about-macos-transparency-consent-and-control-system/ https://www.theregister.com/2020/07/01/apple_macos_privacy_bypass/ https://lockboxx.blogspot.com/2019/04/macos-red-teaming-205-tcc-transparency.html https://blog.xpnsec.com/bypassing-macos-privacy-controls/ https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://eclecticlight.co/2019/07/22/mojaves-privacy-consent-works-behind-your-back/ https://lapcatsoftware.com/articles/disclosure2.html https://mjtsai.com/blog/tag/transparency-consent-and-control-tcc/ https://fpf.org/2020/07/06/ios-privacy-advances/ https://github.com/slyd0g/SwiftParseTCC https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14 https://eclecticlight.co/2018/10/10/watching-mojaves-privacy-protection-at-work/ https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 URL Schemes * Custom_URL_Scheme Workflows https://support.apple.com/guide/automator/use-quick-action-workflows-aut73234890a/mac XPC https://www.youtube.com/watch?v=KPzhTqwf0bA&list=PLYvhPWR_XYJmwgLkZbjoEOnf2I1zkylz8&index=7

End Unsorted Section

macOS Post-Exploitation General Notes

F

AppleScript, Objective-C & Swift

F

Post-Exploitation OS X

Educational
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
  - The Mouse is Mightier than the Sword - Patrick Wardle
    - In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!
  - Fire & Ice; Making and Breaking macOS firewalls - Patrick Wardle(Rootcon12)
    - Slides
  - When Macs Come Under ATT&CK - Richie Cyrus(Derbycon2018)
    - Macs are becoming commonplace in corporate environments as a alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an active directory domain and ripe for attackers to leverage for initial access and lateral movement. Mac malware is evolving as Mac computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting MacOS systems in a enterprise environment. Despite advancements in MacOS security tooling for a single user/endpoint, little is known and discussed regarding detection at a enterprise level. This talk will discuss common tactics, techniques and procedures used by attackers on MacOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their MacOS fleet.
  - Harnessing Weapons of Mac Destruction - Patrick Wardle
  - Herding cattle in the desert: How malware actors have adjusted to new security enhancements in Mojave - Omer Zohar
    - Slides
    - In this talk, we’ll deep dive into recent security changes in MacOS Mojave & Safari and examine how these updates impacted actors of highly distributed malware in terms of number of infections, and more importantly - monetization. We’ll take a look at malware actors currently infecting machines in the wild (Bundlore and Genio to name a few) - and investigate how their tactics evolved after the update: From vectors of infection that bypass Gatekeeper, getting around the new TCC dialogs, hijacking search in a SIP protected Safari, to persistency and reinfection mechanisms that ultimately turn these ‘annoying PUPs’ into a fully fledged backdoored botnet.
  - Never Before Had Stierlitz Been So Close To Failure (Sergei Shevchenko(OBTS v2.0)
    - Slides
    - In this research, we'll dive into the installer's Mach-O binary to demonstrate how it piggy-backs on 'non-lazy' Objective-C classes, the way it dynamically unpacks its code section in memory and decrypts its config. An in-depth analysis will reveal the structure of its engine and a full scope of its hidden backdoor capabilities, anti-debugging, VM evasion techniques and other interesting tricks that are so typical to the Windows malware scene but aren’t commonly found in the unwanted apps that claim to be clean, particularly on the Mac platform. This talk reveals practical hands-on tricks used in Mach-O binary analysis under a Hackintosh VM guest, using LLDB debugger and IDA Pro disassembler, along with a very interesting marker found during such analysis. Curious to learn what that marker was? Willing to see how far the Mac-specific techniques evolved in relation to Windows malware?
  - Bash-ing Brittle Indicators: Red Teaming macOS without Bash or Python - Cody Thomas(ObjectiveByTheSea v2.0)
    - Objective by the Sea 354 subscribers On macOS, defenders are watching shell scripts, a few common binaries, and python usage as easy tell-tale signs of red teamers. After all, it's very anomalous for HR to start running Python, Perl, or Ruby, and Marketing employees never run shell commands. As EDR products and defenders start to get more adept at looking into macOS, it's time for red teamers to start adapting as well. The question becomes: what should you use for an agent? If only macOS had a native scripting capability geared towards automating tasks common across all disciplines that is meant to be accessible even to non-programmers. In this talk, I'll go into the research, development, and usage of a new kind of agent based on JavaScript for Automation (JXA) and how it can be used in modern red teaming operations. This agent is incorporated into a broader open source project designed for collaborative red teaming I created called Apfell. I will discuss TTPs for doing reconnaissance, persistence, injection, and some keylogging all without using a shell command or spawning another scripting language. I will go into details of how JXA can be used to create an agent complete with encrypted key exchange for secure communications, domain fronting C2, and modular design to load or change key functionality on the fly. I will also cover the defensive considerations of these TTPs and how Apple is starting to secure these capabilities going forward.
  - An 0day in macOS - Patrick Wardle(OBTSv2.0)
    - Slides
    - Let's talk about a powerful 0day in macOS Mojave.
  - Yin and Yang: The Art of Attack and Defense on macOS - Patrick Wardle(JNUC2019)
    - This session will begin by looking at recent malware infections targeting macOS and how (interactive) attackers can further penetrate the macOS enterprise. We'll then switch gears to talk about Apple's recent macOS security improvements, then wrap up by discussing security solutions today that are able to detect advanced macOS threats that may bypass Apple’s built-in security mechanisms.
  - Offensive Ops In macOS Environments by Cedric Owens(Greyhat2020)
    - Slides
- Tools
  - Jamf-Attack-Toolkit
    - Suite of tools to facilitate attacks against the Jamf macOS management platform. These tools compliment the talk given by Calum Hall and Luke Roberts at Objective By The Sea V3, slides and video can be found here and here.
- Writeups that didn't fit elsewhere
  - The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits - TrendMicro
Execution
- General
  - Apple Silicon Macs to Require Signed Code - @mjtsai(2020)
  - macOS Pop-Ups
    - This repo serves as a collection of Red Team techniques and administrative tasks for various macOS versions that cause popups, what those popups look like, what permissions are being requested, where they're stored, and hopefully how to check for them before causing popups.
- Unsorted
- Command and Scripting Interpreter
  - AppleScript
    - 101
      - AppleScript Language Guide - developer.apple
      - AppleScript Fundamentals - developer.apple
        
        Section from the Language Guide
      - AppleScript - William R. Cook(2006)
      - Scripting with AppleScript - developer.apple
        
        The following is a brief introduction to AppleScript scripts, tools for working with them, and information on using AppleScript scripts together with other scripting systems. For related documents, see the learning paths in Getting Started with AppleScript.
      - AppleScript: The Definitive Guide, 2nd Edition - Matt Neuburg
      - AppleScript Reference Library
      - AppleScriptLanguageGuide - Apple
      - Open Scripting Architecture - developer.apple.com
    - Articles/Blogposts/Writeups
    - Tools
      - Orchard
        
        Live off the land for macOS. This program allows users to do Active Directory enumeration via macOS JXA (JavaScript for Automation) code. This is the newest version of AppleScript, and thus has very poor documentation on the web.
  - Javascript for Automation(JXA)
    - Talks/Presentations/Videos
      - Bash-ing Brittle Indicators: Red Teaming macOS without Bash or Python - Cody Thomas(Objective by the Sea v2.0)
        
        Slides
        
        In this talk, I'll go into the research, development, and usage of a new kind of agent based on JavaScript for Automation (JXA) and how it can be used in modern red teaming operations. This agent is incorporated into a broader open source project designed for collaborative red teaming I created called Apfell. I will discuss TTPs for doing reconnaissance, persistence, injection, and some keylogging all without using a shell command or spawning another scripting language. I will go into details of how JXA can be used to create an agent complete with encrypted key exchange for secure communications, domain fronting C2, and modular design to load or change key functionality on the fly. I will also cover the defensive considerations of these TTPs and how Apple is starting to secure these capabilities going forward.
  - Objective-C
    - Articles/Blogposts/Writeups
      - Making Objective C Calls From Python Standard Libraries (Red Team Edition) - Cedric Owens(2020)
  - Swift
    - Articles/Blogposts/Writeups
      - Making Objective C Calls From Python Standard Libraries (Red Team Edition) - Cedric Owens(2020)
      - Loading Python Runtimes in Swift - Cedric Owens(2020)
    - Tools
      - ShellOut
        
        Easily run shell commands from a Swift script or command line tool
- In-Memory Execution
  - Articles/Blogposts/Writeups
  - Tools
    - macos_execute_from_memory
      - PoC of macho loading from memory
- Office Macros
  - Articles/Blogposts/Writeups * Running JXA Payloads from macOS Office Macros - Cedric Owens(2020)
  - Talks/Presentations/Videos
    - Office Drama on macOS - Patrick Wardle(DefconSafemode2020)
      - On the Windows platform, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community. In this talk, we will begin by analyzing recent documents that contain macro-based attacks targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, (luckily) these malicious documents and their payloads are constrained by recent application and OS-level security mechanisms. However, things could be far worse! To illustrate this claim, we'll detail the creation of a powerful exploit chain, that begins with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no other user interaction was required in order to persistently infect even a fully-patched macOS Catalina system! To end the talk, we'll discuss various prevention and detection mechanisms that could thwart each stage of the exploit chain, as well as that aim to generically provide protection against future attacks!
- URL Handlers
  - Articles/Blogposts/Writeups
    - Few click RCE via GitHub Desktop macOS client with Gatekeeper bypass and custom URL handlers - theevilbit(2019)
- User Execution
  - Malicious Link
    - Articles/Blogposts/Writeups
      - URL Routing on macOS - Florian Schliep
      - Remote Mac Exploitation Via Custom URL Schemes - Patrick Wardle(2018)
  - Malicious File
    - Articles/Blogposts/Writeups
      - Native Mac OS X Application / Mach-O Backdoors for Pentesters
    - Tools
      - HappyMac
        
        A Python Mac app to suspend background processes
      - Platypus
        
        Platypus is a developer tool that creates native Mac applications from command line scripts such as shell scripts or Python, Perl, Ruby, Tcl, JavaScript and PHP programs. This is done by wrapping the script in an application bundle along with a slim app binary that runs the script.
- Tools
  - Mouse
    - Mouse Framework is an iOS and macOS post-exploitation framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.
  - Appfell
    - A collaborative, multi-platform, red teaming framework
  - MacShell Post Exploitation Tool - Cedric Owens
  - MacShell
    - MacShell is a macOS post exploitation tool written in python using encrypted sockets. I wrote this tool as a way for defenders and offensive security researchers to more easily understand the inner workings of python-based post exploitation tools on macOS.
  - MacShellSwift
    - MacShellSwift is a proof of concept MacOS post exploitation tool written in Swift using encrypted sockets. I rewrote a prior tool of mine MacShell (one of my repos) and changed the client to Swift intstead of python. This tool consists of two parts: a server script and a client binary. I wrote this tool to help blue teamers proactively guage detections against macOS post exploitation methods that use macOS internal calls. Red teams can also find this of use for getting ideas around using Swift for macOS post exploitation.
  - Parasite
    - Parasite is a powerful code insertion platform for OS X. It enables developers to easily create extensions which change the original behavior of functions. For users Parasite provides an easy way to install these extensions and tweak their OS.
  - EvilOSX
    - A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.
Persistence
- General
  - Articles/Blogposts/Writeups
- Presentations/Talks/Videos
  - Userland Persistence On Mac Os X "It Just Works" - Shmoocon 2015
    - Got root on OSX? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already running daemon processes to guarantee your access. As the presentation will show, if given userland administrative access (read: root), how easy it is to persist between reboots without plists, non-native binaries, scripting, and kexts or kernel patching using the Backdoor Factory.
- Boot or Logon Initialization Scripts
  - Logon Script (Mac)
    - Adding Login Items - developer.apple
    - Open items automatically when you log in on Mac - developer.apple
- Compromise Client Software Binary
  - Mail.app
    - Using email for persistence on OS X - n00py
- Folder Actions
  - Folder Actions for Persistence on macOS - Cody Thomas(2019)
- Xcode
  - Running and disguising programs through XCode shims on OS X
- Tools
  - p0st-ex
    - Post-exploitation scripts for OosxpostS X persistence and privesc
  - iMessagesBackdoor
    - A script to help set up an event handler in order to install a persistent backdoor that can be activated by sending a message.
Privilege Escalation
- General
  - Articles/Blogposts/Writeups
    - Hidden backdoor API to root privileges in Apple OS X
      - The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system. The intention was probably to serve the “System Preferences” app and systemsetup (command-line tool), but any user process can use the same functionality. Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3.
      - Works on 10.7 -> 10.10.2
  - Presentations/Talks/Videos
    - Hacking Exposed: Hacking Macs - RSA Keynote, George Kurtz and Dmitri Alperovitch, Part 1 "Delivery"(2019)
      - CrowdStrike Co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, and Falcon OverWatch Senior Engineer Jaron Bradley demonstrate a “Delivery” stage attack against a MacOS system. This demo is from their RSA 2019 keynote address titled, “Hacking Exposed: Hacking Macs.”
    - Hacking Macs from RSA- George Kurtz and Dmitri Alperovitch, Part 2 "Privilege Escalation"
      - CrowdStrike Co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, and Falcon OverWatch Senior Engineer Jaron Bradley demonstrate a “Privilege Escalation” stage attack against a MacOS system. This demo is from their RSA 2019 keynote address titled, “Hacking Exposed: Hacking Macs.”
    - OSX XPC Revisited - 3rd Party Application Flaws - Tyler Bohan(OffensiveCon2020)
      - XPC or cross process communication is a way for OSX and iOS processes to communicate with one another and share information. One use for this is to elevate privileges using a daemon who listens as a XPC service. While Apple has released a coding guideline it is all to often ignored or incorrectly implemented in third-party applications. One striking example of this is the Privileged Helper Tool. In this talk I am going to dive into what a Privileged Helper Tool is and why you should care about it. I will show the viewers how to locate these on an OSX computer and walk through the reverse engineering steps needed to identify if the service is vulnerable. We will then set up communications via Objective-C to deliver a privilege escalation attack. I will be showcasing twenty plus vulnerabilities in at least five products. All tooling and code will be released with the talk!
- Dylib Hijacking
  - Articles/Blogposts/Writeups
    - DylibHijack
      - python utilities related to dylib hijacking on OS X
  - Talks/Presentations/Videos
    - Gaining Root with Harmless AppStore Apps - Csaba Fitzi
      - Slides
      - This talk is about my journey from trying to find dylib hijacking vulnerability in a particular application to finding a privilege escalation vulnerability in macOS. During the talk I will try to show the research process, how did I moved from one finding to the next and I will also show many of the failures / dead ends I had during the exploit development.First I will briefly cover what is a dylib hijacking, and what is the current state of various application regarding this type of vulnerability. We will see how hard is to exploit these in many cases due to the fact that root access is required. Second I will cover two seemingly harmless bugs affecting the installation process of AppStore apps, and we will see how can we chain these together in order to gain root privileges - for this we will utilise a completely benign app from the macOS App Store. Part of this I will cover how can we submit apps to the store, and what are the difficulties with that process.In the last part I will cover how we can infect and include our malicious file in an App installer without breaking the App’s signature.
    - Automated Dylib Hijacking - Jimi Sebree(Derbycon2019)
      - Applications on macOS use a common and flawed method of loading dynamic libraries (dylib), which leaves them vulnerable to a post-exploitation technique known as dylib hijacking. Dylib hijacking is a technique used to exploit this flawed loading method in order to achieve privilege escalation, persistence, or the ability to run arbitrary code. This talk provides an overview of the attack vector and the process involved in exploiting vulnerable applications. Additionally, the process of automating the exploitation of vulnerable applications will be demonstrated and discussed in depth. The tools developed and used for this demonstration will be made publicly available.
  - Tools
    - boko
      - boko.py is an application scanner for macOS that searches for and identifies potential dylib hijacking and weak dylib vulnerabilities for application executables, as well as scripts an application may use that have the potential to be backdoored. The tool also calls out interesting files and lists them instead of manually browsing the file system for analysis. With the active discovery function, there's no more guess work if an executable is vulnerable to dylib hijacking!
- Elevated Execution with Prompt
  - Articles/Blogposts/Writeups
- Emond
- Exploitation for Privilege Escalation
  - CVE-2019-8805 - A macOS Catalina privilege escalation - Scott Knight
  - Sniffing Authentication References on macOS - Patrick Wardle(2018)
    - details of a privilege-escalation vulnerability (CVE-2017-7170)
    - The Ugly: for last ~13 years (OSX 10.4+) anybody could locally sniff 'auth tokens' then replay to stealthy & reliably elevate to r00t 🍎🤒☠️ The Bad: reported to Apple -they silently patched it (10.13.1) 🤬 The Good: when confronted they finally assigned CVE + updated docs 😋 [pic.twitter.com/RlNBT1DBvK](pic.twitter.com/RlNBT1DBvK)
  - Mac OS X local privilege escalation (IOBluetoothFamily)
  - How to gain root with CVE-2018-4193 in < 10s - Eloi Benoist-Vanderbeken
  - CVE-2018-4193
    - exploit for CVE-2018-4193
  - Rootpipe
    - Rootpipe Reborn (Part I) - codecolorist
      - CVE-2019-8513 TimeMachine root command injection
    - Rootpipe Reborn (Part II) - codecolorist
      - CVE-2019-8565 Feedback Assistant race condition leads to root LPE
    - Stick That In Your (root)Pipe & Smoke It - Patrick Wardle(Defcon23)
      - Talk
- Launch Daemon
- Permissions Misconfiguration
  - Articles/Blogposts/Writeups
    - Exploiting directory permissions on macOS - theevilbit
      - In the following post I will first go over the permission model of the macOS filesystem, with focus on the POSIX part, discuss some of the non trivial cases it can produce, and also give a brief overview how it is extended. I won’t cover every single detail of the permission model, as it would be a topic in itself, but rather what I found interesting from the exploitation perspective. Then I will cover how to find these bugs, and finally I will go through in detail all of the bugs I found. Some of these are very interesting as we will see, as exploitation of them involves “writing” to files owned by root, while we are not root, which is not trivial, and can be very tricky.
  - Talks/Presentations/Videos
    - Root Canal - Samuel Keeley(OBTSv2.0)
      - Slides
      - Apple released System Integrity Protection/rootless with OS X El Capitan almost four years ago.The root account is still there, and many common pieces of software open the Mac up to simple root escalations - including common macOS management tools. How can we detect these vulnerabilities across our Mac fleets? What can root still be abused for in 2019?
- Plist Modification
- Privileged File Operations
  - Articles/Blogposts/Writeups
    - An introduction to privileged file operation abuse on Windows - @clavoillotte(2019)
  - Talks/Presentations/Videos
    - Job(s) Bless Us!Privileged Operations on macOS - Julia Vaschenko(OBTSv3.0)
- Process Injection
  - Articles/Blogposts/Writeups
    - Privilege Escalation on OS X below 10.0
      - CVE-2014-8835
  - Tools
    - osxinj
      - Another dylib injector. Uses a bootstrapping module since mach_inject doesn't fully emulate library loading and crashes when loading complex modules.
- Setuid and Setgid
- Startup Items
- Sudo
- Sudo Caching
  - tty_tickets option now on by default for macOS Sierra’s sudo tool - rtrouton
  - Privilege escalation on OS X – without exploits - n00py.io
- Valid Accounts
- Web Shell
- SIP Bypass
  - abusing the local upgrade process to bypass SIP - Objective-see
- Exploits
  - Why <blank> Gets You Root- Patrick Wardle(2017)
    - In case you haven't heard the news, there is a massive security flaw which affects the latest version of macOS (High Sierra). The bug allows anybody to log into the root account with a blank, or password of their choosing. Yikes!
  - macOS 10.13.x SIP bypass (kernel privilege escalation)
    - "Works only on High Sierra, and requires root privilege. It can be chained with my previous local root exploits."
    - Slides
  - IOHIDeous(2017)
    - Code
    - A macOS kernel exploit based on an IOHIDFamily 0day.
  - Issue 1102196: Security: Keystone for macOS should use auditToken to validate incoming XPC message - Project0
    - PrivEsc through Chrome installer.
- Talks/Presentations/Videos
  - Death By 1000 Installers on macOS and it's all broken! - Patrick Wardle(Defcon25)
    - Slides
  - Attacking OSX for fun and profit tool set limiations frustration and table flipping Dan Tentler - ShowMeCon
    - 'I was approached by Fusion to be part of their 'Real Future' documentary - specifically, and I quote, to 'see how badly I could fuck his life up, while having control of his laptop'. They wanted me to approach this scenario from how a typical attacker wou'
- Tools
  - BigPhish
    - This issue has been resolved by Apple in MacOS Sierra by enabling tty_tickets by default. NOTE: All other MacOS operation system (El Capitan, Yosemite, Mavericks etc...) still remain vulnerable to this exploit.
Defense Evasion
- 101
- Articles/Blogposts/Writeups
  - Creating undetected malware for OS X - Erik Pistelli(2013)
  - The vulnerability in Remote Login (ssh) persists - hoakley(2020)
- Talks/Presentations/Videos
  - Bypassing MacOS Detections With Swift - Cedric Owens(Derbycon2019)
    - This talk is centered around red teaming in MacOS environments. Traditionally, MacOS post exploitation has largely been done in python with a heavy reliance on command line utilities. However, as defender tradecraft continues to evolve with detecting suspicious python usage on MacOS, we (as red teamers) should consider migrating to different post exploitation methods. In this talk, I will share why the Swift language can be beneficial for red teaming macOS environments. I will also share some macOS post exploitation code I have written using the Swift programming language and contrast detection techniques between python and Swift based post exploitation.
- Tools
  - appencryptor
    - A command-line tool to apply or remove Apple Binary Protection from an application.
- Application Whitelisting
  - Articles/Blogposts/Writeups * Bypassing Google's Santa Application Whitelisting on macOS (Part 1 of 2) - Adam Crosser * Bypassing Google's Santa Application Whitelisting on macOS (Part 2 of 2) - Adam Crosser
- Endpoint Security
  - 101
    - EndpointSecurity - developer.apple
      - Endpoint Security is a C API for monitoring system events for potentially malicious activity. Your client, which you can write in any language supporting native calls, registers with Endpoint Security to authorize pending events, or receive notifications of events that have already occurred. These events include process executions, mounting file systems, forking processes, and raising signals. Develop your system extension with Endpoint Security and package it in an app that uses the SystemExtensions framework to install and upgrade the extension on the user’s Mac.
  - Articles/Blogposts/Writeups
- Gatekeeper
  - 101
    - Gatekeeper - Wikipedia
    - Gatekeeper Bypass - ATT&CK
    - Safely open apps on your Mac - support.apple
      - 'macOS includes a technology called Gatekeeper, that's designed to ensure that only trusted software runs on your Mac.'
    - Launch Service Keys - LSFileQuarantineEnabled
    - macOS Code Signing In Depth - developer.apple
  - Articles/Blogposts/Writeups
- System Integrity Protection(SIP)
  - 101
  - Articles/Blogposts/Writeups
    - Bypassing Apple's System Integrity Protection - Patrick Wardle
      - abusing the local upgrade process to bypass SIP]
  - Talks/Presentations/Videos
    - Bad Things in Small Packages - Jaron Bradley
      - Slides
      - This talk will primarily focus on the work that went into discovering CVE-2019-8561. The vulnerability exists within PackageKit that could lead to privilege escalation, signature bypassing, and ultimately the bypassing of Apple's System Integrity Protection (SIP). This vulnerability was patched in macOS 10.14.4, but the details behind this exploit have not been documented anywhere prior to this conference!
- XProtect
  - 101
    - XProtect Explained: How Your Mac’s Built-in Anti-malware Software Works - Chris Hoffman(2015)
    - How the “antimalware” XProtect for MacOS works and why it detects poorly and badly - ElevenPaths(2019)
  - Articles/Blogposts/Writeups
    - How To Bypass XProtect on Catalina - Phil Stokes
    - XProtect
      - This repo contains historical releases of the XProtect configuration data.
Credential Access
- Cracking Password Hashes
  - Articles/Blogposts/Writeups
  - Tools
    - DaveGrohl 3.01 alpha
      - A Password Cracker for OS X
- Bash History
  - Articles/Blogposts/Writeups
- Brute Force
  - Articles/Blogposts/Writeups
  - Tools
- Credential Dumping
  - Articles/Blogposts/Writeups
    - Getting What You’re Entitled To: A Journey Into MacOS Stored Credentials - MDSec(2020)
      - In this blog post we will explore how an operator can gain access to credentials stored within MacOS third party apps by abusing surrogate applications for code injection, including a case study of Microsoft Remote Desktop and Google Drive.
    - Bypassing MacOS Privacy Controls - Adam Chester(2020)
  - Talks/Presentations/Videos
  - Tools
- Credentials from Web Browsers
  - Articles/Blogposts/Writeups
  - Talks/Presentations/Videos
  - Tools
- Credentials in Files
  - Articles/Blogposts/Writeups
  - Talks/Presentations/Videos
  - Tools
- Exploitation for Credential Access
  - Articles/Blogposts/Writeups
  - Talks/Presentations/Videos
  - Tools
- Input Capture
  - Articles/Blogposts/Writeups
    - How to Dump 1Password, KeePassX & LastPass Passwords in Plaintext - Tokyoneon
    - Fun With Frida - James(2019)
- In this post, we’re going to take a quick look at Frida and use it to steal credentials from KeePass.
  - Talks/Presentations/Videos
  - Tools
    - kcap
      - This program simply uses screen captures and programmatically generated key and mouse events to locally and graphically man-in-the-middle an OS X password prompt to escalate privileges.
- Input Prompt
  - Articles/Blogposts/Writeups
    - osascript: for local phishing - fuzzynop
  - Talks/Presentations/Videos
  - Tools
    - Empire propmt.py
    - FiveOnceinYourlife
      - Local osx dialog box phishing using osascript. Easier than keylogging on osx. Simply ask for the passwords you want.
- Keychain
  - Articles/Blogposts/Writeups
    - Keychain Services - developer.apple.com
    - Security Flaw in OS X displays all keychain passwords in plain text - Brenton Henry(2016)
      - There is a method in OS X that will allow any user to export your keychain, without sudo privileges or any system dialogs, to a text file, with the username and passwords displayed in plain text. As of this writing(2016), this method works in at least 10.10 and 10.11.5, and presumably at the least all iterations in between.
    - Stealing macOS apps' Keychain entries - Wojciech Reguła(2020)
  - Talks/Presentations/Videos
    - OBTS v2.0 "KeySteal: A Vulnerability in Apple's Keychain" (Linus Henze)
      - Slides
      - What do your iCloud, Slack, MS Office, etc. credentials have in common? Correct, they're all stored inside your Mac's Keychain. While the Keychain is great because it prevents all those annoying password prompts from disturbing you, the ultimate question is: Is it really safe? Does it prevent malicious Apps from stealing all my passwords?In this talk I will try to answer those questions, showing you how the Keychain works and how it can be exploited by showing you the full details of my KeySteal exploit for the first time. The complete exploit code will be available online after the talk.
  - Tools
    - Mac OS X Keychain Forensic Tool
      - The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. Master Key candidates can be extracted from volafox or volatility keychaindump module. Supports: Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra. This branch contains a quick patch for chainbreaker to dump non-exportable keys on High Sierra, see README-keydump.txt for more details.
    - KeySteal
      - KeySteal is a macOS <= 10.14.3 Keychain exploit that allows you to access passwords inside the Keychain without a user prompt. The vulnerability has been assigned CVE-2019-8526 number.
    - OSX Key Chain Dumper
      - 'Scripts to dump the values out of OSX Keychain. Tested on OS X El Capitan ver 10.11.6'
    - keychaindump(2015)
      - Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files.
    - osx-hash-dumper
      - Bash script to dump OSX user hashes in crackable format. Author: Cedric Owens
    - retrieve-osxhash.py
    - Chainbreaker2 - Luke Gaddie
- Network Sniffing
  - Articles/Blogposts/Writeups
  - Talks/Presentations/Videos
  - Tools
- Private Keys
  - Articles/Blogposts/Writeups
- Securityd Memory
  - Articles/Blogposts/Writeups
  - Tools
- Steal Web Session Cookie
  - Articles/Blogposts/Writeups
  - Tools
- Two-Factor Authentication Interception
  - Articles/Blogposts/Writeups
  - Tools
Discovery
- Mac Quarantine Event Database - menial.co.uk(2011)
  - After all the fuss surrounding the iPhone location log, you may be interested to know that there is a file on Macs running Snow Leopard or higher that keeps a record of files you've downloaded. This record is not purged when you clear Safari downloads, caches or even reset Safari completely.
- General/Unsorted
- Process Discovery
  - Articles/Blogposts/Writeups
  - Tools
    - Kemon
      - An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.
    - Sinter
      - Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. Sinter uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types. The current version of Sinter supports allowing/denying process executions; in future versions we intend to support other types of events such as file, socket, and kernel events.
- Remote System Discovery
  - Articles/Blogposts/Writeups
  - Tools
- Security Software Discovery
  - Articles/Blogposts/Writeups
  - Tools
    - AV_Enum_JXA
      - JXA code to enumerate security software on a macOS host
- Software Discovery
  - Articles/Blogposts/Writeups
  - Tools
- System Information Discovery
  - Articles/Blogposts/Writeups
  - Tools
    - SwiftBelt
      - SwiftBelt is a macOS enumerator inspired by @harmjoy's Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host. I intentionally did not include any functions that cause pop-ups (ex: keychain enumeration).
    - HealthInspector
      - JXA situational awareness helper by simply reading specific files on a filesystem
- Tools
  - forgetmenot
    - local looting script in python
  - APOLLO - Apple Pattern of Life Lazy Output'er
    - APOLLO stands for Apple Pattern of Life Lazy Output’er. I wanted to create this tool to be able to easily correlate multiple databases with hundreds of thousands of records into a timeline that would make the analyst (me, mostly) be able to tell what has happened on the device. iOS (and MacOS) have these absolutely fantastic databases that I’ve been using for years with my own personal collection of SQL queries to do what I need to get done. This is also a way for me to share my own research and queries with the community. Many of these queries have taken hours, even days to research and compile into something useful. My goal with this script is to put the analysis function the SQL query itself. Each query will output a different part of the puzzle. The script itself just compiles the data into a CSV or SQLite database for viewing and filtering. While this database/spreadsheet can get very large, it is still more efficient that running queries on multiple databases and compiling the data into a timeline manually.
Lateral Movement
- AppleScript
  - Articles/Blogposts/Writeups
  - Tools
- Application Deployment Software
  - Articles/Blogposts/Writeups
  - Tools
- Exploitation of Remote Services
  - Articles/Blogposts/Writeups
  - Tools
- Internal Spearphishing
  - Articles/Blogposts/Writeups
  - Tools
- Logon Scripts
  - Articles/Blogposts/Writeups
  - Tools
- Remote File Copy
  - Articles/Blogposts/Writeups
  - Tools
- Remote Services
  - Articles/Blogposts/Writeups
  - Tools
- SSH Hijacking
  - Articles/Blogposts/Writeups
    - Interacting with MacOS terminal windows for lateral movement - Steve Borosh
  - Tools
- Third-party Software
  - Articles/Blogposts/Writeups
  - Tools
Collection
- 101
- Articles/Blogposts/Writeups
  - Breaking macOS Mojave Beta: does apple adequately protect the webcam and mic? ...no - Patrick Wardle(2018)
- Audio Capture
- Automated Collection
- Browser-Data
  - Articles/Blogposts/Writeups
  - Tools
    - Chlonium
      - Chlonium is an application designed for cloning Chromium Cookies.
- Clipboard Data
- Data from Information Repositories
- Data from Local System
  - Articles/Blogposts/Writeups
    - Stealing local files using Safari Web Share API - Pawel Wylecial(2020)
  - Tools
    - PICT - Post-Infection Collection Toolkit
      - This set of scripts is designed to collect a variety of data from an endpoint thought to be infected, to facilitate the incident response process. This data should not be considered to be a full forensic data collection, but does capture a lot of useful forensic information.
    - PICT-Swift (Post Infection Collection Toolkit)
      - This is a Swift (and slightly modified) version of Thomas Reed's PICT (Post Infection Collection Toolkit: https://github.com/thomasareed/pict). Thomas Reed is the brains behind the awesome PICT concept. I just simply wrote a Swift version of it and added an additional collector.
    - macOS-browserhist-parser
      - Swift code to parse the quarantine history database, Chrome history database, Safari history database, and Firefox history database on macOS.
- Data from Network Shared Drive
- Data from Removable Media
- Data Staged
- Input Capture
  - Articles/Blogposts/Writeups
    - Using IOHIDManager to Get Modifier Key Events - StackOverflow
    - OSX HID Filter for Secondary Keyboard? - StackOverflow
  - Tools
    - SwiftSpy
      - macOS keylogger, clipboard monitor, and screenshotter written in Swift
    - Swift-Keylogger
      - Keylogger for mac written in Swift using HID
- Screen Capture
  - Articles/Blogposts/Writeups
    - [Programmatically Screenshot
Swift 3, macOS - StackOverflow](https://stackoverflow.com/questions/39691106/programmatically-screenshot-swift-3-macos) * Tools
- Video Capture
MacOS Red Teaming Blogpost Series by Action Dan(2019)

macOS Technologies

Code Signing
- macOS Code Signing In Depth
- Launch Service Keys - LSFileQuarantineEnabled
Endpoint Security Framework
- EndpointSecurity - developer.apple
  - Endpoint Security is a C API for monitoring system events for potentially malicious activity. Your client, which you can write in any language supporting native calls, registers with Endpoint Security to authorize pending events, or receive notifications of events that have already occurred. These events include process executions, mounting file systems, forking processes, and raising signals. Develop your system extension with Endpoint Security and package it in an app that uses the SystemExtensions framework to install and upgrade the extension on the user’s Mac.
GateKeeper
- App security overview - support.apple
- Protecting against malware - support.apple
- Gatekeeper and runtime protection - support.apple
- Gatekeeper - Wikipedia
  - 'macOS includes a technology called Gatekeeper, that's designed to ensure that only trusted software runs on your Mac.'
- Safely open apps on your Mac - support.apple
Mach-O Binaries
- 101
System Integrity Protection
Transparency, Consent, and Control
XProtect
- XProtect Explained: How Your Mac’s Built-in Anti-malware Software Works - Chris Hoffman(2015)
- How the “antimalware” XProtect for MacOS works and why it detects poorly and badly - ElevenPaths(2019)

macOS Code Injection

101
General Information
Articles/Blogposts/Writeups
Techniques

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PrivescPostExmac.md

PrivescPostExmac.md

macOS Privilege Escalation & Post-Exploitation

Table of Contents

Begin Unsorted Section

End Unsorted Section

macOS Post-Exploitation General Notes

F

AppleScript, Objective-C & Swift

F

Post-Exploitation OS X

macOS Technologies

macOS Code Injection

Files

PrivescPostExmac.md

Latest commit

History

PrivescPostExmac.md

File metadata and controls

macOS Privilege Escalation & Post-Exploitation

Table of Contents

Begin Unsorted Section

End Unsorted Section

macOS Post-Exploitation General Notes

F

AppleScript, Objective-C & Swift

F

Post-Exploitation OS X

macOS Technologies

macOS Code Injection