
PoisonApple - macOS Persistence Tool

Description

[![PoisonApple](https://1.bp.blogspot.com/-3eJpGzR4jCw/YGvdt_8YhII/AAAAAAAAVz0/tson_bgPELET5D6FG6gpLY8-CfOZ5PMigCNcBGAsYHQ/w400-h400/PoisonApple_1.png)](https://1.bp.blogspot.com/-3eJpGzR4jCw/YGvdt_8YhII/AAAAAAAAVz0/tson_bgPELET5D6FG6gpLY8-CfOZ5PMigCNcBGAsYHQ/s333/PoisonApple_1.png)

Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.

**Install**

Do it up:

    $ pip3 install poisonapple --user

Note: PoisonApple was written and tested using Python 3.9; it should work using Python 3.6+.

**Important Notes!**

* PoisonApple will make modifications to your macOS system; it's advised to only use PoisonApple on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (`-r`), **please use with caution**!
* Be advised: this tool will likely cause common AV / EDR / other macOS security products to generate alerts.
* To understand how any of these techniques work in depth, please see [The Art of Mac Malware, Volume 1: Analysis - Chapter 0x2: Persistence](https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf) by Patrick Wardle of Objective-See. It's a fantastic resource.

**Usage**

See PoisonApple switch options (`--help`):

    $ poisonapple --help
    usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

    Command-line tool to perform various persistence mechanism techniques on macOS.

    optional arguments:
      -h, --help            show this help message and exit
      -l, --list            list available persistence mechanism techniques
      -t TECHNIQUE, --technique TECHNIQUE
                            persistence mechanism technique to use
      -n NAME, --name NAME  name for the file or label used for persistence
      -c COMMAND, --command COMMAND
                            command(s) to execute for persistence
      -r, --remove          remove persistence mechanism

List of available techniques:

    $ poisonapple --list
    [PoisonApple ASCII-art banner] v0.2.0
    +--------------------+
    | AtJob              |
    +--------------------+
    | Bashrc             |
    +--------------------+
    | Cron               |
    +--------------------+
    | CronRoot           |
    +--------------------+
    | Emond              |
    +--------------------+
    | LaunchAgent        |
    +--------------------+
    | LaunchAgentUser    |
    +--------------------+
    | LaunchDaemon       |
    +--------------------+
    | LoginHook          |
    +--------------------+
    | LoginHookUser      |
    +--------------------+
    | LoginItem          |
    +--------------------+
    | LogoutHook         |
    +--------------------+
    | LogoutHookUser     |
    +--------------------+
    | Periodic           |
    +--------------------+
    | Reopen             |
    +--------------------+
    | Zshrc              |
    +--------------------+

Apply a persistence mechanism:

    $ poisonapple -t LaunchAgentUser -n testing
    [PoisonApple ASCII-art banner] v0.2.0
    [+] Success! The persistence mechanism action was successful: LaunchAgentUser

If no command is specified (`-c`), a default trigger command will be used which writes to a file on the Desktop every time the persistence mechanism is triggered:

    $ cat ~/Desktop/PoisonApple-LaunchAgentUser
    Triggered @ Tue Mar 23 17:46:02 CDT 2021
    Triggered @ Tue Mar 23 17:46:13 CDT 2021
    Triggered @ Tue Mar 23 17:46:23 CDT 2021
    Triggered @ Tue Mar 23 17:46:33 CDT 2021
    Triggered @ Tue Mar 23 17:46:43 CDT 2021
    Triggered @ Tue Mar 23 17:46:53 CDT 2021
    Triggered @ Tue Mar 23 17:47:03 CDT 2021
    Triggered @ Tue Mar 23 17:47:13 CDT 2021
    Triggered @ Tue Mar 23 17:48:05 CDT 2021
    Triggered @ Tue Mar 23 17:48:15 CDT 2021

Remove a persistence mechanism:

    $ poisonapple -t LaunchAgentUser -n testing -r
    ...

Use a custom command:

    $ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
    ...

**[Download PoisonApple](https://github.com/CyborgSecurity/PoisonApple)**
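Because PoisonApple exists to give threat hunters something to detect, the natural companion is a small audit script on the blue-team side. The example below is added here and is not part of PoisonApple; it parses launchd property lists (the artifact behind the `LaunchAgent`, `LaunchAgentUser` and `LaunchDaemon` techniques) with the standard library's `plistlib`, reports the label and command of each job, and flags any job whose command writes to the `~/Desktop/PoisonApple-<Technique>` file that the tool's default trigger uses. The embedded sample plist is constructed for this example; PoisonApple's real plist layout is not shown on this page, and the 10-second `StartInterval` is only inferred from the cadence of the sample `cat` output above.

```python
"""Audit macOS launchd jobs for emulation artifacts (added example, not PoisonApple code)."""
import plistlib
import re
from pathlib import Path

# Locations where launchd jobs are registered for the current user and system-wide.
LAUNCHD_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# PoisonApple's default trigger appends "Triggered @ <date>" to
# ~/Desktop/PoisonApple-<Technique>; a job that touches such a path is a
# strong indicator of an emulation run rather than a legitimate agent.
POISONAPPLE_MARKER = re.compile(r"Desktop/PoisonApple-\w+")


def program_of(job):
    """Return the argv launchd would execute for a parsed job dictionary."""
    if "ProgramArguments" in job:
        return list(job["ProgramArguments"])
    if "Program" in job:
        return [job["Program"]]
    return []


def inspect_plist_bytes(data, source):
    """Parse one plist (XML or binary) and summarise what it would run."""
    job = plistlib.loads(data)
    command = " ".join(program_of(job))
    return {
        "source": source,
        "label": job.get("Label", "<no Label>"),
        "command": command,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "suspicious": bool(POISONAPPLE_MARKER.search(command)),
    }


def audit_directories(dirs=LAUNCHD_DIRS):
    """Inspect every *.plist in the given directories; missing dirs are skipped."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                findings.append(inspect_plist_bytes(p.read_bytes(), str(p)))
            except Exception as exc:  # a malformed plist is itself worth reporting
                findings.append({"source": str(p), "label": "<unparseable>",
                                 "command": "", "run_at_load": False,
                                 "suspicious": True, "error": str(exc)})
    return findings


# Constructed sample: how a LaunchAgent running the default trigger might look.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>testing</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>echo "Triggered @ $(date)" >> ~/Desktop/PoisonApple-LaunchAgentUser</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>10</integer>
</dict>
</plist>
"""

# Constructed benign job for comparison (hypothetical backup agent).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Offline demo on the constructed samples, then a live audit of the real directories.
    for blob, name in ((SAMPLE_PLIST, "sample"), (BENIGN_PLIST, "benign")):
        print(inspect_plist_bytes(blob, name))
    for finding in audit_directories():
        flag = "!!" if finding["suspicious"] else "  "
        print(f"{flag} {finding['label']:40} {finding['command']}  ({finding['source']})")
```

The marker regex only catches the tool's default trigger; a run with `-c` and an arbitrary command will not match, so in practice the useful output is the full listing of label and command per job, reviewed against a baseline of the agents you expect on the host.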