macOS C2 Checklist

Given the relative immaturity of endpoint security products for macOS, users rely heavily on Apple’s custom controls such as Entitlements, Gatekeeper, Notarization, SIP, and TCC to prevent malware.  

The macOS C2 assessment thoroughly analyzes the controls in place on a standard device in the customer’s environment. Specifically, the tester will attempt to execute malware in various formats, analyze installed applications for control bypasses, search for local privilege escalation opportunities, and try to exfiltrate data over multiple protocols.

Initial Access Payload Detonation

There are a couple of C2 frameworks that support macOS. Mythic with the Apfell agent is the easiest option for payload testing because of Mystikal: an open source payload generator with several formats.

Mythic C2 Setup

Mythic is a cross-platform C2 framework created by SpecterOps. There are several Mythic Agents available, many of which target macOS. The teamserver is implemented as a set of Docker containers. The repo includes a CLI tool for easy deployment:

  1. Install Docker Engine (see the Docker documentation).
  2. Clone the repo and cd into it: git clone https://github.com/its-a-feature/Mythic && cd Mythic
  3. Download the agents and C2 profiles needed:
     sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon
     sudo ./mythic-cli install github https://github.com/MythicAgents/leviathan
     sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
     sudo ./mythic-cli install github https://github.com/MythicC2Profiles/websocket
  4. Edit .env with new secrets and an admin user password.
  5. Start the teamserver: sudo ./mythic-cli start


Initial Access Payloads with Mystikal

Mystikal Setup

Mystikal only runs on macOS. If you don’t have a Mac, AWS has support for x64 and AMD64 macOS. Once this is ready, there are a few prerequisites:

  1. Follow Mythic C2 Setup instructions.
  2. Install Xcode command line tools: xcode-select --install
  3. Install Google Chrome
  4. Clone the repo and cd into it: git clone https://github.com/D00MFist/Mystikal && cd Mystikal
  5. Install the PIP requirements: sudo pip3 install -r requirements.txt
  6. Edit Settings/MythicSettings.py with your Mythic server details.

Generate Payloads

Start the Mystikal CLI with python3 mystikal.py. Follow the menu options to generate the following payloads:

  • Installer Package - 1>4>1
  • Chrome Extension - 2
  • VBA Word Macro - 4>1
  • Disk Image - 6
  • PDF - 7
  • Python PIP Package - 8>1
  • Ruby Gem - 9>2
  • NodeJS NPM Package - 10

Host and Execute Payloads

Some of the payloads require more than a double-click to execute.

  • Installer Package
    • Double-click the JSpackage.pkg file and click Allow.
  • Chrome Extension
    • Local admin is required.
    • Only works on domain-joined hosts.
    • Must host manifest.xml and extension.crx after Mystikal generates them. The intended file URLs must be in MystikalSettings.py before generation.
    • Double-click the .mobileconfig file. Open Settings, go to Profiles, select the profile and click Install.
  • VBA Word Macro
    • Create a new Word document. Copy the contents of macro.txt into the macro editor.
  • Disk Image
    • More realistic with local admin, but not required.
    • Double-click the .dmg file.
      • If local admin, copy the file to Applications and then double-click it.
      • If not, double-click the file inside of the popup.
  • PDF
    • Double-click the .pdf file.
  • Python PIP Package
    • Open a terminal and cd to the directory with setup.cfg. Run pip3 install .
  • Ruby Gem
    • Open a terminal and cd to the directory with Gemfile. Run bundle install.
  • NodeJS NPM Package
    • Open a terminal and cd to the directory with package.json. Run npm install.

TCC Bypass Discovery

Transparency, Consent, and Control (TCC)

TCC Overview

TCC is a security control in macOS that prevents applications (even running as root) from accessing sensitive data and capabilities. The list of protected folders includes Documents, Desktop, and Downloads. The list of protected capabilities includes camera and microphone usage.

Applications are granted access to TCC-protected resources either through their code signature (Calendar.app is allowed to access the calendar) or through user prompts.

TCC cannot be “bypassed” without a vulnerability in the OS, but it can be avoided or circumvented.

Unprotected, Valuable Directories

  • Browser credentials and cookies:
    • ~/Library/Application Support/Google/Chrome/Default
    • ~/Library/Application Support/Firefox/Profiles/[Random ID].default-release/cookies.sqlite
  • Slack/Teams cookies (SlackPirate)
  • Shell config directories:
    • ~/.ssh
    • ~/.zsh_history
    • ~/.aws
    • ~/.Azure
    • ~/.config/gcloud/

Impersonating Applications

Access to a TCC-protected resource can be achieved by injecting into an approved application.

Dylib-Injection


Local Privilege Escalation

macOS File Permissions

LPE via File Permissions

Various third-party applications and installers modify default directory permissions, creating vulnerable scenarios. Our ability to escalate privileges depends on the applications installed on the system. There are three file permission scenarios we can quickly look for:

1. Direct Write Privileges

Directory privileges can extend or override file permissions. Even if a target file is owned by a different user, directory privileges may allow us to modify the file. Modifying files that applications don’t expect to change may allow us to replace binaries, change configurations, etc. For static analysis, try using enum_file_permissions.py or enum_file_permissions.sh to quickly discover potential issues (the Python script has been tested more, but the Bash script is a good fallback if Python is removed or blocked).

2. Path Hijacking

The directories listed in the PATH env var dictate how macOS searches for executables on the system. If we can write executables to a directory at the beginning of the path, it may be possible to trick a process running as root into executing the wrong file.

  • The default PATH, even for root, begins with /usr/local/bin. This is fine initially because only root can write to it, but third-party applications often misuse this directory. For example, the Brew package manager changes the permissions of the directory so the developer can install packages without root.
  • Common developer tools (Gcloud SDK, Node) may also prefix the root path with user-writeable directories.

3. Privileged Write

Applications with root privileges may copy or write files to an accessible path. If we can execute code before this write, we may be able to create a symlink at the write target that points to a file we want to overwrite. This technique can be used to overwrite service or startup scripts that execute as root. For dynamic analysis, try using FileMonitor on a test machine with the same applications installed.

Exploitation of these vulnerabilities typically involves creating a symlink at the location a privileged application writes to. This symlink can create a new LaunchAgent/LaunchDaemon or potentially modify sensitive PAM config files.

I haven’t found a way to escalate using arbitrary file deletion.


XPC

XPC LPE Vulnerabilities

  1. Find daemons in /Library/LaunchDaemons.
  2. Find a privileged helper tool in /Library/PrivilegedHelperTools/.
  3. Use codesign -dv --entitlements :- /Applications/someapp.App/Contents/MacOS/someapp to check for injection opportunities in an XPC client (no hardened runtime, get-task-allow).
  4. Open the helper tool in a disassembler (Hopper, Ghidra), look for the shouldAcceptNewConnection method, and check for validation.
  5. If there is no signature validation, or there is signature validation but the PID validation uses processIdentifier instead of connection.auditToken, you may be able to send data as an arbitrary client or use a PID reuse attack.
  6. Use class-dump -C <PROTOCOL NAME> <PATH TO HELPER> to view the available methods. If any appear to be capable of code execution, file creation, or file copy/move, there may be an LPE. Open the associated function in the disassembler and determine the usage.
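The validation this checklist looks for, written out as a hardened shouldAcceptNewConnection for a privileged helper: the peer is resolved from its audit token (not processIdentifier), checked against a code-signing requirement, and rejected if it lacks the hardened runtime. This is an added example and not code from any project on this page; the client identifier and Team ID in the requirement string are placeholders, and auditToken is a private NSXPCConnection property that must be declared in a category to be used.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/libbsm.h>  // audit_token_t

// NSXPCConnection carries the peer's audit token but does not declare it publicly;
// declaring it in a category is the usual way to read it (private property).
@interface NSXPCConnection (HelperAudit)
@property (nonatomic, readonly) audit_token_t auditToken;
@end
// Placeholder requirement: one client identifier, signed with one Team ID (subject.OU).
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end
@implementation HelperListenerDelegate
// Resolve the peer from its audit token, not its PID: the token names the exact
// process instance, so a PID-reuse race cannot substitute a different binary.
- (BOOL)isTrustedClient:(NSXPCConnection *)connection {
    audit_token_t token = connection.auditToken;
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef client = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &client) != errSecSuccess) return NO;
    BOOL trusted = NO;
    SecRequirementRef req = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        // Checks the live process's signature against the requirement in one call.
        trusted = (SecCodeCheckValidity(client, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(req);
    }
    // Also refuse clients built without the hardened runtime: an injectable client
    // would let any local code borrow its trusted identity (the get-task-allow check above).
    CFDictionaryRef info = NULL;
    if (trusted && SecCodeCopySigningInformation((SecStaticCodeRef)client, kSecCSDefaultFlags,
                                                 &info) == errSecSuccess) {
        NSNumber *flags = ((__bridge NSDictionary *)info)[(__bridge NSString *)kSecCodeInfoFlags];
        trusted = (flags.unsignedIntValue & kSecCodeSignatureRuntime) != 0;
        CFRelease(info);
    } else {
        trusted = NO;
    }
    CFRelease(client);
    return trusted;
}
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (![self isTrustedClient:conn]) { [conn invalidate]; return NO; }
    // Configure exportedInterface / exportedObject for the helper's protocol here.
    [conn resume];
    return YES;
}
@end
```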


Persistence Attempts

macOS Persistence

LaunchAgent

  • Copy persist_launch_agent.plist to ~/Library/LaunchAgents/com.BHIS.user.plist
  • Register it with launchctl load -w ~/Library/LaunchAgents/com.BHIS.user.plist

ZSH/Bash Profile

Cron Job

Terminal Preferences


Data Exfiltration

macOS data exfiltration testing should be similar to that of a traditional C2 assessment.

  • 500 Credit Cards
    • Cleartext in body of email
    • As an attachment with cleartext data
    • As an attachment with base64 encoded data
    • As a zip file with cleartext data
  • 25 Social Security Numbers
    • Cleartext in body of email
    • As an attachment with cleartext data
    • As an attachment with base64 encoded data
    • As a zip file with cleartext data