PoisonApple is a command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
Install
$ pip3 install poisonapple –user
Note: PoisonApple was written & tested using Python 3.9, it should work using Python 3.6+
Important Notes!
Usage
See PoisonApple switch options (–help):
$ poisonapple –help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]
Command-line tool to perform various persistence mechanism techniques on macOS.
Optional Arguments:
-h, –help show this help message and exit
-l, –list list available persistence mechanism techniques
-t TECHNIQUE, –technique TECHNIQUE
persistence mechanism technique to use
-n NAME, –name NAME name for the file or label used for persistence
-c COMMAND, –command COMMAND
command(s) to execute for persistence
-r, –remove remove persistence mechanism
+——————–+
| AtJob |
+——————–+
| Bashrc |
+——————–+
| Cron |
+——————–+
| CronRoot |
+——————–+
| Emond |
+——————–+
| LaunchAgent |
+——————–+
| LaunchAgentUser |
+——————–+
| LaunchDaemon |
+——————–+
| LoginHook |
+——————–+
| LoginHookUser |
+——————–+
| LoginItem |
+——————–+
| LogoutHook |
+——————–+
| LogoutHookUser |
+——————–+
| Periodic |
+——————–+
| Reopen |
+——————–+
| Zshrc |
+——————–+
$ poisonapple -t LaunchAgentUser -n testing
[+] Success! The persistence mechanism action was successful: LaunchAgentUser
$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021
$ poisonapple -t LaunchAgentUser -n testing -r
…
$ poisonapple -t LaunchAgentUser -n foo -c “echo foo >> /Users/user/Desktop/foo”
…
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…