Offensive MacOS
This is a collection of macOS specific tooling, blogs, and other related information for offensive macOS assessments.
If you find something that's not on here, open an issue or a merge request and we can get it added.
Tools
JavaScript for Automation (JXA)
- https://github.com/D00MFist/PersistentJXA
- https://github.com/D00MFist/Custom_URL_Scheme
- https://github.com/D00MFist/InjectCheck
- https://github.com/D00MFist/Dylib-Hijack-Scanner
- https://github.com/its-a-feature/Orchard
- https://github.com/its-a-feature/HealthInspector
- https://github.com/FSecureLABS/CalendarPersist
- https://github.com/cedowens/JXA-RemoveQuarantine
C2 Frameworks/Agents
- https://github.com/mishmashclone/BC-SECURITY-Empire
- latest branch of the Empire framework with a Python-based payload for macOS
- https://github.com/cedowens/MacShellSwift
- https://github.com/cedowens/MacShell
- https://github.com/its-a-feature/Mythic/tree/master/Payload_Types/apfell/agent_code
- JXA agent for the Mythic framework
- https://github.com/its-a-feature/Mythic/tree/master/Payload_Types/poseidon/agent_code
- Golang agent for the Mythic framework that uses a lot of CGO with macOS API calls
- https://github.com/Marten4n6/EvilOSX
- https://github.com/neoneggplant/EggShell
Binaries
- https://github.com/cedowens/SwiftBelt
- Swift tool for doing safety checks on a macOS host for red teaming
- https://github.com/xorrior/xpcutil
- Tool for sending XPC messages to launchd
- https://github.com/Tyilo/insert_dylib
- Tool for injecting dylib weak/strong headers into a Mach-O binary
- https://github.com/its-a-feature/bifrost
- Tool for interacting with Kerberos on macOS
Other
- https://github.com/cedowens/Mythic-Macro-Generator
- tool to generate Microsoft Office Macros for running Mythic's apfell payload
- https://github.com/cedowens/macOS-browserhist-parser
- tool for parsing macOS browser history on disk
- https://github.com/xorrior/macOSTools
- repo of a lot of macOS tooling
- https://github.com/its-a-feature/macos_execute_from_memory
- starter code to run macos code from memory
- https://github.com/herrbischoff/awesome-macos-command-line
- Lots of commandline based actions that aren't necessarily offensive, but can be pretty handy
- http://newosxbook.com/ent.jl
- Web resource of entitlements for macOS binaries
- https://github.com/ahhh/macOS_profiles
- Collection of macOS configuration profiles for penetration testing and red teaming
Blogs
- https://theevilbit.github.io/posts/getting_started_in_macos_security/
- Great intro blog that calls out a bunch of awesome resources
- https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/
- https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
- https://wojciechregula.blog/post/abusing-electron-apps-to-bypass-macos-security-controls/
- https://scriptingosx.com/2018/04/demystifying-root-on-macos-part-1/
- https://www.xorrior.com/
- https://www.dssw.co.uk/reference/authorization-rights/
- https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/
- https://blog.xpnsec.com/bypassing-macos-privacy-controls/
- http://lockboxx.blogspot.com/2019/10/macos-red-teaming-211-dylib-hijacking.html
- https://theevilbit.github.io/posts/
- https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c
- https://posts.specterops.io/sparkling-payloads-a2bd017095c
- https://posts.specterops.io/audio-unit-plug-ins-896d3434a882
- https://posts.specterops.io/no-place-like-chrome-122e500e421f
- https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65
- https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d