Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence

1
Hunting for macOS attack techniques
Part 1 – Initial Access, Execution, Credential Access, Persistence
Teymur Kheirkhabarov
Director of Cyber Threat Monitoring, Response
and Research Department, BI.ZONE
Maxim Tumakov
Head of Cyber Threat Research, BI.ZONE

View Slide

2
dscl . -read "/Users/$(id -un)" RealName
• Director of Cyber Threat Monitoring, Response
and Research Department at BI.ZONE (SOC,
MDR, DFIR, TI, EDR, XDR, IRP, etc.)
• Threat Hunter
• ZeroNights / PHDays / OFFZONE speaker
• GIAC GXPN / GCFA / GDSA certified
• Ex- Head of SOC R&D at Kaspersky Lab / SOC
Analyst / Infosec Admin/ IT
• Twitter @HeirhabarovT
• Telegram @Heirhabarov
Teymur
Kheirkhabarov
• Head of Cyber Threat Research at BI.ZONE
• Threat Hunter
• Ex- Digital Forensics & Incident Response
expert (Informzaschita)
• Ex- Security Researcher (Kaspersky)
• OSCP / eCPTXv2 certified
• Telegram @mrtrumster
Maxim
Tumakov

View Slide

3
What we are going to talk about?

View Slide

4
What we used to prepare this talk?

View Slide

5
macOS monitoring mechanisms

View Slide

6
macOS monitoring tools

View Slide

7
Red Canary Mac Monitor

View Slide

8
Initial Access

View Slide

9
Initial Access

View Slide

10
Application
Application bundles are one of
the most common types of bundle
created by developers. The
application bundle stores
everything that the application
requires for successful operation
*.app in MacOS ≈ C:\ProgramFiles\\ in Windows

View Slide

11
Application. Malicious document
Document.pdf.app
The application disguised as a
PDF document
Main.scpt
The AppleScript launching
the second stage load
applet
The main binary file of the
application that runs the AppleScript

View Slide

12
Application. Malicious document. Let’s hunt it!
dev_os_type:macos AND
event_type:ProcessCreate
(
cmdline.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
proc_file_path.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
proc_p_file_path.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
proc_p_cmdline.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/
)
Running a process with suspicious extensions

View Slide

13
Packages
GUI Installer:
/System/Library/PrivateFrameworks/PackageKit
.framework/Versions/A/XPCServices/package_sc
ript_service.xpc/Contents/MacOS/package_scri
pt_service
CLI Installer:
/usr/sbin/installer
*.pkg in MacOS ≈ *.msi in Windows
Packages is a directory that contain a hierarchy of files
or objects that represent a preserved, organized state. A
package is displayed to users like a single file in the
Finder application to avoid being changed by the user.

View Slide

14
Packages. Pre\Post install scripts
Normally, pre\post install scripts are used for preparing
and cleaning up software installations. The preinstall
script is run before package installation and the
postinstall script is run after

View Slide

15
Packages. Pre\Post install scripts. Let’s hunt it!
Running a pre\post install script
1. May be noisy - must be profiled for specific infrastructure
2. Сan be used to threat hunting
proc_p_file_path:"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices
/package_script_service.xpc/Contents/MacOS/package_script_service" AND
cmdline:("/preinstall" OR "/postinstall") AND
proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
"/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

View Slide

16
Packages. Pre\Post install scripts. Let’s hunt it!
Launching child processes of pre\post install script
1. More accurate, but must be profiled for specific infrastructure too
2. Сan be used to threat hunting
proc_p_cmdline:("/tmp/" AND "/Scripts/" AND ("/preinstall" OR "/postinstall")) AND
If the malicious command
ends with sign & then the parent
process will be /sbin/launchd. The
hunt does not work in this case

View Slide

17
Packages. Pre\Post install Scripts. Let’s hunt it!
Starting a process from the installer's temporary directory
proc_cwd.keyword:/.*\/private\/tmp\/PKInstallSandbox.*/ AND

View Slide

18
Packages. Distribution.xml
Distribution XML file (embedded script)
Distribution XML file (external script)

View Slide

19
Packages. Distribution.xml. Let’s hunt it!
Distribution XML file (embedded script)
proc_p_file_path:"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer" AND

View Slide

20
Packages. Distribution.xml. Let’s hunt it!
Distribution XML file (external script)
proc_pp_file_path:"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer" AND

View Slide

21
Packages. Installer Plugin
Installer Plugin is a helper
application that allows you to
customize the installation panel of
the main application
Extra step added by
Installer Plugin

View Slide

22
Packages. Installer Plugin. Let’s hunt it!
A special process is used to launch a installer plugin
proc_p_file_path.keyword:/\/System\/Library\/CoreServices\/Installer.app\/Contents\/XPCServ
ices\/InstallerRemotePluginService-
(x86_64|arm64).xpc\/Contents\/MacOS\/InstallerRemotePluginService-(x86_64|arm64)/ AND

View Slide

23
DMG
An Apple disk image file's name usually has ".dmg" as its
extension. A disk image is a compressed copy of the
contents of a disk or folder. Disk images have .dmg at
the end of their names
*.dmg in MacOS ≈ *.iso in Windows

View Slide

24
DMG
When the application is launched from DMG without installation, the
application bundle will be copied to a temporary directory. This hunt
detects the launch of suspicious processes from such temporary
directories
event_type:ProcessCreate AND
proc_p_cmdline:("/private/var/folders/" AND "/AppTranslocation/") AND

View Slide

25
MS Office
VBA Macro in MS Word document
XLM Macro in MS Excel document

View Slide

26
MS Office. Let’s hunt it!
proc_p_file_path:(
"/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel" OR
"/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" OR
"/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint"
)
AND -cmdline:(
"/Microsoft Error Reporting.app" OR "/Microsoft AutoUpdate.app"
)
VBA Macro XLM Macro

View Slide

27
MS Office. Sandbox escape
MS Office macros run in the sandbox, but there is a well-known escape method:
1. Upload ~$.zip archive with .bash_profile or .zshenv to the target host
2. Create a LoginItem for the victim user
3. After reboot, Login Item will unpack the archive to the user's home directory
4. Now, every time bash/zsh is launched, a malicious load will be launched outside the
sandbox context
Apfell
(Mythic payload)

View Slide

28
MS Office. Sandbox escape. Let’s hunt it!
event_type:(FileCreate OR FileDelete OR FileChange) AND
proc_cwd.keyword:/.*\/Library\/Containers\/com\.microsoft\.(Word|Excel|Powerpoint)\/Data/
file_path.keyword:/.*\/\~\$.*/
To escape from the sandbox, a suspicious macro must create one or more ~$.zip files. This
hunt detects manipulations with similar files

View Slide

29
Drive-by Compromise
proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR
"/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")
AND
proc_p_file_path:(
"/Applications/Safari.app/" OR
"/Applications/Chrome.app/" OR
"/Applications/Firefox.app/"
)
Some browser exploits cause child processes to appear to perform various actions. Such
a general hunt with a low FP ratio can detect traces of exploitation of such vulnerabilities

View Slide

30
Execution

View Slide

31
Execution

View Slide

32
Execution. Open Scripting Architecture (OSA)
The Open Scripting Architecture (OSA) provides a standard and extensible mechanism for
interapplication communication in OS X. This communication takes place through the
exchange of Apple events. An Apple event is a type of interprocess message that
encapsulates commands and data.
Supported languages:
• AppleScript
• JavaScript for Automation (JXA)
Launch method Description
osascript -e "script here" Running one-line command
osascript /path/to/script Running a script from a file
#!/usr/bin/osascript Running a file with a specific header
osacompile - > Mach-O Script compilation
NSAppleScript, OSAScript Launch via native MacOS API
NSCreateObjectFileImageFromMemory Reflective Code Loading
applescript://com.apple.scripteditor?action=new&script= Open URL
OSA scripts in MacOS ≈ Powershell in Windows

View Slide

33
Execution. Open Scripting Architecture (OSA)
AppleScript compilation:
osacompile -o compiled.app apple_script.scpt
AppleScript RunOnly compilation:
osacompile -x -o compiled.app apple_run_only_script.scpt
Directory structure of the
compiled script-application
Directory structure of the
compiled RunOnly script-
application

View Slide

34
Execution. Open Scripting Architecture (OSA). Let’s hunt it!
cmdline.keyword:/.*osascript .*\.(js|scpt).*/
Running a script from a file

View Slide

35
Running suspicious commands
cmdline.keyword:/.*osascript .*-e.*return.*(system info|the clipboard|set popup).*/

View Slide

36
Compiling a script via a command line utility
cmdline.keyword:*osacompile*

View Slide

37
Downloading a file using Objective-C
cmdline:(*dataWithContentsOfURL* OR *URLWithString*)

View Slide

38
Execution. Shell
By default, at least 7 (?) different command shells are installed on Mac OS. Attackers can use shells to:
• execution of shell-embedded commands
• for launching system utilities
• for initializing the reverse shell
• etc

View Slide

39
Execution. Shells. Let’s hunt it!
cmdline.keyword:(
/.*\/dev\/tcp\/.*/ OR
/.*\/dev\/udp\/.*/ OR
/.*zsh\/net\/tcp\/.*/ OR
/.*zsh\/net\/udp\/.*/
)
Attackers can use any command shell
to get a reverse shell on a remote host

View Slide

cmdline:(*base64* OR *b64decode* OR (*openssl* AND *enc* AND *-base64*))
Just like in Windows and Linux, on Mac
OS attackers actively use Base64 to
encode the payload

View Slide

(
proc_file_path:"/usr/bin/nohup" OR
cmdline:*nohup*
)
To run processes in the background, attackers
use the nohup utility, which is rarely used by
legitimate applications on Mac OS

View Slide

42
Execution. Binary
Mach-O, short for Mach object file format, is a file
format for executables, object code, shared libraries,
dynamically loaded code, and core dumps.
Malicious applications often save the payload to the
root of temporary directories, although legitimate
applications almost never do so.
proc_file_path.keyword:(
/\/tmp\/[^\/]*/ OR
/\/private\/tmp\/[^\/]*/ OR
/\/var\/tmp\/[^\/]*/ OR
/\/private\/var\/tmp\/[^\/]*/
)
Symbolic links for temporary macOS directories:
• /tmp -> /private/tmp
• /var -> /private/var

View Slide

43
Execution. Binary. Let’s hunt it!
(
(
cmdline:(*chown* OR *chmod*) AND
cmdline.keyword:(
/.* \/private\/tmp\/[^\/]*/ OR /.* \/tmp\/[^\/]*/ OR
/.* \/private\/var\/tmp\/[^\/]*/ OR /.* \/var\/tmp\/[^\/]*/
)
) OR
(
proc_file_path:("/bin/chmod" OR "/bin/chown") AND
proc_cwd.keyword:(
/\/private\/tmp/ OR /\/tmp/ OR
/\/private\/var\/tmp/ OR /\/var\/tmp/
)
)
)
To launch a malicious file, the attacker needs to
add execution rights. This hunt detects the use
of the chmod\chown utility in the root of
temporary directories

View Slide

44
Execution. Interpreters
event_type:ProcessCreate
cmdline:(
(*SOCK_STREAM* AND *connect* AND *exec*) OR
(*INET* AND *PeerAddr* AND *fdopen*) OR
(*socket* AND *TCPSocket* AND (*exec* OR *popen*)) OR
(*fsockopen* AND (*exec* OR *shell_exec* OR *system* OR *passthru* OR *popen*))
)
The accurate hunt allows to
identify specific command lines
to run the reverse shell

View Slide

45
Execution. Interpreters
proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh") AND
proc_p_file_path:("/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript")
Generic hunt will allow to identify suspicious activity of interpreters

View Slide

46
Execution
cmdline:(*osascript* AND *curl*)
cmdline.keyword:/.*curl .* -o .*(\/tmp\/|\/private\/tmp\/|\/private\/var\/tmp\/).*/

View Slide

47
Persistence

View Slide

48
macOS Persistence

View Slide

49
macOS persistence management – what’s new in Ventura
• With Ventura, comes a the new login and background item management features
• This new feature helps users see what is running in the background of their Mac, the invisible becomes visible
• So, now users can see which apps are set up for persistence without having to find search directories in the
Finder, use the Terminal, or relying on 3rd party software
Users can now manage Login Items, Launch Agents
and Launch Daemons all from a single place in
System Settings
Also when new Launch Agent, Launch Daemon or
Login Item is added, the system now generates a
notification alert
Login items
Launch Agents / Daemons

View Slide

50
macOS persistence management – 3rd party tools
BlockBlock monitors common persistence
locations and alerts whenever a persistent
component is added.
KnockKnock performs inventory of
common persistence location an allows
uncovers persistently installed software

View Slide

51
• Launch Daemons are background processes that run with root privileges and
executes when system is started
• Launch Daemons use property list files defined in the:
• /System/Library/LaunchDaemons/*.plist (SIP protected)
• /Library/Apple/System/Library/LaunchDaemons/*.plist (SIP protected)
• /Library/LaunchDaemons/*.plist (only root has access)
T1543.001 – Create or Modify System Process: Launch Agent
T1543.004 – Create or Modify System Process: Launch Daemon
• Launch Agents are per-user background processes that only execute while the
user is logged in
• Launch agents are defined in property list files that are in:
• /System/Library/LaunchAgents/*.plist (SIP protected)
• /Library/Apple/System/Library/LaunchAgents /*.plist (SIP protected)
• /Library/LaunchAgents/*.plist (only root has access)
• /Users/$username/Library/LaunchAgents/*.plist ($username has access)

View Slide

52
• Can be anywhere on a macOS system.
• Three formats – XML, JSON (Dictionary) or binary blobs
• Used to store configuration settings, permissions,
preferences, etc
• Usually named in reverse DNS notation (com.apple.thing)
• From an offensive perspective, they come into play for:
• Persistence (Launch Agents/Launch Daemons)
• Evasion (Entitlements, Application’s Info.plist)
• Situational Awareness
(/Library/Receipts/InstallHistory.plist)
• Launch Agent / Launch Daemon plists must conform to
the launchd format. Important Keys:
• Label – a unique string that identifies the agent
• ProgramArguments – the arguments used to launch
the agent
• RunAtLoad – start the agent when the property list
file is loaded by launchd
Property List Files (PLIST)

View Slide

53
Hunting for suspicious Launch Agents/Daemons

View Slide

54
What telemetry we need?
• Process Creation monitoring
• Process Inventory
• Console Commands monitoring
• Console Commands History
• File Creation monitoring
• File Change monitoring
• File Inventory
• Launch Agents/Launch Daemons inventory
• Launch Items inventory

View Slide

55
Downloading Launch Agent/Daemon PLIST by console tool
OSX.CreativeUpdate:
OSX.Siggen:
Some macOS malware, that combines
EmPyre backdoor and XMRig miner
It is quite common for malware or adversaries to download Launch Agents/Daemons PLIST files using
standard tools like curl

View Slide

56
Search for command lines that contain combinations of standard downloading tools (like curl) and
paths to the Launch Agents/Daemons PLIST files location:
cmdline:*curl* AND
(cmdline:("*/LaunchAgents/*" OR "*/LaunchDaemons/*") OR
cmdline.keyword:*.plist*) AND
-cmdline:("*/homebrew/Library/Homebrew/*")
Let’s hunt it!

View Slide

57
Let’s hunt it!
Search for PLIST files creation or modification by curl or script interpreters:
event_type:(FileCreate OR FileChange) AND
proc_file_path:(*curl* OR *osascript* OR *python* OR *perl* OR *ruby*) AND
(file_path.keyword:*.plist OR file_path:("*/LaunchAgents/*" OR
"*/LaunchDaemons/*"))
-proc_cmdline:("*/homebrew/Library/Homebrew/*")

View Slide

58
Building Launch Agent/Daemon PLIST from the command line
Silver Sparrow and UpdateAgent malware use PlistBuddy in
direct mode to add arguments to a PLIST file:
VPN Trojan (Covid) malware creates PLIST file using echo
command:

View Slide

59
Building Launch Agent/Daemon PLIST from the command line
Let’s hunt it!
Search for usage of PlistBuddy or echo to create/modify PLIST:
cmdline:("echo *" OR *PlistBuddy*) AND
cmdline:(*RunAtLoad* OR *ProgramArguments*) AND
-(proc_cwd:"*/Library/InstallerSandboxes/.PKInstallSandboxManager/*" OR
proc_cwd.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/ OR
proc_p_cmdline:"*/Library/InstallerSandboxes/.PKInstallSandboxManager/*" OR
proc_p_cmdline.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/)

View Slide

60
Decode the content of PLIST from base64
Another trick that commonly used by malware is to decode the content of PLIST file from base64
encoded string. Bellow there is example from macOS.GMERA malware:

View Slide

61
Decode the content of PLIST from base64. Let’s hunt it!
Search for command lines that contain combinations of base64 substring and paths
to the Launch Agents/Daemons PLIST files location:
cmdline:(*base64*) AND
(cmdline:("*/LaunchAgents/*" OR "*/LaunchDaemons/*") OR
cmdline.keyword:*.plist*)

View Slide

• Calisto malware adds property list file in LaunchAgents using ‘cp’:
Other ways to create malicious Launch Agent/Daemon
PLIST files – mv, cp, touch, zip commands
• Dummy malware adds property list file in LaunchDaemons using ‘mv’:
• HiddenLotus uses ‘touch’ to create property list file in LaunchDaemons

View Slide

63
Suspicious Launch Agent/Daemon PLIST files
Masquerading as a system service (PLIST file
name contains: ”com.apple.*”) :
Adversaries may attempt to manipulate the name of PLIST file to make it appear legitimate or benign:
• ~/Library/LaunchAgents/com.apple.spx.plist
• ~/Library/LaunchDaemons/com.apple.acc.installer.v1.plist
• ~/Library/LaunchAgents/com.apple.softwareupdate.plist
• ~/Library/LaunchAgents/com.apple.spx.plist
• ~/Library/LaunchAgents/com.apple.HYQ.plist
• ~/Library/LaunchAgents/com.apple.2KR.plist
• ~/Library/LaunchAgents/com.apple.Yahoo.plist
• ~/Library/LaunchAgents/com.apple.Google.plist
• /Library/LaunchAgents/com.apple.update.plist
• ~/Library/LaunchAgents/com.apple.abtpd.plist
• /Library/LaunchDaemons/com.apple.abtpd.plist
• ~/Library/LaunchAgents/com.apple.Safari.proxy.plist
• ~/Library/LaunchAgents/com.apple.Safari.pac.plist
• /Library/LaunchDaemons/com.apple.marcoagent.voiceinstallerd.plist
• ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstaller.plist
• ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist
• ~/Library/LaunchAgents/com.apple.usagestatistics.plist
• ~/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
• /Library/LaunchDaemons/.com.apple.WindowServer.plist
• /Library/LaunchAgents/.com.apple.upd.plist
• ~/Library/LaunchAgents/.com.apple.system.plist
• ~/Library/LaunchAgents/ com.appIe.stockf.stocks
• ~/Library/LaunchAgents/ com.appIe.stockfolioses.Stockfoli
PLIST file name looks similar to ”com.apple” :
Hidden PLIST file (name starts with dot):
• ~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
• ~/Library/LaunchAgents/MacOSupdate.plist
• ~/Library/mdworker/MacOSupdate.plist
Masquerading as macOS update service:
• ~/Library/k.plist
• ~/Library/LaunchAgents/a.plist
• ~/Library/LaunchAgents/1.plist
Too short PLIST file name:

View Slide

64
Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!
Search for PLIST files looking like legitimate system services, but located not in typical for system
Launch Agents/Daemons folders:
event_type:(FileCreate OR FileInfo) AND
file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*")AND
file_path:(*com.apple* OR *com.appie* OR (*update* AND *mac*) OR (*update* AND *system*))
-file_path:("/Library/Apple/System/Library/LaunchAgents/*" OR
"/Library/Apple/System/Library/LaunchDaemons/*" OR "/System/Library/LaunchDaemons/*" OR
"/System/Library/LaunchAgents/*")

View Slide

65
Search for PLIST files with short names:
file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
file_path.keyword:/.+\/.{1,3}.plist/

View Slide

66
Search for hidden PLIST files:
file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
file_path.keyword:/.+\/\..+/ AND
-proc_file_path:"/Library/Application Support/AirWatch/hubd"

View Slide

67

View Slide

68
Hunting suspicious PLIST targets – Telemetry
Osquery launchd table KnockKnoc command line scan with output to a file:

View Slide

69
Xloader stealer Launch Agent starts
file from hidden folder (.URzH)
OSX.LamePyre backdoor
starts two hidden files
(.system and .helper)
Hidden files or files from hidden folders as Launch
Agent/Daemon targets

View Slide

70
Hidden files or files from hidden folders as Launch
Agent/Daemon targets. Let’s hunt it!
Search for Launch Agents and Launch Daemons that start hidden files or files from hidden folders:
sensor_type:osquery AND
rule_name:"pack_inventory_launchd" AND
service_autorun:true AND
file_path.keyword:/.+\/\..+/

View Slide

71
Search for Launch Agents and Launch Daemons that start files from temporal folders:
rule_name.keyword:"pack_inventory_launchd" AND
file_path:("/tmp/*" OR "/var/tmp/*" OR "/private/var/tmp/*" OR
"/private/tmp/*" OR "*/etc/*")
Files from temporal folder as Launch Agent/Daemon targets
Let’s hunt it!

View Slide

72
Search for execution of files from temporal folders with /sbin/launchd as a parent:
event_type:(ProcessCreate OR ProcessInfo) AND
proc_p_file_path:"/sbin/launchd" AND
proc_file_path:("/tmp/*" OR "/var/tmp/*" OR "/private/var/tmp/*" OR
"/private/tmp/*" OR "*/etc/*") AND
-proc_file_path.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/
Files from temporal folder as Launch Agent/Daemon targets
Let’s hunt it!

View Slide

73
OSX.Siggen – a fake WhatsApp Trojan.
The Launch Agent is downloaded via
curl and starts bash script
XcodeSpy is a malicious Xcode project that installs a
custom variant of the EggShell backdoor and uses Launch
Agent as a persistence mechanism that starts bash
Script interpreters or shells as Launch Agents/Daemons targets

View Slide

74
WildPressure malware
decodes the XML, fills
[pyscript] placeholder
with the path to the
python script and
drops .plist file for
persistence
Silver Sparrow sets up
persistence with the
Launch Agent that
starts /bin/sh

View Slide

75
OSX.ppminer – the trojan
installs Launch Agent that
starts compiled AppleScript
using osasscript tool
CrossRAT persists as a
Launch Agent that starts .jar
file using java interpreter

View Slide

76
Search for Launch Agents and Launch Daemons that start interpreters:
rule_name:"pack_inventory_launchd" AND
(cmdline:(*bash* OR *zsh* OR *ksh* OR *tcsh* OR *dash* OR *tclsh* OR *fish* OR
"*/bin/sh*" OR *perl* OR *ruby* OR *python* OR *osascript* OR *javascript* OR
*curl* OR *wget* OR *java*) OR file_path.keyword:(*.sh OR *.bash OR *.py OR
*.pl OR *.rb OR *.scpt OR *.scptd OR *.jar))
Launch Agents/Daemons that start interpreters. Let’s hunt it!

View Slide

77
T1547.015 – Boot or Logon Autostart Execution: Login Items
• Login items are launched when the user logs in, and continue
running until the user logs out or manually quits them
• There are two ways to add a login item: using the Service
Management framework, and using a shared file list
• Shared file list login items can be set using scripting languages
such as AppleScript or LSSharedFileListInsertItemURL API,
whereas the Service Management Framework uses the API call
SMLoginItemSetEnabled.
• The entries of "Login Items" are stored in:
• ~/Library/Preferences/com.apple.loginitems.plist - before High Sierra
• ~/Library/Application Support/ com.apple.backgroundtaskmanagementagent/
backgrounditems.btm – since High Sierra
• /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-
v*.btm (for example, BackgroundItems-v7.btm) – since Ventura
• Since macOS 13 Ventura when a Login Item is added, the system
generates a notification alert :
Before macOS 13 Ventura
Since macOS 13 Ventura

View Slide

78
T1547.015 – Boot or Logon Autostart Execution: Login Items
OSX/Dok utilizes AppleScript to create the Login Item named “AppStore”:
Apfell Mythic framework agent has command persist_loginitem_allusers
that add a login item for all users via the LSSharedFileListInsertItemURL:

View Slide

79
Create Login Item using osascript. Let’s hunt it!
Search for osascript usage to create Login Item:
cmdline:*osascript* AND
cmdline:"*System Events*" AND
cmdline:"*login item*" AND cmdline:*path* AND
-proc_p_cmdline:*PKInstallSandbox*

View Slide

80
Generic detection of Login Items creation/deletion
Modification of Background Items database file can be the sign of Login Item creation/deletion:
event_type:FileChange AND
file_path:(*BackgroundItems* OR "*/com.apple.loginitems.plist")

View Slide

81
Search for recently created non signed files started by launchd – can be the sign of newly created
Launch Agent, Launch Daemon or Login Item:
proc_p_file_path:"/sbin/launchd" AND
proc_file_age:<600 AND
-proc_file_sig_result:good
Generic detection of suspicious Launch Agents,
Launch Daemons or Login Items

View Slide

82
Credential Access

View Slide

macOS Credential Access

View Slide

Spoofing credentials dialog using AppleScript (osascript)
MacStealer uses standard osasscript tool to show
fake password prompts for gathering credentials:
Atomic Stealer uses a crude but effective means of
extracting the user’s login password via AppleScript spoofing:

View Slide

Spoofing credentials dialog using AppleScript. Attack Flow
1. Show spoofed
credentials dialog box
2. Check entered
password using sudo
or dscl comands
3. Repeatedly shows
spoofed credentials
dialog box until the
correct password is
supplied

View Slide

86
Spoofing credentials dialog with osascript. Let’s hunt it!
Search for osascript usage to spoof credentials dialog:
cmdline:*osascript* AND
cmdline:"*display dialog*" AND
cmdline:(*password* OR *пароль* "*hidden answer*")

View Slide

87
Checking passwords via sudo or dscl. Let’s hunt it!
Search for sudo and dscl tool usage to check password:
(
cmdline.keyword:/.*echo .+\|.*sudo \-S .+/ OR
(cmdline:*dscl* AND cmdline:*authonly*)
) AND
-cmdline:*ssh*

View Slide

88
Metasploit password_pompt_spoof module
osx/gather/password_prompt_spoof msf module drops
script to hidden folder inside /tmp and executes it with
ossascipt tool
88

View Slide

Metasploit password_pompt_spoof module. Let’s hunt it!
89
Search for usage of osascript tool to run scripts from tmp:
dev_os_type:macos AND((cmdline.keyword:(/.*osascript .{0,10}\/tmp\/.+/ OR
/.*osascript .{0,10}\/var\/tmp\/.+/ OR /.*osascript
.{0,10}\/private\/var\/tmp\/.+/)) OR (event_type:(ProcessCreate OR
ProcessInfo) AND cmdline:*osascript* AND proc_cwd:*tmp*) )

View Slide

Spoofing credentials dialog using API calls
It is possible to spoof credentials dialog via NSAAlert API calls. Bellow
there is an example from Swift-Attack testing tools:
90

View Slide

Keychain – wtf?
• The infrastructure and a set of APIs used by Apple operating systems
and third-party apps to store and retrieve passwords, keys and other
sensitive credentials
• Applications need to handle secure information, such as keys and
login tokens. The keychain provides a secure way to store these items
– it is like DPAPI on Windows hosts
• There are three types of Keychains: Login Keychain, System Keychain,
and Local Items (iCloud) Keychain
• The Login Keychain stores user passwords and information:
• ~/Library/Keychains/login.keychain-db (but may differ)
• The System Keychain stores items accessed by the operating system,
such as items shared among users on a host:
• /Library/Keychains/System.keychain
• The Local Items (iCloud) Keychain is used for items synced with
Apple’s iCloud service
• Native tools for interacting with Keychains – security (CLI), Keychain
Access (GUI)
91
“Keychain Access is a macOS
app that stores your
passwords and account
information, and reduces the
number of passwords you
have to remember and
manage.”
- Apple

View Slide

Keychain Dumping
92

View Slide

Grab Keychain files
Meterpreter enum_osx post-exploitation module get
Keychains file using cat command (/bin/cat
"/Users/name/Library/Keychains/login.keychain-db):
Atomic Stealer steal the user’s keychain
contents. A process called ‘unix1’ is spawned in
memory to obtain the keychain.:
93

View Slide

OSX/Proton backdoor collects user Keychains using zip command
(zip -r %@/KC.zip ~/Library/Keychains/ /Library/Keychains/;):
Calisto trojan is able to steal the contents of Keychain and archive it using zip command:
94
Grab Keychain files

View Slide

95
Metasplot enum_osx
module
Search for Keychains paths or well-known Keychain dumping tools names in the command line:
cmdline:("*/Library/Keychains/*" OR "*login.keychain*" OR "*System.keychai*" OR
"*keychain_dumper*" OR *libkeystealClient* OR *chainbreaker* OR *keychaindump*
OR "*dump-keychain*") AND
-proc_file_path:"/usr/bin/security" AND
-cmdline:("*/usr/bin/security*" OR *chown* OR *chmod*)AND
-cmdline.keyword:(/ls .+/ OR /cd .+/ OR /.*security .+/)
Grab Keychain files. Let’s hunt it!

View Slide

96
Grab Keychain files. Let’s hunt it!
Search for files whose names contain the word ”keychain” or names of the well-known Keychain
dumping tools:
file_path:(*keychain* OR *chainbreaker*) AND
-file_path:(”/usr/local/bin/git-credential-osxkeychain" OR
”/usr/sbin/systemkeychain" OR ”/usr/local/bin/docker-credential-osxkeychain" OR
"*/Library/Keychains*")

View Slide

Dumping of Keychain content via Security command
”security dump-keychains” command can be used to dump the content of the keychain storage data :
97

View Slide

98
Dumping of Keychain Content via Security Command
Let’s hunt it!
Search for security tool usage with dump-keychain option:
cmdline:*security* AND
cmdline:"*dump-keychain*" AND
cmdline.keyword:(/.+ \-d.*/ OR /.+ \-r.*/)

View Slide

Browsers cookies and credentials theft
Cookies storage locations:
• Chrome: ~/Library/Application Support/Google/Chrome/Default/Cookies
• Firefox:~/Library/ApplicationSupport/Firefox/Profiles/*.default/cookies.sqlite
• Safari: ~/Library/Safari/LocalStorage/*, ~/Library/Cookies/*
Credentials storage locations:
• Chrome:~/Library/Application Support/Google/Chrome/Default/Login Data
• Firefox:~/Library/ApplicationSupport/Firefox/Profiles/*.default/login.json"
• Safari: ~/Library/Safari/Form Values/*
Credentials from Password
Stores: Credentials from Web Browsers
Steal Web Session Cookie
• Browser cookies and saved passwords are highly valuable to attackers
• Stolen cookies and passwords can be used to gain access to
internal/external applications
99

View Slide

Browsers cookies and credentials theft examples
OSX/Proton collects private browser data using zip command:
XCSSET safari_cookie module thefts Safari cookie using scp command:
10
0

View Slide

10
1
Browsers cookies theft. Let’s hunt it!
Search for paths to the browser cookies storage in the command lines:
cmdline:("*/Library/Cookies*" OR ("*/Firefox/Profiles/*" AND "*cookies.sqlite*")
OR "*/Library/Application Support/Google/Chrome/Default/Cookies*" OR
"*/Google/Chrome Beta/Default/Cookies*" OR "*/Chromium/Default/Cookies*" OR
"*/Microsoft Edge/Default/Cookies*" OR "*/BraveSoftware/Brave-
Browser/Default/Cookies*" OR "*/com.operasoftware.Opera/Default/Cookies*" OR
"*/com.operasoftware.OperaGX/Default/Cookies*" OR "*/Vivaldi/Default/Cookies*"
OR "*/Coccoc/Default/Cookies*" OR "*/Yandex/YandexBrowser/Default/Cookies")

View Slide

10
2
Browsers credentials theft. Let’s hunt it!
Search for paths to the browser credentials storage in the command lines:
cmdline:("*/Library/Safari/Form Values/*" OR ("*/Firefox/Profiles/*" AND
"*login.json*") OR "*/Library/Application Support/Google/Chrome/Default/Login
Data*" OR "*/Google/Chrome Beta/Default/Login Data*" OR "*/Chromium/Default/Login
Data*" OR "*/Microsoft Edge/Default/Login Data*" OR "*/BraveSoftware/Brave-
Browser/Default/Login Data*" OR "*/com.operasoftware.Opera/Default/Login Data*"
OR "*/com.operasoftware.OperaGX/Default/Login Data*" OR "*/Vivaldi/Default/Login
Data*" OR "*/Coccoc/Default/Login Data*" OR "*/YandexBrowser/Default/Login Data")

View Slide

Decryption of stolen browser’s data
• Chrome encrypts all user data files with a key stored in
the login keychain.
• Cookies
• History
• Passwords
• Saved Payment information
• The encryption key is base64 encoded and stored as the
Chrome Safe Storage key in the User's Keychain
• Attacker can get this key from the grabbed copy of the
login keychain
• Another way to get Chrome Safe Storage is to use security
tool with “find-generic-password” option
• After obtaining the key ChromeCookieDecryptor tool
(https://github.com/marx-yu/ChromeCookieDecryptor)
can be used to decrypt data
10
3

View Slide

10
4
HackBrowserData credentials dumping tool
HackBrowserData gets the chromium master key from the keychain using security tool with
“find-generic-password” option:

View Slide

105
Using security tool to get browser’s master key. Let’s hunt it!
Search for security tool usage to get browser’s master key from user's Keychain:
cmdline:*security* AND
cmdline:("*find-generic-password*" OR "*find-internet-password*") AND
cmdline:(*Chrome* OR *Chromium* OR *Opera* OR *Safari* OR *Brave* OR
*Microsoft Edge* OR *Edge* OR *Firefox*)
AND -proc_p_file_path:("*/Applications/Keeper Password Manager.app/Contents/*"
OR "*/Contents/MacOS/Keeper Password Manager Helper*")

View Slide

10
6
To be continued… Privilege Escalation, Defense Evasion,
Discovery AND Lateral Movement

View Slide

10
7
Questions?

View Slide

Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence

Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence

Heirhabarov

More Decks by Heirhabarov

Other Decks in Technology

Featured

Transcript