PoisonApple is a command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
Install
$ pip3 install poisonapple –user
Note: PoisonApple was written & tested using Python 3.9, it should work using Python 3.6+
Important Notes!
Usage
See PoisonApple switch options (–help):
$ poisonapple –help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]
Command-line tool to perform various persistence mechanism techniques on macOS.
Optional Arguments:
-h, –help show this help message and exit
-l, –list list available persistence mechanism techniques
-t TECHNIQUE, –technique TECHNIQUE
persistence mechanism technique to use
-n NAME, –name NAME name for the file or label used for persistence
-c COMMAND, –command COMMAND
command(s) to execute for persistence
-r, –remove remove persistence mechanism
+——————–+
| AtJob |
+——————–+
| Bashrc |
+——————–+
| Cron |
+——————–+
| CronRoot |
+——————–+
| Emond |
+——————–+
| LaunchAgent |
+——————–+
| LaunchAgentUser |
+——————–+
| LaunchDaemon |
+——————–+
| LoginHook |
+——————–+
| LoginHookUser |
+——————–+
| LoginItem |
+——————–+
| LogoutHook |
+——————–+
| LogoutHookUser |
+——————–+
| Periodic |
+——————–+
| Reopen |
+——————–+
| Zshrc |
+——————–+
$ poisonapple -t LaunchAgentUser -n testing
[+] Success! The persistence mechanism action was successful: LaunchAgentUser
$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021
$ poisonapple -t LaunchAgentUser -n testing -r
…
$ poisonapple -t LaunchAgentUser -n foo -c “echo foo >> /Users/user/Desktop/foo”
…
WID_LoadLibrary is a custom implementation inspired by the Windows API function LoadLibrary, which is used…
Locksmith is a specialized tool designed to identify and remediate vulnerabilities in Active Directory Certificate…
Uscrapper Vanta is a powerful open-source intelligence (OSINT) tool designed to revolutionize web scraping and…
Pake is an innovative tool designed to convert any webpage into a desktop application with…
Bevy is an open-source, data-driven game engine built in Rust, designed to simplify game development…
AppFlowy Cloud is a robust component of the AppFlowy ecosystem, designed to provide secure user…