├── LICENSE
└── README.md

/LICENSE:

BSD 3-Clause License

Copyright (c) 2023, Mythic Meta Configuration Information

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/README.md:

# macOS Pop-Ups

This repo serves as a collection of Red Team techniques and administrative tasks for various macOS versions that cause popups: what those popups look like, what permissions are being requested, where they are stored, and, hopefully, how to check for them before causing popups.

All scenarios consider a basic macOS host with userA, userB, and root users.

When testing, you can reset the permissions back to default with `tccutil reset All`, or you can specify a specific service. All TCC information for the current user is saved in an SQLite database located at `~/Library/Application Support/com.apple.TCC/TCC.db`.

# Table of Contents
- [macOS Mojave (10.14)](#macos-mojave)
  - [InterProcess Apple Events](#interprocess-apple-events)
- [macOS Catalina (10.15)](#macos-catalina)
  - [File Accesses](#file-accesses)
  - [Auto Approved Accesses](#auto-approved-accesses)

## macOS Mojave

### InterProcess Apple Events

## macOS Catalina

- Using ObjC APIs to capture the screen causes a popup for `"Terminal.app" would like to record this computer's screen`. To approve it, the user must go to System Preferences, Screen Recording, and select the checkbox next to `Terminal.app`. Even then, `Terminal.app` will not be able to record the contents of your screen until it is quit; a dialog box saying so is presented to the user.
- Using ObjC APIs to read the clipboard seems fine.
- Using AppleScript to read security settings from System Events causes a popup for `"Terminal.app" wants access to control "System Events.app". Allowing control will provide access to documents and data in "System Events.app", and to perform actions within that app"`. Provides a simple "OK" or "Don't Allow" box. Adds a new "Automation" TCC entry with a specific pairing for "Terminal" and "System Events.app".

### File Accesses
| Current User | Process | Path | Popup | TCC permission | Details | Version |
| ------------ | ------- | ---- | ----- | -------------- | ------- | ------- |
| userA | ls | ~/Desktop | "Terminal.app" would like to access files in your Desktop folder. | Files and Folders | Specific pairing between Terminal and Desktop Folder | 10.15.2 |
| userA | ls | ~/Downloads | "Terminal.app" would like to access files in your Downloads folder. | Files and Folders | Specific pairing between Terminal and Downloads Folder | 10.15.2 |
| root | osascript using ObjC APIs from Terminal.app | /Users/userA/Library | "Terminal.app" would like to access your reminders | Reminders | Entry for Terminal for Reminders | 10.15.2 |

### Auto Approved Accesses
| binary | TCC permission | Details | version |
| ------ | -------------- | ------- | ------- |
| sshd-keygen-wrapper | Full Disk Access | Enabling "Remote Login" via Sharing for SSH access | 10.15.2 |
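The intro says the goal is to check for existing grants before triggering a popup, and the tables above record which service/client pairing each scenario creates. As an added example that is not part of this repo, the Python below reads a TCC.db `access` table (a subset of the Catalina schema is assumed; the service identifiers are the real kTCCService names, and the `auth_value` meanings are assumed from that schema) and reports, for Terminal, whether a given scenario is already allowed, already denied, or would still prompt; constructed sample rows stand in for the real database.

```python
import sqlite3
from pathlib import Path
# Assumed subset of the Catalina TCC.db `access` table; the real table has more columns.
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
    indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED')"""

# TCC service identifiers behind the README's scenarios.
SERVICES = {
    "desktop": "kTCCServiceSystemPolicyDesktopFolder",
    "downloads": "kTCCServiceSystemPolicyDownloadsFolder",
    "screen": "kTCCServiceScreenCapture",
    "reminders": "kTCCServiceReminders",
    "automation": "kTCCServiceAppleEvents",  # pairing target lives in indirect_object_identifier
}
AUTH = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}  # assumed auth_value meanings

def open_tcc(path=None, rows=()):
    """Open a real TCC.db read-only, or build an in-memory one from constructed rows."""
    if path is not None:
        return sqlite3.connect(f"file:{Path(path).expanduser()}?mode=ro", uri=True)
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    return db

def grants_for(db, client="com.apple.Terminal"):
    """Map (service, indirect object) -> auth_value for one client bundle id (an audit view)."""
    cur = db.execute("SELECT service, indirect_object_identifier, auth_value "
                     "FROM access WHERE client = ?", (client,))
    return {(service, obj): value for service, obj, value in cur}

def tcc_state(grants, action, target="UNUSED"):
    """'prompt' if no decision is stored (a popup would appear), else the stored decision."""
    value = grants.get((SERVICES[action], target))
    return "prompt" if value is None else AUTH.get(value, "unknown")

# Constructed rows: Desktop allowed, System Events automation allowed, screen recording denied.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyDesktopFolder", "com.apple.Terminal", 0, 2, 2, "UNUSED"),
    ("kTCCServiceAppleEvents", "com.apple.Terminal", 0, 2, 2, "com.apple.systemevents"),
    ("kTCCServiceScreenCapture", "com.apple.Terminal", 0, 0, 2, "UNUSED"),
]
if __name__ == "__main__":
    grants = grants_for(open_tcc(rows=SAMPLE_ROWS))
    for action in SERVICES:
        target = "com.apple.systemevents" if action == "automation" else "UNUSED"
        print(f"{action:<10} {tcc_state(grants, action, target)}")
```

Point `open_tcc` at `~/Library/Application Support/com.apple.TCC/TCC.db` to check a live user database; on Catalina that file is itself TCC-protected, so the read fails unless the calling app already holds Full Disk Access.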