macOS persistence tool

Last update: Dec 29, 2022

Related tags

Overview

PoisonApple

Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.

Install

Do it up:

$ pip3 install poisonapple --user

Note: PoisonApple was written & tested using Python 3.9, it should work using Python 3.6+

Important Notes!

PoisonApple will make modifications to your macOS system, it's advised to only use PoisonApple on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (-r), please use with caution!
Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
To understand how any of these techniques work in-depth please see The Art of Mac Malware, Volume 1: Analysis - Chapter 0x2: Persistence by Patrick Wardle of Objective-See. It's a fantastic resource.

Usage

See PoisonApple switch options (--help):

$ poisonapple --help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

Command-line tool to perform various persistence mechanism techniques on macOS.

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            list available persistence mechanism techniques
  -t TECHNIQUE, --technique TECHNIQUE
                        persistence mechanism technique to use
  -n NAME, --name NAME  name for the file or label used for persistence
  -c COMMAND, --command COMMAND
                        command(s) to execute for persistence
  -r, --remove          remove persistence mechanism

List of available techniques:

$ poisonapple --list
      ,       _______       __
  .-.:|.-.   |   _   .-----|__|-----.-----.-----.
.'        '. |.  |   |  |  |  |__ --|  |  |  |  |
'-."~".  .-' |.  ____|_____|__|_____|_____|__|__|
  } ` }  {   |:  |  _______             __
  } } }  {   |::.| |   _   .-----.-----|  |-----.
  } ` }  {   `---' |.  |   |  |  |  |  |  |  -__|
.-'"~"   '-.       |.  _   |   __|   __|__|_____|
'.        .'       |:  |   |__|  |__|
  '-_.._-'         |::.|:. |
                   `--- ---' v0.2.0

+--------------------+
| AtJob              |
+--------------------+
| Bashrc             |
+--------------------+
| Cron               |
+--------------------+
| CronRoot           |
+--------------------+
| Emond              |
+--------------------+
| LaunchAgent        |
+--------------------+
| LaunchAgentUser    |
+--------------------+
| LaunchDaemon       |
+--------------------+
| LoginHook          |
+--------------------+
| LoginHookUser      |
+--------------------+
| LoginItem          |
+--------------------+
| LogoutHook         |
+--------------------+
| LogoutHookUser     |
+--------------------+
| Periodic           |
+--------------------+
| Reopen             |
+--------------------+
| Zshrc              |
+--------------------+

Apply a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing
      ,       _______       __
  .-.:|.-.   |   _   .-----|__|-----.-----.-----.
.'        '. |.  |   |  |  |  |__ --|  |  |  |  |
'-."~".  .-' |.  ____|_____|__|_____|_____|__|__|
  } ` }  {   |:  |  _______             __
  } } }  {   |::.| |   _   .-----.-----|  |-----.
  } ` }  {   `---' |.  |   |  |  |  |  |  |  -__|
.-'"~"   '-.       |.  _   |   __|   __|__|_____|
'.        .'       |:  |   |__|  |__|
  '-_.._-'         |::.|:. |
                   `--- ---' v0.2.0

[+] Success! The persistence mechanism action was successful: LaunchAgentUser

If no command is specified (-c) a default trigger command will be used which writes to a file on the Desktop every time the persistence mechanism is triggered:

$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021 
Triggered @ Tue Mar 23 17:46:13 CDT 2021 
Triggered @ Tue Mar 23 17:46:23 CDT 2021 
Triggered @ Tue Mar 23 17:46:33 CDT 2021 
Triggered @ Tue Mar 23 17:46:43 CDT 2021 
Triggered @ Tue Mar 23 17:46:53 CDT 2021 
Triggered @ Tue Mar 23 17:47:03 CDT 2021 
Triggered @ Tue Mar 23 17:47:13 CDT 2021 
Triggered @ Tue Mar 23 17:48:05 CDT 2021 
Triggered @ Tue Mar 23 17:48:15 CDT 2021

Remove a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing -r
...

Use a custom command:

$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
...

You might also like...

A tool to brute force a gmail account. Use this tool to crack multiple accounts

A tool to brute force a gmail account. Use this tool to crack multiple accounts. This tool is developed to crack multiple accounts

12 Dec 30, 2022

Osint-Tool - Information collection tool in python

Osint-Tool Herramienta para la recolección de información Pronto más opciones In

3 Apr 9, 2022

An auxiliary tool for iot vulnerability hunter

firmeye - IoT固件漏洞挖掘工具 firmeye 是一个 IDA 插件，基于敏感函数参数回溯来辅助漏洞挖掘。我们知道，在固件漏洞挖掘中，从敏感/危险函数出发，寻找其参数来源，是一种很有效的漏洞挖掘方法，但程序中调用敏感函数的地方非常多，人工分析耗时费力，通过该插件，可以帮助排除大部分的安全

171 Nov 28, 2022

DNS hijacking via dead records automation tool

DeadDNS Multi-threaded DNS hijacking via dead records automation tool How it works 1) Dig provided subdomains file for dead DNS records. 2) Dig the fo

45 Dec 20, 2022

It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

88 Dec 23, 2022

Releases(v0.2.3)

v0.2.3(Feb 9, 2022)

Formatted code using black, bump license for 2022, and misc edits.
Source code(tar.gz)
Source code(zip)
v0.2.2(Jul 2, 2021)

Added iTerm2 persistence technique.
Source code(tar.gz)
Source code(zip)
v0.2.1(Apr 9, 2021)

Re-arrange techniques and improve code base by using subclasses.
Source code(tar.gz)
Source code(zip)
v0.2.0(Mar 25, 2021)

Initial public release with 16 techniques.
Source code(tar.gz)
Source code(zip)
PoisonAppleDist.dmg(9.76 MB)

macOS persistence tool

Related tags

Overview

PoisonApple

Install

Important Notes!

Usage

You might also like...

A tool to brute force a gmail account. Use this tool to crack multiple accounts

Osint-Tool - Information collection tool in python

An auxiliary tool for iot vulnerability hunter

DNS hijacking via dead records automation tool

It's a simple tool for test vulnerability shellshock

Bandit is a tool designed to find common security issues in Python code.

Automatic SQL injection and database takeover tool

A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure.

Releases(v0.2.3)

v0.2.3(Feb 9, 2022)

v0.2.2(Jul 2, 2021)

v0.2.1(Apr 9, 2021)

v0.2.0(Mar 25, 2021)

Owner

Cyborg Security, Inc

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you.

Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

Buffer Overflow para SLmail5.5 32 bits

Writeups for wtf-CTF hosted by Manipal Information Security Team as part of Techweek2021- INCOGNITO

Fetch Chrome, Firefox, WiFi password and system info

Flutter Reverse Engineering Framework

Source code for "A Two-Stream AMR-enhanced Model for Document-level Event Argument Extraction" @ NAACL 2022

Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

dos-atack-tor script de python que permite usar conexiones cebollas para atacar paginas .onion o paginas convencionales via tor.

Universal Radio Hacker: Investigate Wireless Protocols Like A Boss

Bilgi Sistemleri Projesi için yapılan keylogger

Exploiting CVE-2021-44228 in Unifi Network Application for remote code execution and more

Exploit grafana Pre-Auth LFI

Repository for a project of the course EP2520 Building Networked Systems Security

Holehe OSINT - Email to Registered Accounts

A fast tool to scan prototype pollution vulnerability

Log4j minecraft with python

A brute force tool for password-protected zip file