Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence

Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence

Heirhabarov

May 22, 2023
Tweet

More Decks by Heirhabarov

Other Decks in Technology

Transcript

  1. 1
    Hunting for macOS attack techniques
    Part 1 – Initial Access, Execution, Credential Access, Persistence
    Teymur Kheirkhabarov
    Director of Cyber Threat Monitoring, Response
    and Research Department, BI.ZONE
    Maxim Tumakov
    Head of Cyber Threat Research, BI.ZONE

    View full-size slide

  2. 2
    dscl . -read "/Users/$(id -un)" RealName
    • Director of Cyber Threat Monitoring, Response
    and Research Department at BI.ZONE (SOC,
    MDR, DFIR, TI, EDR, XDR, IRP, etc.)
    • Threat Hunter
    • ZeroNights / PHDays / OFFZONE speaker
    • GIAC GXPN / GCFA / GDSA certified
    • Ex- Head of SOC R&D at Kaspersky Lab / SOC
    Analyst / Infosec Admin/ IT
    • Twitter @HeirhabarovT
    • Telegram @Heirhabarov
    Teymur
    Kheirkhabarov
    • Head of Cyber Threat Research at BI.ZONE
    • Threat Hunter
    • Ex- Digital Forensics & Incident Response
    expert (Informzaschita)
    • Ex- Security Researcher (Kaspersky)
    • OSCP / eCPTXv2 certified
    • Telegram @mrtrumster
    Maxim
    Tumakov

    View full-size slide

  3. 3
    What we are going to talk about?

    View full-size slide

  4. 4
    What we used to prepare this talk?

    View full-size slide

  5. 5
    macOS monitoring mechanisms

    View full-size slide

  6. 6
    macOS monitoring tools

    View full-size slide

  7. 7
    Red Canary Mac Monitor

    View full-size slide

  8. 8
    Initial Access

    View full-size slide

  9. 9
    Initial Access

    View full-size slide

  10. 10
    Application
    Application bundles are one of
    the most common types of bundle
    created by developers. The
    application bundle stores
    everything that the application
    requires for successful operation
    *.app in MacOS ≈ C:\ProgramFiles\\ in Windows

    View full-size slide

  11. 11
    Application. Malicious document
    Document.pdf.app
    The application disguised as a
    PDF document
    Main.scpt
    The AppleScript launching
    the second stage load
    applet
    The main binary file of the
    application that runs the AppleScript

    View full-size slide

  12. 12
    Application. Malicious document. Let’s hunt it!
    dev_os_type:macos AND
    event_type:ProcessCreate
    (
    cmdline.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
    proc_file_path.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
    proc_p_file_path.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
    proc_p_cmdline.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/
    )
    Running a process with suspicious extensions

    View full-size slide

  13. 13
    Packages
    GUI Installer:
    /System/Library/PrivateFrameworks/PackageKit
    .framework/Versions/A/XPCServices/package_sc
    ript_service.xpc/Contents/MacOS/package_scri
    pt_service
    CLI Installer:
    /usr/sbin/installer
    *.pkg in MacOS ≈ *.msi in Windows
    Packages is a directory that contain a hierarchy of files
    or objects that represent a preserved, organized state. A
    package is displayed to users like a single file in the
    Finder application to avoid being changed by the user.

    View full-size slide

  14. 14
    Packages. Pre\Post install scripts
    Normally, pre\post install scripts are used for preparing
    and cleaning up software installations. The preinstall
    script is run before package installation and the
    postinstall script is run after

    View full-size slide

  15. 15
    Packages. Pre\Post install scripts. Let’s hunt it!
    Running a pre\post install script
    1. May be noisy - must be profiled for specific infrastructure
    2. Сan be used to threat hunting
    dev_os_type:macos AND
    proc_p_file_path:"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices
    /package_script_service.xpc/Contents/MacOS/package_script_service" AND
    cmdline:("/preinstall" OR "/postinstall") AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

    View full-size slide

  16. 16
    Packages. Pre\Post install scripts. Let’s hunt it!
    Launching child processes of pre\post install script
    1. More accurate, but must be profiled for specific infrastructure too
    2. Сan be used to threat hunting
    dev_os_type:macos AND
    proc_p_cmdline:("/tmp/" AND "/Scripts/" AND ("/preinstall" OR "/postinstall")) AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")
    If the malicious command
    ends with sign & then the parent
    process will be /sbin/launchd. The
    hunt does not work in this case

    View full-size slide

  17. 17
    Packages. Pre\Post install Scripts. Let’s hunt it!
    Starting a process from the installer's temporary directory
    dev_os_type:macos AND
    proc_cwd.keyword:/.*\/private\/tmp\/PKInstallSandbox.*/ AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

    View full-size slide

  18. 18
    Packages. Distribution.xml
    Distribution XML file (embedded script)
    Distribution XML file (external script)

    View full-size slide

  19. 19
    Packages. Distribution.xml. Let’s hunt it!
    Distribution XML file (embedded script)
    dev_os_type:macos AND
    proc_p_file_path:"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer" AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

    View full-size slide

  20. 20
    Packages. Distribution.xml. Let’s hunt it!
    Distribution XML file (external script)
    dev_os_type:macos AND
    proc_pp_file_path:"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer" AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

    View full-size slide

  21. 21
    Packages. Installer Plugin
    Installer Plugin is a helper
    application that allows you to
    customize the installation panel of
    the main application
    Extra step added by
    Installer Plugin

    View full-size slide

  22. 22
    Packages. Installer Plugin. Let’s hunt it!
    A special process is used to launch a installer plugin
    dev_os_type:macos AND
    proc_p_file_path.keyword:/\/System\/Library\/CoreServices\/Installer.app\/Contents\/XPCServ
    ices\/InstallerRemotePluginService-
    (x86_64|arm64).xpc\/Contents\/MacOS\/InstallerRemotePluginService-(x86_64|arm64)/ AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

    View full-size slide

  23. 23
    DMG
    An Apple disk image file's name usually has ".dmg" as its
    extension. A disk image is a compressed copy of the
    contents of a disk or folder. Disk images have .dmg at
    the end of their names
    *.dmg in MacOS ≈ *.iso in Windows

    View full-size slide

  24. 24
    DMG
    When the application is launched from DMG without installation, the
    application bundle will be copied to a temporary directory. This hunt
    detects the launch of suspicious processes from such temporary
    directories
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    proc_p_cmdline:("/private/var/folders/" AND "/AppTranslocation/") AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR
    "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

    View full-size slide

  25. 25
    MS Office
    VBA Macro in MS Word document
    XLM Macro in MS Excel document

    View full-size slide

  26. 26
    MS Office. Let’s hunt it!
    dev_os_type:macos AND
    proc_p_file_path:(
    "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel" OR
    "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" OR
    "/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint"
    )
    AND -cmdline:(
    "/Microsoft Error Reporting.app" OR "/Microsoft AutoUpdate.app"
    )
    VBA Macro XLM Macro

    View full-size slide

  27. 27
    MS Office. Sandbox escape
    MS Office macros run in the sandbox, but there is a well-known escape method:
    1. Upload ~$.zip archive with .bash_profile or .zshenv to the target host
    2. Create a LoginItem for the victim user
    3. After reboot, Login Item will unpack the archive to the user's home directory
    4. Now, every time bash/zsh is launched, a malicious load will be launched outside the
    sandbox context
    Apfell
    (Mythic payload)

    View full-size slide

  28. 28
    MS Office. Sandbox escape. Let’s hunt it!
    dev_os_type:macos AND
    event_type:(FileCreate OR FileDelete OR FileChange) AND
    proc_cwd.keyword:/.*\/Library\/Containers\/com\.microsoft\.(Word|Excel|Powerpoint)\/Data/
    file_path.keyword:/.*\/\~\$.*/
    To escape from the sandbox, a suspicious macro must create one or more ~$.zip files. This
    hunt detects manipulations with similar files

    View full-size slide

  29. 29
    Drive-by Compromise
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR
    "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")
    AND
    proc_p_file_path:(
    "/Applications/Safari.app/" OR
    "/Applications/Chrome.app/" OR
    "/Applications/Firefox.app/"
    )
    Some browser exploits cause child processes to appear to perform various actions. Such
    a general hunt with a low FP ratio can detect traces of exploitation of such vulnerabilities

    View full-size slide

  30. 32
    Execution. Open Scripting Architecture (OSA)
    The Open Scripting Architecture (OSA) provides a standard and extensible mechanism for
    interapplication communication in OS X. This communication takes place through the
    exchange of Apple events. An Apple event is a type of interprocess message that
    encapsulates commands and data.
    Supported languages:
    • AppleScript
    • JavaScript for Automation (JXA)
    Launch method Description
    osascript -e "script here" Running one-line command
    osascript /path/to/script Running a script from a file
    #!/usr/bin/osascript Running a file with a specific header
    osacompile - > Mach-O Script compilation
    NSAppleScript, OSAScript Launch via native MacOS API
    NSCreateObjectFileImageFromMemory Reflective Code Loading
    applescript://com.apple.scripteditor?action=new&script= Open URL
    OSA scripts in MacOS ≈ Powershell in Windows

    View full-size slide

  31. 33
    Execution. Open Scripting Architecture (OSA)
    AppleScript compilation:
    osacompile -o compiled.app apple_script.scpt
    AppleScript RunOnly compilation:
    osacompile -x -o compiled.app apple_run_only_script.scpt
    Directory structure of the
    compiled script-application
    Directory structure of the
    compiled RunOnly script-
    application

    View full-size slide

  32. 34
    Execution. Open Scripting Architecture (OSA). Let’s hunt it!
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline.keyword:/.*osascript .*\.(js|scpt).*/
    Running a script from a file

    View full-size slide

  33. 35
    Execution. Open Scripting Architecture (OSA). Let’s hunt it!
    Running suspicious commands
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline.keyword:/.*osascript .*-e.*return.*(system info|the clipboard|set popup).*/

    View full-size slide

  34. 36
    Execution. Open Scripting Architecture (OSA). Let’s hunt it!
    Compiling a script via a command line utility
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline.keyword:*osacompile*

    View full-size slide

  35. 37
    Execution. Open Scripting Architecture (OSA). Let’s hunt it!
    Downloading a file using Objective-C
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline:(*dataWithContentsOfURL* OR *URLWithString*)

    View full-size slide

  36. 38
    Execution. Shell
    By default, at least 7 (?) different command shells are installed on Mac OS. Attackers can use shells to:
    • execution of shell-embedded commands
    • for launching system utilities
    • for initializing the reverse shell
    • etc

    View full-size slide

  37. 39
    Execution. Shells. Let’s hunt it!
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline.keyword:(
    /.*\/dev\/tcp\/.*/ OR
    /.*\/dev\/udp\/.*/ OR
    /.*zsh\/net\/tcp\/.*/ OR
    /.*zsh\/net\/udp\/.*/
    )
    Attackers can use any command shell
    to get a reverse shell on a remote host

    View full-size slide

  38. Execution. Shells. Let’s hunt it!
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline:(*base64* OR *b64decode* OR (*openssl* AND *enc* AND *-base64*))
    Just like in Windows and Linux, on Mac
    OS attackers actively use Base64 to
    encode the payload

    View full-size slide

  39. Execution. Shells. Let’s hunt it!
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    (
    proc_file_path:"/usr/bin/nohup" OR
    cmdline:*nohup*
    )
    To run processes in the background, attackers
    use the nohup utility, which is rarely used by
    legitimate applications on Mac OS

    View full-size slide

  40. 42
    Execution. Binary
    Mach-O, short for Mach object file format, is a file
    format for executables, object code, shared libraries,
    dynamically loaded code, and core dumps.
    Malicious applications often save the payload to the
    root of temporary directories, although legitimate
    applications almost never do so.
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    proc_file_path.keyword:(
    /\/tmp\/[^\/]*/ OR
    /\/private\/tmp\/[^\/]*/ OR
    /\/var\/tmp\/[^\/]*/ OR
    /\/private\/var\/tmp\/[^\/]*/
    )
    Symbolic links for temporary macOS directories:
    • /tmp -> /private/tmp
    • /var -> /private/var

    View full-size slide

  41. 43
    Execution. Binary. Let’s hunt it!
    dev_os_type:macos AND
    (
    (
    cmdline:(*chown* OR *chmod*) AND
    cmdline.keyword:(
    /.* \/private\/tmp\/[^\/]*/ OR /.* \/tmp\/[^\/]*/ OR
    /.* \/private\/var\/tmp\/[^\/]*/ OR /.* \/var\/tmp\/[^\/]*/
    )
    ) OR
    (
    proc_file_path:("/bin/chmod" OR "/bin/chown") AND
    proc_cwd.keyword:(
    /\/private\/tmp/ OR /\/tmp/ OR
    /\/private\/var\/tmp/ OR /\/var\/tmp/
    )
    )
    )
    To launch a malicious file, the attacker needs to
    add execution rights. This hunt detects the use
    of the chmod\chown utility in the root of
    temporary directories

    View full-size slide

  42. 44
    Execution. Interpreters
    dev_os_type:macos AND
    event_type:ProcessCreate
    cmdline:(
    (*SOCK_STREAM* AND *connect* AND *exec*) OR
    (*INET* AND *PeerAddr* AND *fdopen*) OR
    (*socket* AND *TCPSocket* AND (*exec* OR *popen*)) OR
    (*fsockopen* AND (*exec* OR *shell_exec* OR *system* OR *passthru* OR *popen*))
    )
    The accurate hunt allows to
    identify specific command lines
    to run the reverse shell

    View full-size slide

  43. 45
    Execution. Interpreters
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh") AND
    proc_p_file_path:("/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript")
    Generic hunt will allow to identify suspicious activity of interpreters

    View full-size slide

  44. 46
    Execution
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline:(*osascript* AND *curl*)
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    cmdline.keyword:/.*curl .* -o .*(\/tmp\/|\/private\/tmp\/|\/private\/var\/tmp\/).*/

    View full-size slide

  45. 47
    Persistence

    View full-size slide

  46. 48
    macOS Persistence

    View full-size slide

  47. 49
    macOS persistence management – what’s new in Ventura
    • With Ventura, comes a the new login and background item management features
    • This new feature helps users see what is running in the background of their Mac, the invisible becomes visible
    • So, now users can see which apps are set up for persistence without having to find search directories in the
    Finder, use the Terminal, or relying on 3rd party software
    Users can now manage Login Items, Launch Agents
    and Launch Daemons all from a single place in
    System Settings
    Also when new Launch Agent, Launch Daemon or
    Login Item is added, the system now generates a
    notification alert
    Login items
    Launch Agents / Daemons

    View full-size slide

  48. 50
    macOS persistence management – 3rd party tools
    BlockBlock monitors common persistence
    locations and alerts whenever a persistent
    component is added.
    KnockKnock performs inventory of
    common persistence location an allows
    uncovers persistently installed software

    View full-size slide

  49. 51
    • Launch Daemons are background processes that run with root privileges and
    executes when system is started
    • Launch Daemons use property list files defined in the:
    • /System/Library/LaunchDaemons/*.plist (SIP protected)
    • /Library/Apple/System/Library/LaunchDaemons/*.plist (SIP protected)
    • /Library/LaunchDaemons/*.plist (only root has access)
    T1543.001 – Create or Modify System Process: Launch Agent
    T1543.004 – Create or Modify System Process: Launch Daemon
    • Launch Agents are per-user background processes that only execute while the
    user is logged in
    • Launch agents are defined in property list files that are in:
    • /System/Library/LaunchAgents/*.plist (SIP protected)
    • /Library/Apple/System/Library/LaunchAgents /*.plist (SIP protected)
    • /Library/LaunchAgents/*.plist (only root has access)
    • /Users/$username/Library/LaunchAgents/*.plist ($username has access)

    View full-size slide

  50. 52
    • Can be anywhere on a macOS system.
    • Three formats – XML, JSON (Dictionary) or binary blobs
    • Used to store configuration settings, permissions,
    preferences, etc
    • Usually named in reverse DNS notation (com.apple.thing)
    • From an offensive perspective, they come into play for:
    • Persistence (Launch Agents/Launch Daemons)
    • Evasion (Entitlements, Application’s Info.plist)
    • Situational Awareness
    (/Library/Receipts/InstallHistory.plist)
    • Launch Agent / Launch Daemon plists must conform to
    the launchd format. Important Keys:
    • Label – a unique string that identifies the agent
    • ProgramArguments – the arguments used to launch
    the agent
    • RunAtLoad – start the agent when the property list
    file is loaded by launchd
    Property List Files (PLIST)

    View full-size slide

  51. 53
    Hunting for suspicious Launch Agents/Daemons

    View full-size slide

  52. 54
    Hunting for suspicious Launch Agents/Daemons
    What telemetry we need?
    • Process Creation monitoring
    • Process Inventory
    • Console Commands monitoring
    • Console Commands History
    • File Creation monitoring
    • File Change monitoring
    • File Inventory
    • Launch Agents/Launch Daemons inventory
    • Launch Items inventory

    View full-size slide

  53. 55
    Downloading Launch Agent/Daemon PLIST by console tool
    OSX.CreativeUpdate:
    OSX.Siggen:
    Some macOS malware, that combines
    EmPyre backdoor and XMRig miner
    It is quite common for malware or adversaries to download Launch Agents/Daemons PLIST files using
    standard tools like curl

    View full-size slide

  54. 56
    Search for command lines that contain combinations of standard downloading tools (like curl) and
    paths to the Launch Agents/Daemons PLIST files location:
    dev_os_type:macos AND
    cmdline:*curl* AND
    (cmdline:("*/LaunchAgents/*" OR "*/LaunchDaemons/*") OR
    cmdline.keyword:*.plist*) AND
    -cmdline:("*/homebrew/Library/Homebrew/*")
    Downloading Launch Agent/Daemon PLIST by console tool
    Let’s hunt it!

    View full-size slide

  55. 57
    Downloading Launch Agent/Daemon PLIST by console tool
    Let’s hunt it!
    Search for PLIST files creation or modification by curl or script interpreters:
    dev_os_type:macos AND
    event_type:(FileCreate OR FileChange) AND
    proc_file_path:(*curl* OR *osascript* OR *python* OR *perl* OR *ruby*) AND
    (file_path.keyword:*.plist OR file_path:("*/LaunchAgents/*" OR
    "*/LaunchDaemons/*"))
    -proc_cmdline:("*/homebrew/Library/Homebrew/*")

    View full-size slide

  56. 58
    Building Launch Agent/Daemon PLIST from the command line
    Silver Sparrow and UpdateAgent malware use PlistBuddy in
    direct mode to add arguments to a PLIST file:
    VPN Trojan (Covid) malware creates PLIST file using echo
    command:

    View full-size slide

  57. 59
    Building Launch Agent/Daemon PLIST from the command line
    Let’s hunt it!
    Search for usage of PlistBuddy or echo to create/modify PLIST:
    cmdline:("echo *" OR *PlistBuddy*) AND
    cmdline:(*RunAtLoad* OR *ProgramArguments*) AND
    -(proc_cwd:"*/Library/InstallerSandboxes/.PKInstallSandboxManager/*" OR
    proc_cwd.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/ OR
    proc_p_cmdline:"*/Library/InstallerSandboxes/.PKInstallSandboxManager/*" OR
    proc_p_cmdline.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/)

    View full-size slide

  58. 60
    Decode the content of PLIST from base64
    Another trick that commonly used by malware is to decode the content of PLIST file from base64
    encoded string. Bellow there is example from macOS.GMERA malware:

    View full-size slide

  59. 61
    Decode the content of PLIST from base64. Let’s hunt it!
    Search for command lines that contain combinations of base64 substring and paths
    to the Launch Agents/Daemons PLIST files location:
    dev_os_type:macos AND
    cmdline:(*base64*) AND
    (cmdline:("*/LaunchAgents/*" OR "*/LaunchDaemons/*") OR
    cmdline.keyword:*.plist*)

    View full-size slide

  60. • Calisto malware adds property list file in LaunchAgents using ‘cp’:
    Other ways to create malicious Launch Agent/Daemon
    PLIST files – mv, cp, touch, zip commands
    • Dummy malware adds property list file in LaunchDaemons using ‘mv’:
    • HiddenLotus uses ‘touch’ to create property list file in LaunchDaemons

    View full-size slide

  61. 63
    Suspicious Launch Agent/Daemon PLIST files
    Masquerading as a system service (PLIST file
    name contains: ”com.apple.*”) :
    Adversaries may attempt to manipulate the name of PLIST file to make it appear legitimate or benign:
    • ~/Library/LaunchAgents/com.apple.spx.plist
    • ~/Library/LaunchDaemons/com.apple.acc.installer.v1.plist
    • ~/Library/LaunchAgents/com.apple.softwareupdate.plist
    • ~/Library/LaunchAgents/com.apple.spx.plist
    • ~/Library/LaunchAgents/com.apple.HYQ.plist
    • ~/Library/LaunchAgents/com.apple.2KR.plist
    • ~/Library/LaunchAgents/com.apple.Yahoo.plist
    • ~/Library/LaunchAgents/com.apple.Google.plist
    • /Library/LaunchAgents/com.apple.update.plist
    • ~/Library/LaunchAgents/com.apple.abtpd.plist
    • /Library/LaunchDaemons/com.apple.abtpd.plist
    • ~/Library/LaunchAgents/com.apple.Safari.proxy.plist
    • ~/Library/LaunchAgents/com.apple.Safari.pac.plist
    • /Library/LaunchDaemons/com.apple.marcoagent.voiceinstallerd.plist
    • ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstaller.plist
    • ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist
    • ~/Library/LaunchAgents/com.apple.usagestatistics.plist
    • ~/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
    • /Library/LaunchDaemons/.com.apple.WindowServer.plist
    • /Library/LaunchAgents/.com.apple.upd.plist
    • ~/Library/LaunchAgents/.com.apple.system.plist
    • ~/Library/LaunchAgents/ com.appIe.stockf.stocks
    • ~/Library/LaunchAgents/ com.appIe.stockfolioses.Stockfoli
    PLIST file name looks similar to ”com.apple” :
    Hidden PLIST file (name starts with dot):
    • ~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
    • ~/Library/LaunchAgents/MacOSupdate.plist
    • ~/Library/mdworker/MacOSupdate.plist
    Masquerading as macOS update service:
    • ~/Library/k.plist
    • ~/Library/LaunchAgents/a.plist
    • ~/Library/LaunchAgents/1.plist
    Too short PLIST file name:

    View full-size slide

  62. 64
    Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!
    Search for PLIST files looking like legitimate system services, but located not in typical for system
    Launch Agents/Daemons folders:
    dev_os_type:macos AND
    event_type:(FileCreate OR FileInfo) AND
    file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*")AND
    file_path:(*com.apple* OR *com.appie* OR (*update* AND *mac*) OR (*update* AND *system*))
    -file_path:("/Library/Apple/System/Library/LaunchAgents/*" OR
    "/Library/Apple/System/Library/LaunchDaemons/*" OR "/System/Library/LaunchDaemons/*" OR
    "/System/Library/LaunchAgents/*")

    View full-size slide

  63. 65
    Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!
    Search for PLIST files with short names:
    dev_os_type:macos AND
    event_type:(FileCreate OR FileInfo) AND
    file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
    file_path.keyword:/.+\/.{1,3}.plist/

    View full-size slide

  64. 66
    Search for hidden PLIST files:
    dev_os_type:macos AND
    event_type:(FileCreate OR FileInfo) AND
    file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
    file_path.keyword:/.+\/\..+/ AND
    -proc_file_path:"/Library/Application Support/AirWatch/hubd"
    Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!

    View full-size slide

  65. 67
    Hunting for suspicious Launch Agents/Daemons

    View full-size slide

  66. 68
    Hunting suspicious PLIST targets – Telemetry
    Osquery launchd table KnockKnoc command line scan with output to a file:

    View full-size slide

  67. 69
    Xloader stealer Launch Agent starts
    file from hidden folder (.URzH)
    OSX.LamePyre backdoor
    starts two hidden files
    (.system and .helper)
    Hidden files or files from hidden folders as Launch
    Agent/Daemon targets

    View full-size slide

  68. 70
    Hidden files or files from hidden folders as Launch
    Agent/Daemon targets. Let’s hunt it!
    Search for Launch Agents and Launch Daemons that start hidden files or files from hidden folders:
    sensor_type:osquery AND
    rule_name:"pack_inventory_launchd" AND
    service_autorun:true AND
    file_path.keyword:/.+\/\..+/

    View full-size slide

  69. 71
    Search for Launch Agents and Launch Daemons that start files from temporal folders:
    sensor_type:osquery AND
    rule_name.keyword:"pack_inventory_launchd" AND
    service_autorun:true AND
    file_path:("/tmp/*" OR "/var/tmp/*" OR "/private/var/tmp/*" OR
    "/private/tmp/*" OR "*/etc/*")
    Files from temporal folder as Launch Agent/Daemon targets
    Let’s hunt it!

    View full-size slide

  70. 72
    Search for execution of files from temporal folders with /sbin/launchd as a parent:
    dev_os_type:macos AND
    event_type:(ProcessCreate OR ProcessInfo) AND
    proc_p_file_path:"/sbin/launchd" AND
    proc_file_path:("/tmp/*" OR "/var/tmp/*" OR "/private/var/tmp/*" OR
    "/private/tmp/*" OR "*/etc/*") AND
    -proc_file_path.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/
    Files from temporal folder as Launch Agent/Daemon targets
    Let’s hunt it!

    View full-size slide

  71. 73
    OSX.Siggen – a fake WhatsApp Trojan.
    The Launch Agent is downloaded via
    curl and starts bash script
    XcodeSpy is a malicious Xcode project that installs a
    custom variant of the EggShell backdoor and uses Launch
    Agent as a persistence mechanism that starts bash
    Script interpreters or shells as Launch Agents/Daemons targets

    View full-size slide

  72. 74
    WildPressure malware
    decodes the XML, fills
    [pyscript] placeholder
    with the path to the
    python script and
    drops .plist file for
    persistence
    Silver Sparrow sets up
    persistence with the
    Launch Agent that
    starts /bin/sh
    Script interpreters or shells as Launch Agents/Daemons targets

    View full-size slide

  73. 75
    OSX.ppminer – the trojan
    installs Launch Agent that
    starts compiled AppleScript
    using osasscript tool
    Script interpreters or shells as Launch Agents/Daemons targets
    CrossRAT persists as a
    Launch Agent that starts .jar
    file using java interpreter

    View full-size slide

  74. 76
    Search for Launch Agents and Launch Daemons that start interpreters:
    dev_os_type:macos AND
    sensor_type:osquery AND
    rule_name:"pack_inventory_launchd" AND
    service_autorun:true AND
    (cmdline:(*bash* OR *zsh* OR *ksh* OR *tcsh* OR *dash* OR *tclsh* OR *fish* OR
    "*/bin/sh*" OR *perl* OR *ruby* OR *python* OR *osascript* OR *javascript* OR
    *curl* OR *wget* OR *java*) OR file_path.keyword:(*.sh OR *.bash OR *.py OR
    *.pl OR *.rb OR *.scpt OR *.scptd OR *.jar))
    Launch Agents/Daemons that start interpreters. Let’s hunt it!

    View full-size slide

  75. 77
    T1547.015 – Boot or Logon Autostart Execution: Login Items
    • Login items are launched when the user logs in, and continue
    running until the user logs out or manually quits them
    • There are two ways to add a login item: using the Service
    Management framework, and using a shared file list
    • Shared file list login items can be set using scripting languages
    such as AppleScript or LSSharedFileListInsertItemURL API,
    whereas the Service Management Framework uses the API call
    SMLoginItemSetEnabled.
    • The entries of "Login Items" are stored in:
    • ~/Library/Preferences/com.apple.loginitems.plist - before High Sierra
    • ~/Library/Application Support/ com.apple.backgroundtaskmanagementagent/
    backgrounditems.btm – since High Sierra
    • /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-
    v*.btm (for example, BackgroundItems-v7.btm) – since Ventura
    • Since macOS 13 Ventura when a Login Item is added, the system
    generates a notification alert :
    Before macOS 13 Ventura
    Since macOS 13 Ventura

    View full-size slide

  76. 78
    T1547.015 – Boot or Logon Autostart Execution: Login Items
    OSX/Dok utilizes AppleScript to create the Login Item named “AppStore”:
    Apfell Mythic framework agent has command persist_loginitem_allusers
    that add a login item for all users via the LSSharedFileListInsertItemURL:

    View full-size slide

  77. 79
    Create Login Item using osascript. Let’s hunt it!
    Search for osascript usage to create Login Item:
    dev_os_type:macos AND
    cmdline:*osascript* AND
    cmdline:"*System Events*" AND
    cmdline:"*login item*" AND cmdline:*path* AND
    -proc_p_cmdline:*PKInstallSandbox*

    View full-size slide

  78. 80
    Generic detection of Login Items creation/deletion
    Modification of Background Items database file can be the sign of Login Item creation/deletion:
    dev_os_type:macos AND
    event_type:FileChange AND
    file_path:(*BackgroundItems* OR "*/com.apple.loginitems.plist")

    View full-size slide

  79. 81
    Search for recently created non signed files started by launchd – can be the sign of newly created
    Launch Agent, Launch Daemon or Login Item:
    dev_os_type:macos AND
    event_type:ProcessCreate AND
    proc_p_file_path:"/sbin/launchd" AND
    proc_file_age:<600 AND
    -proc_file_sig_result:good
    Generic detection of suspicious Launch Agents,
    Launch Daemons or Login Items

    View full-size slide

  80. 82
    Credential Access

    View full-size slide

  81. macOS Credential Access

    View full-size slide

  82. Spoofing credentials dialog using AppleScript (osascript)
    MacStealer uses standard osasscript tool to show
    fake password prompts for gathering credentials:
    Atomic Stealer uses a crude but effective means of
    extracting the user’s login password via AppleScript spoofing:

    View full-size slide

  83. Spoofing credentials dialog using AppleScript. Attack Flow
    1. Show spoofed
    credentials dialog box
    2. Check entered
    password using sudo
    or dscl comands
    3. Repeatedly shows
    spoofed credentials
    dialog box until the
    correct password is
    supplied

    View full-size slide

  84. 86
    Spoofing credentials dialog with osascript. Let’s hunt it!
    Search for osascript usage to spoof credentials dialog:
    dev_os_type:macos AND
    cmdline:*osascript* AND
    cmdline:"*display dialog*" AND
    cmdline:(*password* OR *пароль* "*hidden answer*")

    View full-size slide

  85. 87
    Checking passwords via sudo or dscl. Let’s hunt it!
    Search for sudo and dscl tool usage to check password:
    dev_os_type:macos AND
    (
    cmdline.keyword:/.*echo .+\|.*sudo \-S .+/ OR
    (cmdline:*dscl* AND cmdline:*authonly*)
    ) AND
    -cmdline:*ssh*

    View full-size slide

  86. 88
    Metasploit password_pompt_spoof module
    osx/gather/password_prompt_spoof msf module drops
    script to hidden folder inside /tmp and executes it with
    ossascipt tool
    88

    View full-size slide

  87. Metasploit password_pompt_spoof module. Let’s hunt it!
    89
    Search for usage of osascript tool to run scripts from tmp:
    dev_os_type:macos AND((cmdline.keyword:(/.*osascript .{0,10}\/tmp\/.+/ OR
    /.*osascript .{0,10}\/var\/tmp\/.+/ OR /.*osascript
    .{0,10}\/private\/var\/tmp\/.+/)) OR (event_type:(ProcessCreate OR
    ProcessInfo) AND cmdline:*osascript* AND proc_cwd:*tmp*) )

    View full-size slide

  88. Spoofing credentials dialog using API calls
    It is possible to spoof credentials dialog via NSAAlert API calls. Bellow
    there is an example from Swift-Attack testing tools:
    90

    View full-size slide

  89. Keychain – wtf?
    • The infrastructure and a set of APIs used by Apple operating systems
    and third-party apps to store and retrieve passwords, keys and other
    sensitive credentials
    • Applications need to handle secure information, such as keys and
    login tokens. The keychain provides a secure way to store these items
    – it is like DPAPI on Windows hosts
    • There are three types of Keychains: Login Keychain, System Keychain,
    and Local Items (iCloud) Keychain
    • The Login Keychain stores user passwords and information:
    • ~/Library/Keychains/login.keychain-db (but may differ)
    • The System Keychain stores items accessed by the operating system,
    such as items shared among users on a host:
    • /Library/Keychains/System.keychain
    • The Local Items (iCloud) Keychain is used for items synced with
    Apple’s iCloud service
    • Native tools for interacting with Keychains – security (CLI), Keychain
    Access (GUI)
    91
    “Keychain Access is a macOS
    app that stores your
    passwords and account
    information, and reduces the
    number of passwords you
    have to remember and
    manage.”
    - Apple

    View full-size slide

  90. Keychain Dumping
    92

    View full-size slide

  91. Grab Keychain files
    Meterpreter enum_osx post-exploitation module get
    Keychains file using cat command (/bin/cat
    "/Users/name/Library/Keychains/login.keychain-db):
    Atomic Stealer steal the user’s keychain
    contents. A process called ‘unix1’ is spawned in
    memory to obtain the keychain.:
    93

    View full-size slide

  92. OSX/Proton backdoor collects user Keychains using zip command
    (zip -r %@/KC.zip ~/Library/Keychains/ /Library/Keychains/;):
    Calisto trojan is able to steal the contents of Keychain and archive it using zip command:
    94
    Grab Keychain files

    View full-size slide

  93. 95
    Metasplot enum_osx
    module
    Search for Keychains paths or well-known Keychain dumping tools names in the command line:
    cmdline:("*/Library/Keychains/*" OR "*login.keychain*" OR "*System.keychai*" OR
    "*keychain_dumper*" OR *libkeystealClient* OR *chainbreaker* OR *keychaindump*
    OR "*dump-keychain*") AND
    -proc_file_path:"/usr/bin/security" AND
    -cmdline:("*/usr/bin/security*" OR *chown* OR *chmod*)AND
    -cmdline.keyword:(/ls .+/ OR /cd .+/ OR /.*security .+/)
    Grab Keychain files. Let’s hunt it!

    View full-size slide

  94. 96
    Grab Keychain files. Let’s hunt it!
    Search for files whose names contain the word ”keychain” or names of the well-known Keychain
    dumping tools:
    dev_os_type:macos AND
    event_type:(FileCreate OR FileInfo) AND
    file_path:(*keychain* OR *chainbreaker*) AND
    -file_path:(”/usr/local/bin/git-credential-osxkeychain" OR
    ”/usr/sbin/systemkeychain" OR ”/usr/local/bin/docker-credential-osxkeychain" OR
    "*/Library/Keychains*")

    View full-size slide

  95. Dumping of Keychain content via Security command
    ”security dump-keychains” command can be used to dump the content of the keychain storage data :
    97

    View full-size slide

  96. 98
    Dumping of Keychain Content via Security Command
    Let’s hunt it!
    Search for security tool usage with dump-keychain option:
    dev_os_type:macos AND
    cmdline:*security* AND
    cmdline:"*dump-keychain*" AND
    cmdline.keyword:(/.+ \-d.*/ OR /.+ \-r.*/)

    View full-size slide

  97. Browsers cookies and credentials theft
    Cookies storage locations:
    • Chrome: ~/Library/Application Support/Google/Chrome/Default/Cookies
    • Firefox:~/Library/ApplicationSupport/Firefox/Profiles/*.default/cookies.sqlite
    • Safari: ~/Library/Safari/LocalStorage/*, ~/Library/Cookies/*
    Credentials storage locations:
    • Chrome:~/Library/Application Support/Google/Chrome/Default/Login Data
    • Firefox:~/Library/ApplicationSupport/Firefox/Profiles/*.default/login.json"
    • Safari: ~/Library/Safari/Form Values/*
    Credentials from Password
    Stores: Credentials from Web Browsers
    Steal Web Session Cookie
    • Browser cookies and saved passwords are highly valuable to attackers
    • Stolen cookies and passwords can be used to gain access to
    internal/external applications
    99

    View full-size slide

  98. Browsers cookies and credentials theft examples
    OSX/Proton collects private browser data using zip command:
    XCSSET safari_cookie module thefts Safari cookie using scp command:
    10
    0

    View full-size slide

  99. 10
    1
    Browsers cookies theft. Let’s hunt it!
    Search for paths to the browser cookies storage in the command lines:
    dev_os_type:macos AND
    cmdline:("*/Library/Cookies*" OR ("*/Firefox/Profiles/*" AND "*cookies.sqlite*")
    OR "*/Library/Application Support/Google/Chrome/Default/Cookies*" OR
    "*/Google/Chrome Beta/Default/Cookies*" OR "*/Chromium/Default/Cookies*" OR
    "*/Microsoft Edge/Default/Cookies*" OR "*/BraveSoftware/Brave-
    Browser/Default/Cookies*" OR "*/com.operasoftware.Opera/Default/Cookies*" OR
    "*/com.operasoftware.OperaGX/Default/Cookies*" OR "*/Vivaldi/Default/Cookies*"
    OR "*/Coccoc/Default/Cookies*" OR "*/Yandex/YandexBrowser/Default/Cookies")

    View full-size slide

  100. 10
    2
    Browsers credentials theft. Let’s hunt it!
    Search for paths to the browser credentials storage in the command lines:
    dev_os_type:macos AND
    cmdline:("*/Library/Safari/Form Values/*" OR ("*/Firefox/Profiles/*" AND
    "*login.json*") OR "*/Library/Application Support/Google/Chrome/Default/Login
    Data*" OR "*/Google/Chrome Beta/Default/Login Data*" OR "*/Chromium/Default/Login
    Data*" OR "*/Microsoft Edge/Default/Login Data*" OR "*/BraveSoftware/Brave-
    Browser/Default/Login Data*" OR "*/com.operasoftware.Opera/Default/Login Data*"
    OR "*/com.operasoftware.OperaGX/Default/Login Data*" OR "*/Vivaldi/Default/Login
    Data*" OR "*/Coccoc/Default/Login Data*" OR "*/YandexBrowser/Default/Login Data")

    View full-size slide

  101. Decryption of stolen browser’s data
    • Chrome encrypts all user data files with a key stored in
    the login keychain.
    • Cookies
    • History
    • Passwords
    • Saved Payment information
    • The encryption key is base64 encoded and stored as the
    Chrome Safe Storage key in the User's Keychain
    • Attacker can get this key from the grabbed copy of the
    login keychain
    • Another way to get Chrome Safe Storage is to use security
    tool with “find-generic-password” option
    • After obtaining the key ChromeCookieDecryptor tool
    (https://github.com/marx-yu/ChromeCookieDecryptor)
    can be used to decrypt data
    10
    3

    View full-size slide

  102. 10
    4
    HackBrowserData credentials dumping tool
    HackBrowserData gets the chromium master key from the keychain using security tool with
    “find-generic-password” option:

    View full-size slide

  103. 105
    Using security tool to get browser’s master key. Let’s hunt it!
    Search for security tool usage to get browser’s master key from user's Keychain:
    dev_os_type:macos AND
    cmdline:*security* AND
    cmdline:("*find-generic-password*" OR "*find-internet-password*") AND
    cmdline:(*Chrome* OR *Chromium* OR *Opera* OR *Safari* OR *Brave* OR
    *Microsoft Edge* OR *Edge* OR *Firefox*)
    AND -proc_p_file_path:("*/Applications/Keeper Password Manager.app/Contents/*"
    OR "*/Contents/MacOS/Keeper Password Manager Helper*")

    View full-size slide

  104. 10
    6
    To be continued… Privilege Escalation, Defense Evasion,
    Discovery AND Lateral Movement

    View full-size slide

  105. 10
    7
    Questions?

    View full-size slide