Command-line tool to perform various persistence mechanism techniques on macOS.
Project description
PoisonApple
This is a command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
Install
Do it up:
$ pip3 install poisonapple --user
Note: PoisonApple was written and tested with Python 3.9; it should work with Python 3.6+.
Important Notes!
- PoisonApple will make modifications to your macOS system; it is advised to only use PoisonApple on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (-r), please use with caution!
- Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
- To understand how any of these techniques work in depth, please see The Art of Mac Malware, Volume 1: Analysis - Chapter 0x2: Persistence by Patrick Wardle of Objective-See. It's a fantastic resource.
Usage
See PoisonApple switch options (--help):
$ poisonapple --help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]
Command-line tool to perform various persistence mechanism techniques on macOS.
optional arguments:
-h, --help show this help message and exit
-l, --list list available persistence mechanism techniques
-t TECHNIQUE, --technique TECHNIQUE
persistence mechanism technique to use
-n NAME, --name NAME name for the file or label used for persistence
-c COMMAND, --command COMMAND
command(s) to execute for persistence
-r, --remove remove persistence mechanism
List of available techniques:
$ poisonapple --list
, _______ __
.-.:|.-. | _ .-----|__|-----.-----.-----.
.' '. |. | | | | |__ --| | | | |
'-."~". .-' |. ____|_____|__|_____|_____|__|__|
} ` } { |: | _______ __
} } } { |::.| | _ .-----.-----| |-----.
} ` } { `---' |. | | | | | | | -__|
.-'"~" '-. |. _ | __| __|__|_____|
'. .' |: | |__| |__|
'-_.._-' |::.|:. |
`--- ---' v0.2.3
+--------------------+
| AtJob |
+--------------------+
| Bashrc |
+--------------------+
| Cron |
+--------------------+
| CronRoot |
+--------------------+
| Emond |
+--------------------+
| Iterm2 |
+--------------------+
| LaunchAgent |
+--------------------+
| LaunchAgentUser |
+--------------------+
| LaunchDaemon |
+--------------------+
| LoginHook |
+--------------------+
| LoginHookUser |
+--------------------+
| LoginItem |
+--------------------+
| LogoutHook |
+--------------------+
| LogoutHookUser |
+--------------------+
| Periodic |
+--------------------+
| Reopen |
+--------------------+
| Zshrc |
+--------------------+
Apply a persistence mechanism:
$ poisonapple -t LaunchAgentUser -n testing
[+] Success! The persistence mechanism action was successful: LaunchAgentUser
If no command is specified (-c), a default trigger command is used, which appends a timestamped line to a file on the Desktop every time the persistence mechanism is triggered:
$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021
Remove a persistence mechanism:
$ poisonapple -t LaunchAgentUser -n testing -r
...
Use a custom command:
$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
...
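As an added verification helper (not part of PoisonApple and not the project's own code), the script below checks that the LaunchAgentUser persistence created above actually landed and parses the default trigger log to measure the firing cadence. It assumes the technique drops a standard launchd plist under ~/Library/LaunchAgents; the sample plist and log lines are constructed, with the log lines following the format shown above.

```python
# Added verification helper, not PoisonApple's own code. Assumptions (not
# stated on the page): the LaunchAgentUser technique drops a standard launchd
# plist under ~/Library/LaunchAgents with Label/ProgramArguments/StartInterval.
from __future__ import annotations
import plistlib
from datetime import datetime
from pathlib import Path

TRIGGER_PREFIX = "Triggered @ "

def describe_agent(plist_bytes: bytes) -> dict:
    """Pull out the fields a detection rule would key on from a launchd plist."""
    p = plistlib.loads(plist_bytes)
    return {"label": p.get("Label"),
            "program": " ".join(p.get("ProgramArguments", [])),
            "run_at_load": bool(p.get("RunAtLoad", False)),
            "interval": p.get("StartInterval")}

def find_agent(label: str, agents_dir: Path = Path.home() / "Library/LaunchAgents") -> dict | None:
    """Locate the per-user LaunchAgent whose Label matches the -n name given to PoisonApple."""
    for plist in agents_dir.glob("*.plist"):
        info = describe_agent(plist.read_bytes())
        if info["label"] == label:
            info["path"] = str(plist)
            return info
    return None

def trigger_intervals(log_text: str) -> list[float]:
    """Parse the default trigger log and return seconds between consecutive firings."""
    stamps = []
    for line in log_text.splitlines():
        if not line.startswith(TRIGGER_PREFIX):
            continue
        tokens = line[len(TRIGGER_PREFIX):].split()
        del tokens[4]  # drop the zone abbreviation (e.g. CDT); strptime's %Z is locale-bound
        stamps.append(datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y"))
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]

# Constructed sample: a plist shaped like what the technique might drop with -n testing
SAMPLE_PLIST = plistlib.dumps({
    "Label": "testing",
    "ProgramArguments": ["/bin/sh", "-c", 'echo "Triggered @ $(date)" >> ~/Desktop/PoisonApple-LaunchAgentUser'],
    "RunAtLoad": True, "StartInterval": 10})
# Constructed sample log in the README's line format; the last gap shows a missed firing
SAMPLE_LOG = "\n".join(["Triggered @ Tue Mar 23 17:46:02 CDT 2021", "Triggered @ Tue Mar 23 17:46:13 CDT 2021",
                        "Triggered @ Tue Mar 23 17:46:23 CDT 2021", "Triggered @ Tue Mar 23 17:48:05 CDT 2021"])

if __name__ == "__main__":
    print(describe_agent(SAMPLE_PLIST), find_agent("testing"))
    print(trigger_intervals(SAMPLE_LOG))  # [11.0, 10.0, 102.0]
```

Gaps much larger than StartInterval in the returned list mean the agent was unloaded, the machine slept, or a security product blocked the job; on a real run, `find_agent` reports the plist path and the exact program a detection rule should match on.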
File details
Details for the file poisonapple-0.2.3.tar.gz
File metadata
- Download URL: poisonapple-0.2.3.tar.gz
- Size: 9.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.26.0 requests-toolbelt/0.9.1 urllib3/1.26.6 tqdm/4.62.3 importlib-metadata/4.10.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
Algorithm | Hash digest
---|---
SHA256 | 81f494982e750368046bf139acbb17c5b9f90f065bfe54ee62b4ec9ec704bb40
MD5 | ec5e3646bd5a20a5e8632d4825e40b5c
BLAKE2b-256 | 7a25885ea3ef1048b598c07c065a5bb8877a42c30ed9c0f91ddbcd209ac4f293