
So without further ado, I'll hand you over to Csaba Fitzl.

Thank you. Can you hear me? Yes, okay. My name is Csaba Fitzl and I will talk about a couple of macOS persistence techniques. I heard that I'm competing with some free beers, so thank you for showing up. I gave the title "Beyond the Good Ol' LaunchAgents" to this talk and you will see soon why. My name is Csaba, I'm working for OffSec, I'm the lead content developer for our macOS Control Bypasses training, which is basically all about macOS exploitation, attacks, some pentesting as well. I also do macOS bug hunting in my free time. I used to be a red/blue teamer before, I'm married, I have two kids, and I'm really into trail running and hiking these days.

So the agenda is: I will go through 10 different techniques that malware or attackers can use on macOS to persist their binary. A little bit of history about how this presentation was born: back in 2014 Patrick Wardle wrote a paper and gave a talk about malware persistence on macOS, and basically that was the most comprehensive list of techniques about all sorts of persistence you can do on macOS. There is a guy called Adam who goes by the handle hexacorn on Twitter and he has a really nice blog series about Windows persistence, and that's called "Beyond good ol' Run key". Now the Run key on Windows is probably the most classic persistence you can have, and macOS malware 99% uses LaunchAgents. LaunchAgents are kind of your Run key on macOS, that's the most classic way to persist anything on macOS, and normally if you have a legit application that's what you use to auto-start. And I started to wonder: okay, we have LaunchAgents, which is mostly used by malware, but can we do better, is there anything else we can use? And then I started the series of blog posts called "Beyond the good ol' LaunchAgents" to mimic the name from hexacorn.
So the blog post series currently has like 30 different techniques and I selected 10 of my favorites, let's say, or some of the more interesting ones.

So the first one is shell startup files. These shell startup files, or configuration files, will be started whenever a shell is launched, like zsh, bash, sh and so on. On macOS, when you launch Terminal, the default shell is zsh nowadays, but it used to be bash before that. So whenever Terminal is launched by the user, a shell session is started, and some of the shell startup files will be read and executed. Now there are many, many configuration files for shell environments and I find it hard to remember which one is read when, because it depends: if you have an interactive shell then different files are used, if you have a login shell then different files will be read, and so on. But probably some of the most common ones are .zshrc, .bashrc, .zshenv and .zlogin, which is for example read when you have a login shell, and so on. These are normally under your home directory, but some of the global ones can be found in the /etc directory; obviously you need to have root access to edit the global ones.

Now the interesting thing is, when Terminal is started on macOS, the shell environment will inherit Terminal's permissions. On macOS we have this concept of TCC privacy, where you can granularly control, for each application, what sorts of private resources it can access, like microphone, camera, documents, your contacts and so on. These can be controlled one by one for each application, just like on your iPhone; you can do it on a Mac as well. And there is a very powerful one called Full Disk Access: if you have that, you basically have most of the others as well. And typically power users, developers, or just more advanced people give Terminal the Full Disk Access permission for convenience, because they use it for many, many things. Now if you persist through these startup files, your shell environment will inherit the permissions of Terminal and basically you will have access to all of those private resources Terminal has access to as well. And also, if you manage to overwrite that file somehow, that's also a sandbox escape, because Terminal runs outside the sandbox.

Now how can we detect this as blue teamers? Probably the simplest one is to monitor for the change of these files. There might be many false positives, because power users might use it for legit reasons to set up their configurations, etc., but still that's probably the most obvious way to detect this. Also we can monitor for chsh execution, which can change the default shell on macOS, and also the chpass executable.

So let's go to the next one, which is Pluggable Authentication Modules, PAM. Now PAM comes from Red Hat origin, but nowadays you can find this on most *nix based systems: Linux, Unix, BSD and macOS, because macOS has some BSD origins. So this will work more universally, just like the previous one will also work on Linux or other *nix based systems. So PAM allows you to install external authentication/authorization plugins which will be used by the system. Now it supports four different facilities: authentication, account, session, password management and so on, and the configuration files for PAM can be found under the /etc/pam.d directory. Now a configuration file looks like this; the one on the screen is for sshd, the SSH daemon. There is one column for the facility, there is one for the policy and then there is one column for the actual module, which can be your own external module. Now the facility has various options, like auth, account and so on, and then the policy field can be set to required, optional, sufficient and so on, and that will handle the actual policy differently. So if it's set to required, if it fails then the result of the operation will fail; if it's optional then its result will be ignored if there is another required one; a sufficient one, if it succeeds, then no further policy checks will happen. And there is a default pam_permit which is like "success everything".

So how can we persist using this file? Again we can use our own module, or if you want to backdoor, let's say, sudo, we can just say okay, pam_permit is sufficient, put it on the first line, and whenever we type in sudo it will always succeed. But again we can load our own. And the reason we can load our own library is because the services have the com.apple.private.security.clear-library-validation entitlement, which allows them to load external libraries.

How can we detect this? Now first of all, I think since macOS Big Sur or Monterey Apple locked down these files, so you need to have some TCC bypass exploits to actually modify these files. So even if you have root access you cannot change these files, you need to bypass the privacy protection of macOS to update them. But if you manage to do so, then again we can detect the change of these files. There might be false positives, but I think that's less common; probably these are one-off events when you install a third-party software for authentication or maybe an external smart card reader, but that's not something that happens every day. And also we can monitor for weird dylibs, which are the DLLs on macOS, or just weird modules being loaded into sshd, sudo or any of the processes that we can configure through PAM.

So the next persistence is Hammerspoon. Hammerspoon is a third-party application, so it's not a macOS system-specific persistence, but more like an application-based persistence. Hammerspoon, when we launch the application, will look for this init.lua file, which is a Lua script, and will execute it whenever the application is launched. We can basically call hs.execute and we can put in our own shell commands we want to execute, and they have more examples on their website of what you can do with this script. Also Hammerspoon has some really nice entitlements which allow it to access your camera, your microphone and so on. So if you inject anything into this script and launch Hammerspoon, the script will inherit Hammerspoon's permissions, and if the user provided camera access then you can access the camera from your binary. So it also opens the door for some privacy bypasses using this application. Detection: again, changing of the init.lua file, or simply looking for some weird child processes of Hammerspoon.
Next one is preference panes. Preference panes are basically plugins to System Preferences. So on macOS we have System Preferences, or on the new versions it's called System Settings, where you can install your own little plugin which would normally allow you to configure or set some preferences for your own application. So this is a legit system functionality, and we can also plant a malicious preference pane in the Library/PreferencePanes directory and that will be loaded by the system. Now the hard thing about this is that the user actually has to open the preference pane in order for it to be started, so it's not perfect, but still it's an option. We can create a preference pane bundle, and in the initWithBundle function which we implement we can put our own code, and that's it basically; it will be loaded by the legacyLoader process. And for detection we can monitor for new files being dropped in the PreferencePanes directory, either in the user home directory or the global PreferencePanes directory, or look for weird modules loaded by the legacyLoader process.

Next one is screen savers. Screen savers on macOS have been very well documented by Leo Pitt (d00mfist) in his blog post. Basically screen savers on macOS are also bundles, having the .saver extension, and they are placed under the Library/Screen Savers directory, and the system will read the screen savers from there. Now screen savers have many, many functions they implement; Xcode, the developer environment for macOS, has a template project for it with all the functions pre-populated, and basically we can put our code in those functions, in all of them or in one of them as we wish. Basically when the screen saver window is loaded, or the preview, the small preference setting where you can see all the installed screen savers, then your bundle will be loaded, and again it will be loaded by the legacyScreenSaver process, which is unfortunately sandboxed with not too many rights. So if you choose persisting using a screen saver on macOS, it's not perfect, because we will not have too many rights as part of that. But for detection, again we can monitor the Library/Screen Savers directory, or again files loaded by the legacyScreenSaver process. I would also say we can monitor for new .saver bundles just to see if the user downloaded a screen saver and so on.

Color Pickers is the next one. What are Color Pickers? Now when I first ran into this or heard about this one, I had no idea what it is; the second, when I learned okay, I know now what it is, I didn't know that you can make your own basically. So Color Pickers are these small windows where you can select a color for your font, for your background, or whatever, basically an option to choose a color for whatever you need. Turns out that these are bundles, and also that you can create your own Color Picker, and they are located, surprisingly, in the Library/ColorPickers directory. Similarly to the previous ones they are also bundles, having the .colorPicker extension. Now on macOS, what bundles are: directories with some special files inside, including the binary itself. It will be loaded by the LegacyExternalColorPickerService process, and unfortunately it's also sandboxed, again with not too many rights. So if you persist this way you need a way to always escape the sandbox, which is not convenient, but again it's an option. Detection, just as the others: we can monitor for new Color Pickers, or again files loaded by the LegacyExternalColorPickerService, or any new Color Picker bundle. I don't think that this is something really common; when I tried to search for it I found some really, really old GitHub projects with simple code on how to write a Color Picker and what functions you need to implement. I haven't found anything recent, let's put it that way.

Next one, the seventh, is periodic scripts, one of my favorites actually. This is again something that comes from the BSD world, it has a FreeBSD origin, and that's where it came from to macOS. So these periodic scripts are maintenance scripts executed by the operating system; they can run either daily, weekly or monthly. For example there is a maintenance script to clear the tmp folder, so that's one example, but there are a couple of those and they are organized to run daily, weekly, monthly. It will be executed by the periodic bash script, which is launched by the periodic-wrapper binary, but eventually all of them have their own launchd configuration file. Now the periodic scripts are located under the /etc/periodic directory and there is a daily, weekly, monthly subdirectory with all the various scripts. The periodic script configuration file, /etc/defaults/periodic.conf, contains an additional location for periodic scripts, which is under /usr/local/etc/periodic, which you can also use freely.

Now interestingly, up to macOS 11.5 there was a local privilege escalation vulnerability if you had Homebrew installed as well. Homebrew is a packaging utility for macOS which allows you to easily install various binaries through the command line, like brew install your package, and that's it, just like on Linux you can do apt-get install. Now the problem with Homebrew is that it creates the /usr/local directory to be owned by the main user, so you don't need to have root level access to put anything inside, but these scripts were normally run as root. So if you had Homebrew installed, you could put a script there as the user and that would be executed as root at one point in time. Now what Apple did to fix it, although it really wasn't their fault, it was really Homebrew messing up the permissions, what Apple did is now they check the owner of the periodic script and they will execute it as the owner of the script. So even if you are the user putting the script there, it will be executed as the user and not as root.

Now there are still options to persist using other locations, using periodic scripts like /etc/daily.local and so on. And actually yesterday I learned that the periodic.conf file is a shell script in itself, so you can change the config file, put your own code, and that will be executed as well. So the config file is a shell script. How to detect this persistence: change or any new periodic config file, change of any of the scripts, any of the folders containing these scripts, or just weird processes launched by periodic. So macOS comes with a set of these scripts, not that many, so you can easily build a list of what's normally being executed and basically anything else is likely malicious. I don't think that this is really used by third-party applications to put their stuff there.

Next one is Terminal preferences. Terminal in its preferences contains an option for a startup command, which is basically a shell command. So what you can do is, whenever you launch Terminal, you can run a custom command you want. This is a bit similar to the shell startup files, but this is something set inside Terminal's preferences. This command can be found in Terminal's preferences file, which is under ~/Library/Preferences/com.apple.Terminal.plist, and basically you can put your own shell command there. Detection: really the modification of this file.

Next one is emond, which is the event monitor daemon. There have been two very good works on emond, describing how it works and what it can do: the first one from James Reynolds and the next is from Chris Ross. It's a bit of a complicated process to get it to persist. Basically the first thing is that the event monitor daemon is only started if there is any file under the /private/var/db/emondClients directory, so first we need to put a file there, because if we don't it won't even be started. Next, we need to create a rule under the /etc/emond.d/rules directory; the rule file will define what the event monitor daemon will do under certain events. So let's say there is a network event, or there is a login event, or some startup event, then we can set up what emond will do in that case, so we need to create a new rule for that. And also we have the emond config file, which is not a script, it's a plist file, where we can set additional paths for the rules. Now this is how a rule would look like; this is a property list file, since everything on macOS is configured through plist files really, which is either XML or binary format, but the XML is the more readable one; you can also get like a JSON output from this. But basically what we have here is we have an event type, startup, so that's when the system starts up, and then we have an action, which is a type of command, and we can say okay, we run a bash command as the root user, and we can give some arguments to the bash command, and that will be executed when the system starts up. Since this is under the /etc directory, all these rules and the configuration, obviously you need to have root access. Now detection-wise: again any new files in the emondClients directory, because that's the very first thing we need for the process to even start; new or changed files in the rules directory; change of the config file, because in the config file someone can set additional paths for the rules; and again child processes of emond. Now this daemon is so under-documented, and really no one used it, that it's simply gone: in the latest macOS version, Ventura, which came out last October, this is entirely gone, so we cannot use it anymore.

And the last one is Folder Actions. Folder Actions were first detailed by Cody Thomas for red teaming purposes. Basically we can set up Finder, the default file manager in macOS, to monitor certain folders and run a script or run an action when there is a change or something happens in those folders. Now the scripts are located in the Library/Scripts/Folder Action Scripts directory, and the config file can be found in the com.apple.FolderActionsDispatcher.plist file. And this plist file, the property list file, is not nice: it contains other embedded plists, which contain other embedded plists, encoded, so it's like a pain to read it, but it can be done. Now the way normally a user creates Folder Actions is through the GUI, and when Cody Thomas documented this technique he also showed it through the GUI, how you can set up Folder Actions through the GUI. But I was really after, okay, how can I set it up without any user interaction, can it be done at all, maybe not, because on macOS many things that you can set up are tied to user interactions. So maybe it does not work; turns out we can do that. So first we need to create the directory for the scripts, we need to copy our script there which is configured to run, then we need to make a directory which we will monitor, or what we want Finder to monitor for us, and then we need to configure the preferences for the Folder Actions. Now the easiest way is probably to use a Mac device, set up Folder Actions, and just copy that preference file to another one, unless you want to deal with the plist and with the embedded plists; so I found the lazy way of doing this. So once it's done, so you have all the preferences, all the scripts set up, it still will not work; you need to actually kick it in. So we need to open the Folder Actions Setup application, which will do some other stuff to make it start, and we need to kill the Folder Actions Setup application. So we really don't need user interaction: we need to start the application and then kill it, because we don't want the user to see it at all. Also, if our scripts want to do any privacy bypass, it's allowed to prompt the user, and what is nice is that the system will say that hey, the Folder Actions Dispatcher would like to do something, and it will hide the script behind basically, so the user will not see the real script or your process behind the action, which is nice. Detection: any new or changed files in the Folder Action Scripts directory, change of the Folder Actions Dispatcher config file, and all these scripts are launched by the com.apple.foundation.UserScriptService process, so we can monitor for those as well.
Conclusion. So although these persistences might not be perfect, so they are not as good as a LaunchDaemon or as a Run key on Windows, because they are either sandboxed, or you need to have root access, or maybe you need to bypass TCC for some of them, they can still work in many cases. And actually I mentioned that yesterday I learned that the periodic config file is a script; turns out that the man page configuration file is a script, the SNMP configuration file is a script, and there is also another script which is run by auditd. And since this stuff is coming from the *nix world, so the auditd, SNMP, the man page, these are all coming from BSD, these all apply to BSD as well, not just macOS. I think there is more to explore, but even today, so I don't usually dissect malware myself, but I try to read the write-ups at least, they are still mostly using launchd to persist. But yeah, if you are interested, follow my blog, I will post some new ones next week with all these SNMP and all these config files which are really scripts, which is nice. So that was all from me, I'm not sure if there are any questions.
Thank you. Do you use any tool for monitoring all these config files in the folders?

Yes, there is a, not for all of these, but there is a utility written by Patrick Wardle, who does a lot of macOS malware research, who did the original white paper on malware persistence, and he has a tool called BlockBlock which monitors many of these locations for persistence and will alert you for basically all of these. Also he has a utility called KnockKnock, which will scan your Mac for not all of these but for many of these items, but you need to run it on demand, so it's not always on.

Thank you. Anything else, anybody? If not, then Csaba, thank you very much.

Thank you.
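As an added example that is not part of the talk and not the speaker's or anyone's published tooling: a small baseline-and-diff checker over the persistence locations the talk names (shell startup files, Terminal and Folder Actions preferences, Hammerspoon's init.lua, /etc/pam.d, periodic scripts, emond, preference panes, screen savers, color pickers). The watched-path list and the sample file contents are assumptions constructed from the talk, and the demo builds them in a temporary directory so it runs offline without touching a real system.

```python
import hashlib
import tempfile
from pathlib import Path

# Locations the talk names, relative to a root. "~/" entries live under the user
# home, the rest are system-wide. Paths are assumptions taken from the talk.
WATCHED = [
    "~/.zshrc", "~/.zshenv", "~/.zlogin", "~/.bashrc",
    "~/Library/Preferences/com.apple.Terminal.plist",
    "~/Library/Preferences/com.apple.FolderActionsDispatcher.plist",
    "~/Library/Scripts/Folder Action Scripts",
    "~/.hammerspoon/init.lua",
    "etc/pam.d", "etc/periodic", "etc/defaults/periodic.conf",
    "etc/daily.local", "etc/emond.d/rules", "private/var/db/emondClients",
    "Library/PreferencePanes", "Library/Screen Savers", "Library/ColorPickers",
]


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path, home: Path) -> dict:
    """Map every watched file (path relative to root) to its SHA-256."""
    state = {}
    for entry in WATCHED:
        base = home / entry[2:] if entry.startswith("~/") else root / entry
        files = [base] if base.is_file() else list(base.rglob("*")) if base.is_dir() else []
        for f in files:
            if f.is_file():
                state[str(f.relative_to(root))] = _digest(f)
    return state


def diff(old: dict, new: dict) -> dict:
    """Classify changes between two snapshots; each bucket is a sorted path list."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and old[p] != new[p]),
    }


def demo() -> dict:
    """Build a constructed mini filesystem, baseline it, apply three changes, diff."""
    root = Path(tempfile.mkdtemp())
    home = root / "Users" / "alice"
    seed = {  # constructed sample contents, not copies of real system files
        home / ".zshrc": "export PATH=$HOME/bin:$PATH\n",
        root / "etc/pam.d/sudo": "auth sufficient pam_smartcard.so\nauth required pam_opendirectory.so\n",
        root / "etc/periodic/daily/110.clean-tmps": "#!/bin/sh\n# stock cleanup script\n",
        root / "etc/defaults/periodic.conf": 'daily_clean_tmps_enable="YES"\n',
    }
    for p, text in seed.items():
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    baseline = snapshot(root, home)
    # Three events a monitor should flag (benign marker content only):
    (home / ".zshrc").write_text("export PATH=$HOME/bin:$PATH\necho MARKER\n")  # startup file edited
    bundle = root / "Library/ColorPickers/Demo.colorPicker/Contents"
    bundle.mkdir(parents=True)
    (bundle / "Info.plist").write_text("<plist/>\n")                             # new picker bundle
    (root / "private/var/db/emondClients").mkdir(parents=True)
    (root / "private/var/db/emondClients/demo").write_text("")                  # emond trigger file
    return diff(baseline, snapshot(root, home))


if __name__ == "__main__":
    print(demo())
```

On a real host the same snapshot/diff pair would be run against the actual root and home with the baseline stored out of band; a change in any bucket is a lead to triage, not proof of compromise, since power users legitimately edit several of these files.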