PoisonApple: macOS Persistence Tool



A command-line tool to perform various persistence mechanism techniques on macOS.





Installation:

$ pip3 install poisonapple --user

Note: PoisonApple was written and tested with Python 3.9 and should work on Python 3.6+.


Caution!

  • PoisonApple makes modifications to your macOS system, so it is recommended to use it only inside a virtual machine. Although any persistence mechanism technique added with this tool can just as easily be removed (-r), use it with care.

  • Note: this tool may cause common AV / EDR / other macOS security products to generate alerts.

Usage

$ poisonapple --help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

Command-line tool to perform various persistence mechanism techniques on macOS.

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            list available persistence mechanism techniques
  -t TECHNIQUE, --technique TECHNIQUE
                        persistence mechanism technique to use
  -n NAME, --name NAME  name for the file or label used for persistence
  -c COMMAND, --command COMMAND
                        command(s) to execute for persistence
  -r, --remove          remove persistence mechanism


$ poisonapple --list
[PoisonApple ASCII-art banner] v0.2.1
+--------------------+
| AtJob              |
+--------------------+
| Bashrc             |
+--------------------+
| Cron               |
+--------------------+
| CronRoot           |
+--------------------+
| Emond              |
+--------------------+
| LaunchAgent        |
+--------------------+
| LaunchAgentUser    |
+--------------------+
| LaunchDaemon       |
+--------------------+
| LoginHook          |
+--------------------+
| LoginHookUser      |
+--------------------+
| LoginItem          |
+--------------------+
| LogoutHook         |
+--------------------+
| LogoutHookUser     |
+--------------------+
| Periodic           |
+--------------------+
| Reopen             |
+--------------------+
| Zshrc              |
+--------------------+


Adding a persistence mechanism:


$ poisonapple -t LaunchAgentUser -n testing
[PoisonApple ASCII-art banner] v0.2.1
[+] Success! The persistence mechanism action was successful: LaunchAgentUser


If no command (-c) is specified, a default trigger command is used, which appends a line to a file on the Desktop each time the persistence mechanism fires:


$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021


Removing a persistence mechanism:


$ poisonapple -t LaunchAgentUser -n testing -r


Custom command:


$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
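From the defender's side, the LaunchAgentUser technique shown above leaves a plist in the user's ~/Library/LaunchAgents directory, and the ~10-second cadence of the trigger file suggests a short launchd StartInterval. The following script is an added example (not PoisonApple's own code) that parses launchd plists with the standard plistlib module and flags the combination of an inline shell command, a short interval, and RunAtLoad; the sample plist, the SHELL_INTERPRETERS set and the scoring rules are my assumptions, not taken from the tool.

```python
import plistlib
from pathlib import Path

# Interpreters whose "-c" argument carries an arbitrary inline command.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript"}

def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and return the indicators a defender cares about."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [data.get("Program", "")])
    exe = Path(args[0]).name
    findings = {
        "label": data.get("Label", ""),
        "program": exe,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "start_interval": data.get("StartInterval"),
        "inline_shell_command": exe in SHELL_INTERPRETERS and "-c" in args,
        "reasons": [],
    }
    if findings["inline_shell_command"]:
        findings["reasons"].append("interpreter runs an inline -c command")
    if findings["start_interval"] is not None and findings["start_interval"] < 60:
        findings["reasons"].append(f"fires every {findings['start_interval']}s")
    if findings["run_at_load"]:
        findings["reasons"].append("RunAtLoad is set")
    findings["suspicious"] = bool(findings["reasons"])
    return findings

def scan_launch_agents(directory=None) -> list:
    """Audit every .plist in a LaunchAgents directory (for use on a real macOS host)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    return [audit_launch_agent(p.read_bytes()) for p in directory.glob("*.plist")]

# Constructed sample (an assumption, not the file PoisonApple actually writes): a user
# LaunchAgent that appends a timestamp to a Desktop file every 10 seconds.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>testing</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>echo "Triggered @ $(date)" &gt;&gt; ~/Desktop/PoisonApple-LaunchAgentUser</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>10</integer>
</dict></plist>"""

if __name__ == "__main__":
    for f in [audit_launch_agent(SAMPLE_PLIST)] + scan_launch_agents():
        print(f["label"], "SUSPICIOUS" if f["suspicious"] else "ok", "; ".join(f["reasons"]))
```

On a real host, pair this with a check of the other locations the tool's technique list names (crontab, ~/.bashrc and ~/.zshrc, /etc/periodic, LoginHook/LogoutHook settings and emond rules), since a plist audit only covers the launchd-based techniques.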


This article was originally published on the WeChat official account Khan安全攻防实验室 (Khan Security Offense and Defense Lab): PoisonApple: macOS Persistence Tool
