This is part 33 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. Widgets are application extensions you can place on your desktop to display some key information from your main app. Although Apple says developers shouldn’t implement any functionality there and just use them as a display, they are still apps that run on their own and we can run code inside them.| theevilbit blog
2023: Launch and Environment Constraints Deep Dive (MacSysAdmin, Objective By The Sea) Presentation. 2022: 20+ New Ways to Bypass Your macOS Privacy Mechanisms (co-author: Wojciech Regula) (BlackHat EU) Presentation Video; macOS Vulnerabilities Hiding in Plain Sight (BlackHat Asia, Troopers, Zer0Con) Presentation Whitepaper Video; The Achilles Heel of Endpoint Security (Objective By The Sea, MacSysAdmin) Presentation Video; Beyond the Good Ol’ LaunchAgents (SecurityFest, ...| theevilbit.github.io
This is part 31 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. macOS implements the OpenBSM audit framework created by McAfee Research, which allows someone to audit system events, like login, file access, etc… This has been part of the system for a very long time. Auditing has several components, the main one being the kernel, which handles all the events.| theevilbit.github.io
This is part 30 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. I was watching an old BSidesLuxemburg 2019 talk by Aaron Jewitt, called “Threat Hunting On Linux And Mac With Auditbeat System Module”, it’s up on YouTube. Aaron mentioned in one of the slides that you can persist using man.conf files. It looked really odd, I tried to quickly Google it, but haven’t found...| theevilbit.github.io
This is part 29 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. When doing some research on macOS I came across the following LaunchAgent: /System/Library/LaunchAgents/com.apple.amstoold.plist. Its content is the following (keys flattened in this excerpt): EnablePressuredExit, EnableTransactions, Label: com.apple.amstoold, LaunchEvents: com.apple.distnoted.matching: com.| theevilbit.github.io
This is part 28 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This persistence mechanism was described in great detail by Chris Ross in his blogpost: Persistent Credential Theft with Authorization Plugins. He also developed sample code, which can be found on his GitHub. Thus this blog will only focus on the high level summary, and some changes that happened since he wrote t...| theevilbit.github.io
This is part 27 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This persistence is another gem I found in Leo Pitt’s Modern macOS Persistence talk. macOS Dock stores shortcuts for applications that we would like to access through the, well… Dock. It stores all settings in ~/Library/Preferences/com.apple.dock.plist. Although we can edit this PLIST directly, we can also ...| theevilbit.github.io
This is part 26 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This method was documented in detail by Patrick Wardle in his blogpost back in 2016. It was also covered by Leo Pitt in his Modern macOS Persistence talk, and he also made a POC, which can be found on his GitHub.| theevilbit.github.io
This is part 25 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. A possibly less-known feature is that macOS has a built-in Apache2 web server, which can be enabled at any time. Just as other Apache2 servers, it also supports loading custom modules, and this is what we will explore here briefly for persistence.| theevilbit.github.io
This is part 24 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. Folder action persistence has been documented by Cody Thomas back in 2019 in his blog. I think he did an awesome job, and everything he wrote still applies today. I wanted to take it a bit further and see if I can persist without any user prompts, and it turned out it is possible.| theevilbit.github.io
This is part 23 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This post will be about emond, Apple’s Event Monitor daemon. I think almost everything has already been said about this method and emond in general by James Reynolds here and xorrior here, so really not much is left for me. There is no point in me replicating their awesome posts, so please just read them.| theevilbit.github.io
This is part 22 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This method is considered deprecated by Apple, yet it still works. LoginHooks and LogoutHooks have been widely documented by many people, so this post is mostly for completeness. The official, Apple documentation can be found here: Customizing Login and Logout| theevilbit.github.io
My name is Csaba Fitzl, also known as “theevilbit”, which comes from RFC 3514. I graduated in 2006 as a computer engineer. I have worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, I have worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Currently, I’m working as a content developer at Offensive Security.| theevilbit.github.io
This is part 21 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This method was also documented by Patrick Wardle, in his original Methods of Malware Persistence white paper and also at MITRE ATT&CK®. When we restart macOS, we are presented with the following window: I guess, most users keep it selected, and then macOS will reopen all apps.| theevilbit.github.io
This is part 20 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This is another application specific persistence method, related to the Terminal application. In the Terminal Preferences, under the Profiles tab, we can set a command that will be executed upon Terminal’s startup. This is shown in the screen below. This is stored inside Terminal’s preferences PLIST file, lo...| theevilbit.github.io
This is part 19 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This post has been long due, as it’s one of my favorite persistence tricks. Up until Big Sur 11.5 you could also exploit it for privilege escalation if Homebrew was installed on the system. Periodic scripts have a FreeBSD origin. These scripts are doing some maintenance tasks on the system, and scheduled to be...| theevilbit.github.io
This is part 18 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. I learned about XQuartz while reading Armin Briegel’s macOS Terminal and shell book. It’s one of the alternative third party terminals we can install on macOS. As most terminals, this one also offers unique options to persist on the system.| theevilbit.github.io
This is part 17 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. Color pickers??? It’s this menu, where we can select a color: To my surprise we can install our own color pickers on the system, and add custom ones. There are quite a few of these, some are even open source, like this: GitHub - viktorstrate/color-picker-plus: An Improved Color Picker for macOS.| theevilbit.github.io
This is part 16 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. Screen savers have been detailed recently by Leo Pitt in his blog post: “Saving Your Access”. Considering that he already wrote most of the interesting stuff, I will try to show some new information, but there will be some overlap. Screen savers are macOS bundles with the bundle extension of .| theevilbit.github.io
This is part 15 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. I ran into this not-so-exciting persistence method when I was investigating xsanctl for… other… reasons… xsanctl is a “Xsan file system control utility”, which allows us to mount and manage Xsans. The xsanctl binary can be found at /System/Library/Filesystems/acfs.| theevilbit.github.io
This is part 14 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. The at command set is a legacy *nix job scheduler on macOS. Although it’s slowly being deprecated, it’s still available on Big Sur, although disabled by default. Enabling atrun: As described by atrun’s man page, the scheduler can be enabled using the following command:| theevilbit.github.io
This is part 13 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This is another one of my favorites for some reason. macOS being a popular audio editing device, supports external audio drivers and plugins. @xorrior wrote a very extensive blog post about these at his website, here: Audio Unit Plug-ins. Legitimate Un-signed Code Execution | by Christopher Ross | Posts By Spect...| theevilbit.github.io
This is part 12 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. TL;DR: This technique is very similar to Spotlight Importers, but heavily sandboxed. It’s even more limited, as the user needs to specifically want to preview the file. Intro: This will be a short post and it goes hand in hand with my previous one that detailed the use of Spotligh...| theevilbit.github.io
This is part 11 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. TL;DR: It works, but it is very limited due to heavy sandboxing: you can only read and copy files to your sandbox folder or consume some CPU power. If you have a way to escape the sandbox then go for it, or it could be used as part of a multi-part malware.| theevilbit.github.io
This is part 10 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. I started to explore the possibility of persisting on macOS through script files contained in an application. The basic idea is that if we find a script file which is being executed by a given application, we can edit that script file, put our code inside, and wait for an execution.| theevilbit.github.io
This is part 9 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. Preference panes on macOS are plugins to the System Preferences.app. These panes can extend the functionality of the app, and typically allow you to modify configuration settings for your app. These panes are loaded when the user selects them, so they are not perfect from a persistence point of view, as it require...| theevilbit.github.io
This is part 8 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This idea came from my colleague @dejandayoff. It’s another application specific persistence option, related to Hammerspoon. The app is an automation tool that allows macOS scripting through the Lua scripting language. We can even embed full AppleScript code as well as run shell scripts.| theevilbit.github.io
This is part 7 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. This technique came from @bradleyjkemp in one of his Twitter posts. xbar is an application that can put the output of a script into the menubar. The scripts should be placed in ~/Library/Application\ Support/xbar/plugins/. Standard shell scripts are supported, and so I tried the one listed on their GitHub page as...| theevilbit.github.io
This is part 6 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. I learned about this trick from @0xdade when he posted it on Twitter. If we create a file in the user’s HOME directory at ~/.ssh/rc it will be executed before the user’s login shell becomes available. The man page of sshd describes this in more detail.| theevilbit.github.io
This is part 5 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. PAM originated at Sun Microsystems in the mid-1990s, but made its way to most *nix based systems, including Linux and macOS. It’s a modular system that allows third party additions to various authentication related operations. I highly recommend checking out the FreeBSD documentation to get a full picture.| theevilbit.github.io
This is part 4 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. cron is probably one of the most well known persistence mechanisms for macOS and basically any *nix operating system. It was originally developed for Unix back in 1975, and made its way to most platforms which have Unix origins, like Linux, FreeBSD and thus macOS.| theevilbit.github.io
This is part 3 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. To clear up some expectations: the below tweet is not about this method, that is deferred for now. :) Login items are probably one of the most well documented methods to persist on macOS. It’s widely used by various applications to launch themselves upon user login.| theevilbit.github.io
This is part 2 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. If the first part was about Terminal and shell profiles, it’s worth mentioning iTerm2, which is a popular Terminal alternative on macOS. It’s being used by many people, especially power users. When we start iTerm2 it starts the same shell environment as Terminal, and thus the same startup files apply here as ...| theevilbit.github.io
This is part 1 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. Shell startup files are executed when our shell environment like zsh or bash is starting up. macOS defaults to /bin/zsh these days, and whenever we open Terminal or SSH into the device, this is the shell environment we are placed into.| theevilbit.github.io
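The check a responder would want across the user-level and system-level locations the series above touches (shell startup files, ~/.ssh/rc and sshrc, xbar plugins, cron and at, periodic, PAM, LoginHook/LogoutHook, Dock and Terminal preferences, authorization plugins, emond rules, the built-in Apache config), as an added triage script that is not code from the blog or any of the posts. The path list is my own selection of standard macOS locations; ROOT lets the same walk run against a mounted disk image or a test tree, and the second argument is the home directory as seen inside that root.

```shell
#!/bin/sh
# Added example (not from the series): list persistence locations that exist,
# print owner/permissions so odd entries stand out, dump any sshrc-style hook,
# and flag a loginwindow plist that carries a LoginHook/LogoutHook key.
# Results: PERSIST_HITS (number of paths present), PERSIST_LOGINHOOK (0/1).
# Usage: check_persistence_paths [ROOT] [HOME_INSIDE_ROOT]

check_persistence_paths() {
  root="${1:-}"            # empty = live system
  home="${2:-$HOME}"       # path relative to ROOT when ROOT is given
  PERSIST_HITS=0
  PERSIST_LOGINHOOK=0
  # Path list is an assumption: common macOS locations matching the posts above.
  for p in \
    "$home/.zshenv" "$home/.zprofile" "$home/.zshrc" "$home/.zlogin" \
    "$home/.bash_profile" "$home/.bashrc" "$home/.profile" \
    "$home/.ssh/rc" \
    "$home/Library/Application Support/xbar/plugins" \
    "$home/Library/Preferences/com.apple.dock.plist" \
    "$home/Library/Preferences/com.apple.Terminal.plist" \
    "$home/Library/Preferences/com.apple.loginwindow.plist" \
    "$home/Library/LaunchAgents" \
    /etc/zshenv /etc/zprofile /etc/zshrc /etc/profile /etc/bashrc \
    /etc/ssh/sshrc \
    /etc/pam.d /etc/periodic /etc/crontab \
    /private/var/at/tabs /private/var/at/jobs \
    /Library/Security/SecurityAgentPlugins \
    /etc/emond.d/rules \
    /etc/apache2/httpd.conf \
    /Library/LaunchAgents /Library/LaunchDaemons
  do
    full="$root$p"
    [ -e "$full" ] || continue
    PERSIST_HITS=$((PERSIST_HITS + 1))
    ls -ld "$full"
    case "$p" in
      */com.apple.loginwindow.plist)
        # Keys survive as plain strings even in binary plists, so grep -a works
        if grep -aq -e LoginHook -e LogoutHook "$full"; then
          PERSIST_LOGINHOOK=1
          echo "  !! LoginHook/LogoutHook key present in $full"
        fi ;;
      */.ssh/rc|*/sshrc)
        echo "  !! sshrc-style hook present; contents:"
        sed 's/^/     /' "$full" ;;
    esac
  done
  echo "paths present: $PERSIST_HITS, loginhook: $PERSIST_LOGINHOOK"
  return 0
}

check_persistence_paths "$@"
```

Run it with no arguments on the live host, or as `sh check.sh /Volumes/image /Users/alice` against a mounted image. Presence of a path is only a lead: most of these files exist legitimately, so the value is in the ownership, timestamps and contents of what is listed, not in the count.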
Shield - An app to protect against process injection on macOS. In this post I would like to tell the story of the Shield.app development and also introduce its features. It’s been a ride over the past year, and I wasn’t always sure that it would happen. Motivation for limiting process injections: In the past 2 years I started to dig into macOS security research, and along the way it became pretty clear that beyond memory corruption issues the alpha and omega o...| theevilbit.github.io