PoisonApple : macOS Persistence Tool

PoisonApple is a command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.

Install

  • Do it up:

$ pip3 install poisonapple –user

Note: PoisonApple was written & tested using Python 3.9, it should work using Python 3.6+

Important Notes!

  • PoisonApple will make modifications to your macOS system, it’s advised to only use PoisonApple on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (-r), please use with caution!
  • Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
  • To understand how any of these techniques work in-depth please see The Art of Mac Malware, Volume 1: Analysis – Chapter 0x2: Persistence by Patrick Wardle of Objective-See. It’s a fantastic resource.

Usage

See PoisonApple switch options (–help):

$ poisonapple –help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

Command-line tool to perform various persistence mechanism techniques on macOS.

Optional Arguments:
-h, –help show this help message and exit
-l, –list list available persistence mechanism techniques
-t TECHNIQUE, –technique TECHNIQUE
persistence mechanism technique to use
-n NAME, –name NAME name for the file or label used for persistence
-c COMMAND, –command COMMAND
command(s) to execute for persistence
-r, –remove remove persistence mechanism

  • List of available techniques:

+——————–+
| AtJob |
+——————–+
| Bashrc |
+——————–+
| Cron |
+——————–+
| CronRoot |
+——————–+
| Emond |
+——————–+
| LaunchAgent |
+——————–+
| LaunchAgentUser |
+——————–+
| LaunchDaemon |
+——————–+
| LoginHook |
+——————–+
| LoginHookUser |
+——————–+
| LoginItem |
+——————–+
| LogoutHook |
+——————–+
| LogoutHookUser |
+——————–+
| Periodic |
+——————–+
| Reopen |
+——————–+
| Zshrc |
+——————–+

  • Apply a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing
[+] Success! The persistence mechanism action was successful: LaunchAgentUser

  • If no command is specified (-c) a default trigger command will be used which writes to a file on the Desktop every time the persistence mechanism is triggered:

$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021

  • Remove a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing -r

  • Use a custom command:

$ poisonapple -t LaunchAgentUser -n foo -c “echo foo >> /Users/user/Desktop/foo”

Download

R K

Share
Published by
R K
Tags: MacOSPoisonApple
5 years ago

Recent Posts

Bash Scripting Best Practices Every Beginner Should Know

Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…

12 hours ago

How To Create A Self-Signed SSL Certificate Using Bash And OpenSSL

Introduction A self-signed SSL certificate is a certificate that is created and signed by the…

13 hours ago

How To Debug Bash Scripts Using bash -x And set Commands

Introduction Debugging is an important part of Bash scripting. When a script does not work…

18 hours ago

How To Use Cron Jobs With Bash Scripts For Automation

Introduction Cron jobs are used in Linux to run commands or Bash scripts automatically at…

19 hours ago

How To Use Pipes In Bash Scripts For Command Chaining

Introduction Pipes are an important feature in Linux and Bash scripting. A pipe allows you…

20 hours ago

How To Use grep, awk, And sed In Bash Scripts

Introduction The grep, awk, and sed commands are powerful text-processing tools in Linux. They are…

21 hours ago