Description
![PoisonApple logo](<https://1.bp.blogspot.com/-3eJpGzR4jCw/YGvdt_8YhII/AAAAAAAAVz0/tson_bgPELET5D6FG6gpLY8-CfOZ5PMigCNcBGAsYHQ/s333/PoisonApple_1.png>)
Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
**Install**
Do it up:
```
$ pip3 install poisonapple --user
```
Note: PoisonApple was written and tested with Python 3.9; it should work with Python 3.6+.
**Important Notes!**
* PoisonApple will make modifications to your macOS system, so it is advised to use PoisonApple only on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (-r), **please use with caution**!
* Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
* To understand how any of these techniques work in depth, please see [The Art of Mac Malware, Volume 1: Analysis](<https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf> "The Art of Mac Malware, Volume 1: Analysis") - Chapter 0x2: Persistence by Patrick Wardle of Objective-See. It's a fantastic resource.
**Usage**
See PoisonApple switch options (--help):
```
$ poisonapple --help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

Command-line tool to perform various persistence mechanism techniques on macOS.

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            list available persistence mechanism techniques
  -t TECHNIQUE, --technique TECHNIQUE
                        persistence mechanism technique to use
  -n NAME, --name NAME  name for the file or label used for persistence
  -c COMMAND, --command COMMAND
                        command(s) to execute for persistence
  -r, --remove          remove persistence mechanism
```
List of available techniques:
```
$ poisonapple --list
(PoisonApple ASCII-art banner)                    v0.2.0

+--------------------+
| AtJob              |
+--------------------+
| Bashrc             |
+--------------------+
| Cron               |
+--------------------+
| CronRoot           |
+--------------------+
| Emond              |
+--------------------+
| LaunchAgent        |
+--------------------+
| LaunchAgentUser    |
+--------------------+
| LaunchDaemon       |
+--------------------+
| LoginHook          |
+--------------------+
| LoginHookUser      |
+--------------------+
| LoginItem          |
+--------------------+
| LogoutHook         |
+--------------------+
| LogoutHookUser     |
+--------------------+
| Periodic           |
+--------------------+
| Reopen             |
+--------------------+
| Zshrc              |
+--------------------+
```
Apply a persistence mechanism:
```
$ poisonapple -t LaunchAgentUser -n testing
(PoisonApple ASCII-art banner)                    v0.2.0

[+] Success! The persistence mechanism action was successful: LaunchAgentUser
```
If no command is specified (-c), a default trigger command is used that appends a timestamped line to a file on the Desktop every time the persistence mechanism is triggered:
```
$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021
```
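The LaunchAgentUser technique shown above lands as a plist under the user's LaunchAgents directory, which is also where a threat hunter validating this emulation would look. The script below is an added example (not part of PoisonApple) that parses launchd job plists with the standard library, reduces each to its label, command line and trigger keys, and flags jobs that run a shell one-liner or reference the `PoisonApple-<Technique>` artifact from the page. The two embedded plists are constructed samples: the exact plist PoisonApple writes and its 10-second interval are assumptions, not taken from the tool.

```python
#!/usr/bin/env python3
"""Hunt for launchd persistence (LaunchAgentUser / LaunchAgent / LaunchDaemon
style jobs) by parsing the plists launchd loads. Added example, not PoisonApple code."""
import os
import plistlib
from pathlib import Path

# Keys launchd uses to decide when a job runs (see launchd.plist(5)).
TRIGGER_KEYS = ("RunAtLoad", "StartInterval", "StartCalendarInterval",
                "WatchPaths", "KeepAlive")

# Standard macOS locations of user and system launchd job definitions.
LAUNCHD_DIRS = (
    Path(os.path.expanduser("~")) / "Library" / "LaunchAgents",  # per-user agents
    Path("/Library/LaunchAgents"),                                # all-users agents
    Path("/Library/LaunchDaemons"),                               # root daemons
)

SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def parse_launchd_plist(data: bytes) -> dict:
    """Reduce one launchd plist (XML or binary) to label, argv and trigger keys."""
    plist = plistlib.loads(data)
    if "ProgramArguments" in plist:
        argv = [str(a) for a in plist["ProgramArguments"]]
    elif "Program" in plist:
        argv = [str(plist["Program"])]
    else:
        argv = []
    return {
        "label": plist.get("Label", "<no Label>"),
        "argv": argv,
        "triggers": {k: plist[k] for k in TRIGGER_KEYS if k in plist},
    }


def is_suspicious(entry: dict) -> bool:
    """Heuristic: the job runs a shell one-liner, or its command references the
    PoisonApple default trigger artifact (~/Desktop/PoisonApple-<Technique>)."""
    argv = entry["argv"]
    cmd = " ".join(argv)
    shell_oneliner = bool(argv) and argv[0] in SHELLS and "-c" in argv
    return shell_oneliner or "PoisonApple-" in cmd or "/Desktop/" in cmd


def scan(dirs=LAUNCHD_DIRS) -> list:
    """Parse every *.plist under the given directories. Unreadable or malformed
    files become entries carrying an 'error' key instead of aborting the hunt."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                entry = parse_launchd_plist(p.read_bytes())
            except (plistlib.InvalidFileException, ValueError, OSError) as exc:
                entry = {"label": p.name, "argv": [], "triggers": {}, "error": str(exc)}
            entry["path"] = str(p)
            entry["suspicious"] = "error" not in entry and is_suspicious(entry)
            findings.append(entry)
    return findings


# Constructed sample resembling a LaunchAgentUser job that uses the page's default
# trigger command. The plist layout and the interval are assumptions.
SAMPLE_POISONAPPLE_PLIST = plistlib.dumps({
    "Label": "testing",
    "ProgramArguments": ["/bin/sh", "-c",
                         'echo "Triggered @ $(date)" >> ~/Desktop/PoisonApple-LaunchAgentUser'],
    "RunAtLoad": True,
    "StartInterval": 10,
})

# Constructed benign comparison: a vendor updater that runs nightly.
SAMPLE_BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartCalendarInterval": {"Hour": 3, "Minute": 0},
})


if __name__ == "__main__":
    for sample in (SAMPLE_POISONAPPLE_PLIST, SAMPLE_BENIGN_PLIST):
        e = parse_launchd_plist(sample)
        verdict = "SUSPICIOUS" if is_suspicious(e) else "ok"
        print(f"{verdict:10} {e['label']}: {' '.join(e['argv'])} {e['triggers']}")
    for e in scan():
        print(f"{'SUSPICIOUS' if e['suspicious'] else 'ok':10} {e['path']}")
```

Run it on the host after applying and after removing (-r) a technique to confirm the plist appears and disappears; compare the on-disk inventory with what `launchctl list` reports as loaded, since a job that was removed from disk may still be loaded until it is unloaded or the user logs out. The heuristics are deliberately crude (any shell `-c` job or anything writing to Desktop), so treat flagged entries as leads to review, not verdicts.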
Remove a persistence mechanism:
```
$ poisonapple -t LaunchAgentUser -n testing -r
...
```
Use a custom command:
```
$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
...
```
**[Download PoisonApple](<https://github.com/CyborgSecurity/PoisonApple> "Download PoisonApple" )**
Published by KitPloit on 2021-04-09: <http://www.kitploit.com/2021/04/poisonapple-macos-persistence-tool.html>