Comparing apples to Apple

BSides Augusta · 2018 · 27:05 · 18 views · Published 2018-10
Tags: Category: Technical · Team: Blue · Style: Talk
About this talk
Speaker: Adam Mathis (@ch41_)

Many defenders have hard-fought experience finding evil on Windows systems, but stare blankly when handed a Mac. You know all the ways PowerShell can own a box, but how about AppleScript? You know all the Run keys by heart, but where would you find rogue kernel extensions? This practical talk gives defenders a primer in finding adversarial activity on macOS, using the TTPs they know and love from other platforms as a reference point.
Transcript [en]

Right, hear me okay? I didn't lower the mics so that they didn't run my beard. So today's talk is Comparing Apples to Apple. Jake, in the last talk, was nice enough to say "apples to apples" about five hundred times, which is cool; it's like he was prepping for me. So my name is Adam Mathis. A little background: I came from doing a lot of work in a lot of different security domains and IT domains, vulnerability management, security engineering, penetration testing, all this fun stuff, but I worked in an environment where there weren't a lot of Apple systems. Then I switched companies and started working with a lot of companies all over

the various spectrum, and a lot of them were very Apple-focused, and I started trying to figure out, well, what's the best way to defend these systems. What I found is there wasn't a lot of research being put into Apple systems, not a lot of tooling, and so I said, well, let's start looking at how we can get into this space. So the idea of this talk, the way it's going to work, is we're going to look at certain tactics and techniques on the Windows side and then give you the corollary on the macOS side, so kind of giving you a

baseline foundation of how to find enemy tradecraft on Mac systems. And I work for Red Canary, down at the bottom. So we're going to go over the pillars of the Mac security ecosystem, and then we'll talk about some individual pieces of tradecraft and how to catch it, some detection ideas, and then we'll go into some tooling and a little project that I'm working on. So we look at the Apple ecosystem, and that encompasses iOS, watchOS, tvOS; all these things are starting to converge, although Apple will say they're not. You're starting to see more and more things come from iOS into the macOS world, and a lot of these

things are playing out across all of these different products. So really Apple focuses on three main pillars for their security, and all of their subsystems interlace together to enforce these things. So: code signing, verifying that something has a legitimate code signature. Entitlements: even if something is signed and it's running under a privileged user such as root, there are certain things that you cannot do on an Apple system, such as query an individual process by its PID, its process ID, or various other modifications to protected system files, unless you have very specific entitlements given to you by Apple at the time of the compilation of the

binary; you're not going to be able to perform some of these activities. And a lot of those things have to go through an Apple pipeline where they sign everything for you and validate the entitlements you're requesting. It's very difficult to get a binary on a system with privileged entitlements without subverting some of these security systems. And then sandboxing, so the disallowance of one process from talking to another; everything has its own little happy place. Most of that stuff is coming through the pipeline of the App Store. So all of these things together make it really, really toxic for adversaries that want to bring their own binaries to the

table, which is why it's fun to talk about living off the land. Most of the tactics and techniques we're going to talk about here are things you can do with native Apple binaries. But just to start off, just to give you a little taste of what this will look like: on the Windows side, PowerShell, and you've probably seen some talks today where they go into depth about how PowerShell is used for evil in a lot of environments. On the Apple side, the corollary for PowerShell is AppleScript. So AppleScript is Apple's scripting language that allows you to not only run things in terminals, it allows you to interact with applications

both behind the scenes and graphically. You can click buttons, you can enter text into text boxes, so if you're thinking from an attacker standpoint you can do massive amounts of evil with this thing, and it's a lot of fun, and we'll go into some demos of how you can do some AppleScript evil. But also there's bash on Apple systems, Python, Ruby, Perl, PHP, and then also optionally PowerShell. So Apple basically sets us up and says, hey, any framework that anyone would ever want to bring to the table, let's just let them run it natively. Now all these things live on the Apple system by default; if you remove them

you will probably break some Apple subsystems. So it's just something to keep in mind, that if someone wants to bring a Ruby framework or some Python script, they're probably just going to run it on your system without any hindrance. So just a little bit about taxonomy and how we're going to focus on this. At the top is the MITRE ATT&CK framework reference. If you're not familiar with MITRE ATT&CK, it's a nice open, free, vendor-neutral document, or wiki rather, of adversary tactics and tradecraft, techniques, the tools they use. It's a great way to figure out who are the evil

people and what are the things they're doing when they get on systems. So if you haven't heard of it, it's a great way, both as an attacker and/or a defender, to use this as a foundation for what are the things I need to hunt for, what are the things I need to be detecting, what are the things I need to be using for attack. And then at the bottom we have the Mandiant attack lifecycle. This is just another way to describe what adversaries do when they get on your network. We're going to focus primarily in that loop there, because that's where the bad guys are going to spend the most time. There's obviously

growing ways every single day to compromise a system initially, to get access to it, but what we've seen is that most bad guys, when they get on a system, do the same things. They're lazy, just like everyone else, so they want to use the same tools that they use everywhere else; they want to persist the same way. So that's where we're going to focus in this talk. So to start off with, let's look at discovery tactics. On the Windows side we have whoami; on the Apple side we have whoami. Very straightforward. On the Windows side there's one which is a great tool for admins as well

as bad guys to look and see, okay, what user am I looking at, what kind of groups are they in, information on domain groups; it's very useful. On the Apple side you can perform the same type of queries against users and groups using dscl and dscacheutil. On the Windows side there's a utility called msinfo; on the Apple side there's a neat utility called system_profiler, and what system_profiler does is collect just a boatload of information. It gives you not only installed software, it gives you firewall rules that are enabled, all this kind of information on

groups, lots of information, hardware, your kernel. There's just a ton of discovery information that you can get just by running this one simple command. And as you can see on that diagram there, this is an actual example of an exploited system where one had embedded a macro in an Excel document and executed it, and so what it did is run a bunch of scripts to collect information on the system, and the one there is using system_profiler and specifically querying for just one section of the system_profiler data. So lots and lots of information; if you just run that by itself without any kind

of command line syntax you'll get a crazy amount of data. And so if you're familiar with nmap, nmap is obviously not Windows-exclusive, but it's kind of one of the de facto port scanners. Apple has a little-known port scan utility baked right into the operating system called stroke. It is part of the Network Utility app, which is a little-known built-in app by Apple, but what it allows you to do is, normally if you go into the Network Utility app, you can go and say, hey, there's an IP I'm going to look at, the ports I want to scan between, but you can also run it

directly from the command line. So this is a great one to look for in any environment, just because most people don't know it's there to start out with, and there's almost no legitimate use for calling it directly from the command line like this. Alright, let's get into something a little more exciting: credential access and privilege escalation. On the Windows side, if you use the doskey command, or in a terminal, I think F7 is the hotkey, you can see the history of a DOS command window. And on the Mac side, because they use bash, you can query the bash history file, which allows you

to see all of the commands that have been executed by the user whose context you're running in. Now of course you can look at the bash history of any user on the box, provided you have the correct privileges; each user has their own history file. But in there you can find things like what are the systems that this user is talking to, and that might help you, if you're an attacker, figure out what other systems do I already have access to, either by virtue of the fact that they're using some identity file, which is that second line there; if they're pointing to an identity file that has a username and

password to pass along to the server, or is it just something there's already keys set up for, so SSH keys, so I can just immediately pivot to the next box. There's other ways that you can escalate your privilege. On the Windows side you have the concept of DLL hijacking: if you have a piece of software that's going to look for a specific dynamic library, you can sometimes take a maliciously crafted library and drop it directly in the same folder, and if the application is not coded very well, it may just take whatever library it sees first. So, like, oh, I have my DLL right here, I don't have

to go look anywhere else, and now all of a sudden they're running terrible code in a signed app, in this case. The same exact principle exists on the Mac side. This is actually a utility called, I think it's just called Dylib Hijack Scanner, and this is something written by Patrick Wardle at Objective-See. It's a great tool, actually; objective-see.com is a great place to find all kinds of Mac utilities, so definitely check that one out too. And then another way to escalate your privilege, and gain access to credentials, is to just ask the user to give you their password. So in this case this is actually an AppleScript command; you can

see here that we're telling the System Preferences application to pop up a box and say, hey, I need your password to install system updates, and then that's going to pass it back to your shell. And it looks like this: paste this in here, we execute it, that's legitimate System Preferences, the user types in their password and hits OK, and that passes along to the shell. In most cases the actor is going to have a shell hidden from the user, either through a reverse shell or something like that, so it wouldn't be quite as visible to them as in this case. Jump to the next one there. So there's a

utility called EggShell; it's a post-exploitation framework written in Python specifically for Mac. It's a surveillance-based framework, so there's a little bit of execution, but mostly it's there to collect audio, visual, file-type information on the victim. And so this is kind of what that looks like: they prompt the box, the user types in there, it goes back along the reverse shell, and then immediately you can escalate to root. For the most part, if you have an Apple system and you have one user on it, that person is an admin by default, so in a lot of organizations they don't necessarily think to change

that. So you can turn a normal user into root, which is kind of like the god of the computer, very, very quickly. So down here, just a quick detection win: look for osascript. If you just look for osascript in general, and you have a lot of Macs in your environment, you might see this a lot, because AppleScript is used by a lot of legitimate utilities to perform actions in the background. But it's one of those situations where, if you're looking for command lines that include the System Preferences app, or the word "password", anything like that is going to be highly suspect. So another one: if you're

familiar with Mimikatz or Cain or all these other ways you can extract clear-text passwords, or even sometimes encrypted passwords, there's kind of a corollary on the Mac side in the way of keychain access. The keychain in the Mac world is a database full of all of your secrets, and not just your passwords; it can be certificates, it can be all kinds of different identity information. Basically Apple will be very helpful: if you say, hey, I'm starting to type in a password to a system, it's like, you want me to store that in the keychain for you? You say yes, and now it's in this database, which is secure. So how do you

access the security database? You can access it directly from the command line with the security app, and basically there's a bunch of different switches you can use with security. This one is find-internet-password, which does what you think it does: if you have saved passwords for any sites, like your banking information or any internal web apps that you might be using, you can query those directly. The other one down here, the second one, is dump-keychain, so you can dump everything out of the keychain into just a text file. Both of these can be called from the command line. Apple did add

some security around this, so when you run these commands there will be a physical box that pops up that you have to type your password into to say, okay, yes, I agree that I want this password to be removed or collected by this process. But there are some other ways that you can subvert this: Patrick Wardle from Objective-See wrote a great blog post on using Mouse Keys, which are basically synthetic ways to move the mouse and click buttons just using keyboard input. So there are definitely ways to get around some of these things. Just looking for the process "security" will probably give you a lot of false positives, because

access to the keychain is used by a lot of different processes on the Apple side, but looking for anything that's trying to find a password or dump the keychain, there's almost no legitimate apps; I actually have never seen a legitimate app that would do either one of these, so those are great switches to look for to find evil. The other way to get access to the keychain is just to steal it. It is just a file that exists on your endpoint, so you can just copy that thing live over to another system, and then when you move it to a second Mac, if you already have that password and you go to open it up, it's just going to say, hey,

what's the password to this keychain? You give it the user's password, you have all of their passwords. It's very quiet; well, it's much quieter than the first method. So just looking for any process at all that's not "security" that's looking at any of those keychain database files, or any kind of file modification involving one of those database files, those are good ones. It is also possible, as a preventative measure, to change the password to your keychain to be different than your login password, which is definitely recommended in almost every case, just because that gives them another level that they have to bypass to get access to those secrets. Alright,

so for lateral movement, a lot of you might be familiar with PsExec. There are obviously a lot of other ways to move laterally in a Windows environment, but that's one of the more popular ones, because you just point it at a system and say, go do this thing. And we can do this again with AppleScript, which is cool. In this case AppleScript is telling the application Terminal, so it's opening up a Terminal window, and then it's saying run this script, and so in this case you can imagine you can pretty much run any kind of script you want, any kind of bash script, any kind of Python script;

you can run that directly from AppleScript. So in this case we're going to tell it to open an SSH session to a remote system, wait a couple of seconds so we can authenticate, and then run a second script which is going to open Calculator in the current tab.

We're going to run this; it's going to open that second one, enter the password, so you can run whatever you want, any kind of script, any kind of application behind the scenes. And that's a neat little way just to move on to another system, but you can also do that more directly with AppleScript. If you'll see here at the bottom, this little picture, Remote Apple Events is disabled by default, but using AppleScript you can turn it on. So if you reach out to a system like we just did in our last demo and say, hey, go and open this up and start clicking this button and turn this thing on, now you can

use AppleScript to just reach out and directly touch that machine. In this case you can see AppleScript says tell this application on this remote system to open this application, which is obviously way easier from an attacker standpoint. So other ways to detect AppleScript, especially the remote commands: any kind of AppleScript with a network connection, it's not a very common function that you'll ever see, and any kind of osascript execution with a command line of "do shell script" or "do script", both of those are indicative of trying to run some other kind of scripting language, which is uncommon. So persistence: there's a lot of different ways people can persist on

an Apple system. So the Startup folder on Windows: there used to be a corollary on the Apple side called Library StartupItems. It's deprecated, but it still is honored, so if you put something in that folder on a system, even if it doesn't exist and you create it, you put something there, it will still be honored. So any kind of file modification to that folder is highly suspect, because that's going to be either someone who is trying to do something evil or an incredibly old piece of software. Services are kind of like launch daemons, in the fact that they execute without the presence of a user, so they don't

necessarily need a user, whereas something like your Run keys on the Windows side, the Run keys, the RunOnce, the things that are specific to a user logging in, that's going to be the launch agents. Both of those exist in different places on the Apple system; there's actually many different locations those can live in. But there are also some really good tools: Objective-See, Patrick Wardle, he has a tool called KnockKnock that will look at these and a lot of other persistence mechanisms on Mac. And then scheduled tasks: we have cron jobs. If you're familiar with the Linux world, cron jobs are just a way to run a task

on a schedule, and then launchctl is one that's Apple-specific and it's kind of interesting. It's one where you can execute code and it will run as a job, and it will continue to run until that job is killed or the system is rebooted. So it's a nice way to run something and ensure it runs, and then as soon as the system's rebooted it cleans up after itself. And that looks kind of like this: we're going to run launchctl, we're going to open up a Python script. You notice that popped up a box; that's just a visual, it doesn't necessarily pop up a box on its

own, but right there, moving my mouse frantically, it comes back. And so no matter how many times I click that OK button to make it go away, it's going to continue to run. So imagine a Python script, like most of them, that does not have a pop-up box; it's just running in the background, and even if someone does look and see, what are my running processes, oh, there's some Python, let's kill it, you kill it, it's going to come right back. So it's a fun one to look for: any kind of launchctl, especially with "submit" in the command line, that's definitely something worth looking at. So how do you

gain visibility into your Mac systems? There was a gentleman that had a talk earlier today about osquery; it was excellent, you should definitely go back and watch that recording, just the ins and outs of how to start using osquery for hunting for evil in your environment. It is retroactive, so you can run queries against your systems over and over again to get up-to-date information, but it's not really a real-time monitoring tool, and it's not really meant to be one, but it's a great way to find persistence and all other kinds of things on your network. supraudit is one I really like, written by Jonathan Levin. This is a real-time

tool. He basically reversed praudit, from old Unix fame, and came up with a better implementation for Mac, so it can either output in this format that you see down here or in JSON, and it has native syslog, so you can pipe that up to whichever system you want. That's definitely worth looking at. And then xnumon is one of the more recent systems that came to the table this year. This is totally open source; it's another real-time monitoring tool. It was very process-focused to start out with; they've recently added some network visibility. It's definitely one to

look out for in the future. And then some other useful tools if you're trying to protect your Mac systems: Little Snitch and Micro Snitch. Little Snitch is a process-oriented firewall, and Micro Snitch tells you if your microphone or your video goes hot, which is very useful if you're not expecting that stuff to happen; if someone is trying to spy on you, you will see these little eyes and ears go live, and it lets you know that something bad is happening. And then I mentioned Objective-See a couple of times; lots of great tools out there. So I wrote a little script. The idea being this: it's never going to replace

osquery, or it's not really meant to, but if you're in an environment where you have a handful of Macs and you don't necessarily want to go through all the trouble of getting a new vendor product approved, or not vendor product, but another product approved to install on them, this is just a bash script, so you can deploy it with SSH, and what it will do is just give you information on users, groups, known persistence mechanisms, just a lot of information, so you can get a baseline of your systems. It's still very alpha; if you go in and look at it, please don't judge me. It's okay, please feel free to add whatever you want. I'm

not very good at code, but I do make stuff that works occasionally. So go check that out if you would like, and that's me. So, any questions? Yes sir. I'm sure, yeah, they'll be out there somewhere for sure, absolutely. And you can come get a prize since you asked a question. Yeah, absolutely. Any other questions? Hint hint, guy with the glasses. So there probably are; iOS is not really my forte specifically. I know that when I mentioned EggShell as an attacker's tool, that absolutely works for both macOS and iOS, so from a defender standpoint I'm sure there's more stuff out there than I'm aware of, but EggShell can do a

lot of damage on iOS. And you also, sir, get a prize. Yes ma'am.

geeky NASA over time

It's a very different environment, just down to the most basic levels. Mac shares a lot with BSD, so if you come from a Linux environment there's a lot more crossover, but there's a lot of newness that you have to learn with Mac. So really, luckily I had a lot of Linux, so I just thought of it like a Linux system with better support. So yeah, it's okay in that respect. Yes. Yeah, so some more than others; the discovery ones are the ones we see most commonly.
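The detection ideas scattered through the talk (osascript command lines mentioning System Preferences or "password", osascript running "do script"/"do shell script", security with find-internet-password or dump-keychain, launchctl submit, stroke called from a shell, system_profiler enumeration, a process other than security touching keychain database files, and writes to /Library/StartupItems) collected into one small rule set. This is an added example written for this page, not the speaker's bash script or any Red Canary tooling. The event records are constructed, the field names (kind, process, cmdline, path) are an assumption about a hypothetical process/file telemetry feed, and the rule names and severities are our own labels.

```python
"""Toy detections for the macOS living-off-the-land TTPs covered in the talk,
run over a few constructed process and file events (not telemetry from any real host)."""

# Constructed sample events. "kind" is "exec" for a process start (with the full
# command line) and "file" for a file open/modify (with the path touched).
SAMPLE_EVENTS = [
    {"kind": "exec", "process": "osascript",
     "cmdline": "osascript -e 'tell application \"System Preferences\" to display dialog "
                "\"Enter your password to install updates\" default answer \"\" with hidden answer'"},
    {"kind": "exec", "process": "osascript",
     "cmdline": "osascript -e 'tell application \"Terminal\" to do script \"ssh alice@10.0.0.5\"'"},
    {"kind": "exec", "process": "security", "cmdline": "security find-internet-password -ga alice"},
    {"kind": "exec", "process": "security", "cmdline": "security dump-keychain -d login.keychain"},
    {"kind": "exec", "process": "security", "cmdline": "security list-keychains"},  # benign
    {"kind": "exec", "process": "launchctl",
     "cmdline": "launchctl submit -l updater -- /usr/bin/python /tmp/u.py"},
    {"kind": "exec", "process": "stroke", "cmdline": "stroke 10.0.0.5 1 1024"},
    {"kind": "exec", "process": "system_profiler", "cmdline": "system_profiler SPApplicationsDataType"},
    {"kind": "exec", "process": "osascript",
     "cmdline": "osascript /Applications/Backup.app/Contents/Resources/notify.scpt"},  # benign
    {"kind": "file", "process": "cp", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"kind": "file", "process": "security", "path": "/Users/alice/Library/Keychains/login.keychain-db"},  # benign
    {"kind": "file", "process": "bash", "path": "/Library/StartupItems/Updater/Updater"},
]


def _cmd(event):
    return event.get("cmdline", "").lower()


def _is_exec(event, name):
    return event["kind"] == "exec" and event["process"] == name


# (rule name, severity, predicate). Names and severities are our own labels, not from the talk.
RULES = [
    # AppleScript prompting the user for a password via System Preferences (credential access)
    ("osascript_password_prompt", "high",
     lambda e: _is_exec(e, "osascript") and ("system preferences" in _cmd(e) or "password" in _cmd(e))),
    # AppleScript handing off to a terminal or another interpreter (execution / lateral movement)
    ("osascript_runs_script", "medium",
     lambda e: _is_exec(e, "osascript") and ("do shell script" in _cmd(e) or "do script" in _cmd(e))),
    # Keychain read or dump through the security CLI; the two switches the talk calls out
    ("keychain_query_or_dump", "high",
     lambda e: _is_exec(e, "security")
     and any(s in _cmd(e) for s in ("find-internet-password", "dump-keychain"))),
    # launchctl submit: a job launchd restarts whenever it exits (persistence)
    ("launchctl_submit_job", "medium",
     lambda e: _is_exec(e, "launchctl") and " submit" in _cmd(e)),
    # Network Utility's port scanner invoked directly from a shell (discovery)
    ("stroke_port_scan_from_cli", "medium", lambda e: _is_exec(e, "stroke")),
    # system_profiler host enumeration (discovery; low on its own, useful in context)
    ("system_profiler_discovery", "low", lambda e: _is_exec(e, "system_profiler")),
    # A process other than security reading or modifying keychain databases (keychain theft)
    ("keychain_file_touched_by_other_process", "high",
     lambda e: e["kind"] == "file" and "/Library/Keychains/" in e["path"] and e["process"] != "security"),
    # Anything written to the deprecated but still-honored StartupItems folder (persistence)
    ("startup_items_write", "high",
     lambda e: e["kind"] == "file" and e["path"].startswith("/Library/StartupItems/")),
]


def run_detections(events):
    """Return one (rule, severity, process, detail) tuple per rule that matches an event."""
    hits = []
    for event in events:
        detail = event.get("cmdline") or event.get("path")
        for name, severity, predicate in RULES:
            if predicate(event):
                hits.append((name, severity, event["process"], detail))
    return hits


def summarize(hits):
    """Count hits per severity, the shape a triage view would show first."""
    counts = {}
    for _, severity, _, _ in hits:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for name, severity, process, detail in found:
        print(f"[{severity:>6}] {name:<40} {process:<16} {detail}")
    print(summarize(found))
```

Run as-is it flags nine of the twelve constructed events and leaves the three benign ones (a plain `security list-keychains`, an osascript call with no password or shell hand-off, and `security` itself opening the keychain file) alone. The two rules the talk expects to be noisy in a Mac-heavy environment, bare osascript execution and the `security` process itself, are deliberately not rules here; only the narrower command-line and file-access patterns the speaker describes as rarely legitimate are.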