Project author: CyborgSecurity

Project description:
macOS persistence tool
Language: Python
Repository: git://github.com/CyborgSecurity/PoisonApple.git
Created: 2021-02-27T22:05:20Z
Project page: https://github.com/CyborgSecurity/PoisonApple

License: MIT License

PoisonApple

This is a command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.

Install

Do it up:

  $ pip3 install poisonapple --user

Note: PoisonApple was written and tested using Python 3.9; it should work with Python 3.6+.

Important Notes!

  • PoisonApple makes modifications to your macOS system, so it is advised to only use it on a virtual machine. Although any persistence mechanism technique added with this tool can also be easily removed (-r), please use it with caution!
  • Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
  • To understand how any of these techniques work in depth, please see The Art of Mac Malware, Volume 1: Analysis - Chapter 0x2: Persistence by Patrick Wardle of Objective-See. It’s a fantastic resource.

Usage

See PoisonApple switch options (--help):

  $ poisonapple --help
  usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

  Command-line tool to perform various persistence mechanism techniques on macOS.

  optional arguments:
    -h, --help            show this help message and exit
    -l, --list            list available persistence mechanism techniques
    -t TECHNIQUE, --technique TECHNIQUE
                          persistence mechanism technique to use
    -n NAME, --name NAME  name for the file or label used for persistence
    -c COMMAND, --command COMMAND
                          command(s) to execute for persistence
    -r, --remove          remove persistence mechanism

List of available techniques:

  $ poisonapple --list
  [PoisonApple ASCII art banner]  v0.2.3
  +--------------------+
  | AtJob              |
  +--------------------+
  | Bashrc             |
  +--------------------+
  | Cron               |
  +--------------------+
  | CronRoot           |
  +--------------------+
  | Emond              |
  +--------------------+
  | Iterm2             |
  +--------------------+
  | LaunchAgent        |
  +--------------------+
  | LaunchAgentUser    |
  +--------------------+
  | LaunchDaemon       |
  +--------------------+
  | LoginHook          |
  +--------------------+
  | LoginHookUser      |
  +--------------------+
  | LoginItem          |
  +--------------------+
  | LogoutHook         |
  +--------------------+
  | LogoutHookUser     |
  +--------------------+
  | Periodic           |
  +--------------------+
  | Reopen             |
  +--------------------+
  | Zshrc              |
  +--------------------+

Apply a persistence mechanism:

  $ poisonapple -t LaunchAgentUser -n testing
  [PoisonApple ASCII art banner]  v0.2.3
  [+] Success! The persistence mechanism action was successful: LaunchAgentUser

If no command is specified (-c), a default trigger command is used that appends a timestamp to a file on the Desktop each time the persistence mechanism fires:

  $ cat ~/Desktop/PoisonApple-LaunchAgentUser
  Triggered @ Tue Mar 23 17:46:02 CDT 2021
  Triggered @ Tue Mar 23 17:46:13 CDT 2021
  Triggered @ Tue Mar 23 17:46:23 CDT 2021
  Triggered @ Tue Mar 23 17:46:33 CDT 2021
  Triggered @ Tue Mar 23 17:46:43 CDT 2021
  Triggered @ Tue Mar 23 17:46:53 CDT 2021
  Triggered @ Tue Mar 23 17:47:03 CDT 2021
  Triggered @ Tue Mar 23 17:47:13 CDT 2021
  Triggered @ Tue Mar 23 17:48:05 CDT 2021
  Triggered @ Tue Mar 23 17:48:15 CDT 2021
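
As an added defender-side example (not PoisonApple's own code), the following Python audits a LaunchAgents directory for the kind of entry the LaunchAgentUser technique leaves behind: it parses each plist, pulls out the label, command and run schedule, and flags shell one-liners, short polling intervals and writes into the Desktop for a human to review. The sample plist, its label and its command are constructed assumptions, not the tool's actual output.

```python
import plistlib
from pathlib import Path

# Constructed sample (assumed, not PoisonApple's own output): a user LaunchAgent that appends
# a timestamp to a file on the Desktop at login and then every 10 seconds.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>testing</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
    <string>echo "Triggered @ $(date)" &gt;&gt; ~/Desktop/PoisonApple-LaunchAgentUser</string>
  </array>
  <key>RunAtLoad</key><true/><key>StartInterval</key><integer>10</integer>
</dict></plist>
"""

def summarize_launch_agent(data: bytes) -> dict:
    """Pull out the launchd keys a responder checks first when triaging an agent."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return {
        "label": p.get("Label"),
        "command": " ".join(args),
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "start_interval": p.get("StartInterval"),
    }

def suspicious_reasons(summary: dict) -> list:
    """Cheap review heuristics; each is a prompt for a human look, not proof of malice."""
    reasons = []
    cmd, interval = summary["command"], summary["start_interval"]
    if cmd.startswith(("/bin/sh ", "/bin/bash ", "/bin/zsh ")) and " -c " in cmd:
        reasons.append("shell one-liner passed via -c")
    if interval is not None and interval < 60:
        reasons.append("polls every %ds" % interval)
    if "/Desktop/" in cmd:
        reasons.append("writes into the user's Desktop")
    return reasons

def audit_launch_agents(directory: Path) -> dict:
    """Map every *.plist in directory (e.g. ~/Library/LaunchAgents) to its summary and findings."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        summary = summarize_launch_agent(plist.read_bytes())
        findings[plist.name] = (summary, suspicious_reasons(summary))
    return findings

if __name__ == "__main__":  # on a real Mac: review the current user's agents
    for name, (s, why) in audit_launch_agents(Path.home() / "Library/LaunchAgents").items():
        print(name, s["label"], "|", s["command"], "|", why)
```

The same functions can be pointed at /Library/LaunchAgents and /Library/LaunchDaemons to cover the system-wide LaunchAgent and LaunchDaemon techniques listed above.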

Remove a persistence mechanism:

  $ poisonapple -t LaunchAgentUser -n testing -r
  ...

Use a custom command:

  $ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
  ...