├── LICENSE
└── README.md

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2023, Mythic Meta Configuration Information

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Offensive MacOS

This is a collection of macOS-specific tooling, blogs, and other related information for offensive macOS assessments.

If you find something that's not on here, open an issue or a merge request and we can get it added.

## Tools

### JavaScript for Automation (JXA)
* https://github.com/D00MFist/PersistentJXA
* https://github.com/D00MFist/Custom_URL_Scheme
* https://github.com/D00MFist/InjectCheck
* https://github.com/D00MFist/Dylib-Hijack-Scanner
* https://github.com/its-a-feature/Orchard
* https://github.com/its-a-feature/HealthInspector
* https://github.com/FSecureLABS/CalendarPersist
* https://github.com/cedowens/JXA-RemoveQuarantine

### C2 Frameworks/Agents
* https://github.com/mishmashclone/BC-SECURITY-Empire
  * Latest branch of the Empire framework with a Python-based payload for macOS
* https://github.com/cedowens/MacShellSwift
* https://github.com/cedowens/MacShell
* https://github.com/its-a-feature/Mythic/tree/master/Payload_Types/apfell/agent_code
  * JXA agent for the Mythic framework
* https://github.com/its-a-feature/Mythic/tree/master/Payload_Types/poseidon/agent_code
  * Golang agent for the Mythic framework that uses a lot of CGO with macOS API calls
* https://github.com/Marten4n6/EvilOSX
* https://github.com/neoneggplant/EggShell

### Binaries
* https://github.com/cedowens/SwiftBelt
  * Swift tool for doing safety checks on a macOS host for red teaming
* https://github.com/xorrior/xpcutil
  * Tool for sending XPC messages to launchd
* https://github.com/Tyilo/insert_dylib
  * Tool for injecting dylib weak/strong headers into a Mach-O binary
* https://github.com/its-a-feature/bifrost
  * Tool for interacting with Kerberos on macOS

### Other
* https://github.com/cedowens/Mythic-Macro-Generator
  * Tool to generate Microsoft Office macros for running Mythic's apfell payload
* https://github.com/cedowens/macOS-browserhist-parser
  * Tool for parsing macOS browser history on disk
* https://github.com/xorrior/macOSTools
  * Repo of a lot of macOS tooling
* https://github.com/its-a-feature/macos_execute_from_memory
  * Starter code to run macOS code from memory
* https://github.com/herrbischoff/awesome-macos-command-line
  * Lots of command-line based actions that aren't necessarily offensive, but can be pretty handy
* http://newosxbook.com/ent.jl
  * Web resource of entitlements for macOS binaries
* https://github.com/ahhh/macOS_profiles
  * Collection of macOS configuration profiles for penetration testing and red teaming

## Blogs
* https://theevilbit.github.io/posts/getting_started_in_macos_security/
  * Great intro blog that calls out a bunch of awesome resources
* https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/
* https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
* https://wojciechregula.blog/post/abusing-electron-apps-to-bypass-macos-security-controls/
* https://scriptingosx.com/2018/04/demystifying-root-on-macos-part-1/
* https://www.xorrior.com/
* https://www.dssw.co.uk/reference/authorization-rights/
* https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/
* https://blog.xpnsec.com/bypassing-macos-privacy-controls/
* http://lockboxx.blogspot.com/2019/10/macos-red-teaming-211-dylib-hijacking.html
* https://theevilbit.github.io/posts/
* https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c
* https://posts.specterops.io/sparkling-payloads-a2bd017095c
* https://posts.specterops.io/audio-unit-plug-ins-896d3434a882
* https://posts.specterops.io/no-place-like-chrome-122e500e421f
* https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65
* https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d
--------------------------------------------------------------------------------