Red Teaming macOS Environments with Hermes the Swift Messenger

alrighty we're ready to get started our next talk is red teaming mac os environments with hermes the swift messenger our speaker is justin oh sorry our speaker is justin bowie uh justin bowie is a red teamer at zoom and was previously a red teamer red team consultant at spectreops he's passionate about all things security and helping organizations improve their security posture all right take it away cool all right uh cool that's working all right just reset my timer all right hello everybody my name is justin bowie and today i'll be talking about red teaming mac os environments with hermes the swift messenger so small introduction on who i am like i said my name is justin bowie i go by the

handle of at slydog you can find me using that handle on things like twitter github or medium i'm currently a red tumor at zoom where i lead red team operations purple team assessments and perform research and development prior to zoom i was a red team consultant at spectre ops basically doing red team work there and then also teaching the red team operations training it should go without saying but views and research represented are all my own when i'm not messing with computers i'm usually out skateboarding with friends and trying to learn a new trick so here's a quick summary of what we'll be talking about today first we'll talk about the swift programming language how

it works and examples of post-exploitation tooling next we'll introduce the mythic framework we'll talk about how it can be used in red team operations after we'll discuss the hermes payload and how how it hooks into the mythic framework we'll dive into development of the agent as well as functionality and lastly to round things out we'll look into apple's endpoint security framework or esf and how it can be used to detect different ttps implemented within hermes so in this first section we'll be talking about everything swift what is swift pros and cons is a post exploitation language and some examples of current swift tooling swift is a high-level programming language that was developed by apple swift 1.0 was released in 2014 and

initially only supported mac os as of swift 5.3 cross-platform support was enabled for mac os windows as well as linux swift was designed to be safer faster and more optimized than its predecessor objective-c swift leverages the objective-c runtime library under the hood and this is particularly great for attackers because within a single swift program we can call c c plus and objective c code so if we need lower level functionality we can access it through these bridging headers i'll mostly be talking about swift for mac os but you can also write ios and tv os applications for swift or ios and tbos malware for swift so let's go through an example of compiling executing swift

if you take a look at the image you'll see that we have b-sides sf.swift and the contents of that file are just a simple print statement saying hello b-sides sf now what happens if we pass this source code file to the swift binary so here we run swift b-sides sf.swift the swift binary is going to compile and execute this code in memory and so you'll see that we're presented with hello b-sides sf to the terminal alternatively if we want to compile this code into an executable format we can use the swift compiler or the swift c binary using the swift c binary we can compile it and then if we pass in the tac o flag

we can specify the output file name and so in this case it's going to be a b size sf and it's going to be a micro binary we're going to flip the executable bit on that using chmod and then kick it off on the terminal using dot slash b-sides sf and you see again we're presented with hello b-sides sf to the terminal alternatively swift can be compiled using xcode which will basically call swift the swift compiler under the hood it should be noted that the swift compiler is not installed by default so if you attempt to call swift or the swift compiler when it's not installed the user is going to be prompted to install command

line tools and this could blow your red team operation the compiler is not installed the swift libraries are installed as of mac os mojave 10.14.4 these are runtime support libraries that exist on modern versions of mac os since they exist on disk swift applications no longer need to package them within them so the binary the size of the binary is smaller as a result of this and so this is another plus for attackers here are some different languages for mac os post exploitation notably i'm missing languages such as c c plus objective c and rust i list out some pros and cons but these are all fairly high level so definitely take them with a grain of salt i kind of

pick and chose the ones that made the most sense to me the first language i want to talk about is jxa or javascript for automation jake say with jxa you can leverage it using a lull bin for execution a lullabin is a living off the land binary so a native binary on disk that you can use to execute code perform malicious actions post-exploitation things like that in this case that binary is osa script additionally with the jxa language if you couldn't do something in pure jxa you could likely do it using objective-c jxa exposes an objective-c bridge which allows you to call objective-c api calls and so anything you can do in jxa you could probably do an objective-c

some notable cons for jxa are that it's single threaded so if you're trying to run something like multi-threaded or run multiple jobs concurrently with jxa that wouldn't really be possible perhaps the biggest con of all is that development of the jxa language has been completely abandoned by the apple team it's pretty much like this no man's land language currently exists we don't know how long it'll exist for but abuse it while you can some examples of jxa tooling include apfel a jxa agent for the mythic framework swift belt jxa some situational awareness for mac os written in jxa and persistent jxa a collection of mac os persistence techniques written in jxa the next language i want to talk about

is python python also leverages a lull bin for execution in the form of python and python 3. some notable cons for python are that apple has publicly stated that scripting languages are going to be deprecated and removed in future versions of mac os and they specifically called out python in this case another con for python is that it's a bit more heavily signatured by mac os defensive products such as xprotect and malware removal tool and this is because python has traditionally been used in mac os malware and macos intrusions and so some of those rats have been signatured some examples of python tooling include medusa a python agent for the mythic framework empire a command control

server this command control server had a mac os agent also written in python and then chain breaker a script that you can interact with the mac os keychain from python the last language i will talk about is golang now golang is a fantastic language you can write something once and then cross compile it to many different operating systems so like windows linux mac os you can also very easily integrate objective c c and c plus plus code so you can very easily integrate and interact with all the different mac os apis one of the notable cons for golang is generally the binaries that you compile are a bit larger in size and some examples of goling post

exploitation tooling include poseidon the golden agent for the mythic framework and sliver a command and control server and agent uh written in golang so you might ask the question why would you use swift for post exploitation well one swift like most modern day languages has the ability to perform multi-threading so you can run multiple jobs concurrently additionally with swift you have very easy access to all the different mac os apis so coco foundation app kit osha kit all very easy to use and integrate with in my opinion swift is easier to develop than objective c and jxa and i think this has to do with the fact that it's the kind of the modern day language

being pushed by apple so there's lots of documentation examples on google stack overflow apple forums things like that now while swift is a higher level language that allows for rapid development we also have the ability to call lower level languages and apis so you can call c c plus plus and objective c using uh these bridging headers that i talked about so when we need that lower level functionality we can we can utilize it lastly an app whitelisting bypass or a living off the lan binary situation exists when the swift compiler is installed you can use the swift binary to execute code unfortunately the swift compiler is not installed by default and so we often have to resort to

dropping unsound binaries to disk which may be maybe a bit harder than landing a python script or a jxa script and then kicking that off with osuscript or python here are a couple different examples of swift tooling for mac os uh we have swift belt this is a variety of safety checks for situational awareness we have max shell swift this is like a swift command control server swift attack think of this kind of like atomic red teaming for mac os swift spy a key keylogger clipboard monitor and screenshotter swift parse tcc a tcc database parser and then some defensive products venator swift this is a data gathering agent to aid hunting on mac os and lastly there's crescendo a real-time

event viewer that hooks into apple's endpoint security framework notably in the final section this presentation will be using crescendo to detect different ttps within hermes so in this section we're going to be talking about the mythic framework we're going to dive into what mythic is how it can be used in red teams its architecture and then current mythic implants targeting mac os from the github this is a pretty good summary of mythic mythic is a cross-platform post-exploit red teaming framework built with python 3 docker docker compose and web browser ui it's designed to provide a collaborative and user-friendly interface for operators managers and reporting throughout red teaming in a nutshell mythic is a command control server that has lots of neat

features like a web ui user access control and reporting it does a really good job of centralizing all actions performed during a red team operation it's open source at github.com it's a feature mythic and there's documentation for developers and users at docs.mythicc2.net mythic is an extremely modular and customizable framework it allows the implant developer full control over how their implant interacts with the mythic framework it does this by using docker to separate out all of its different components the primary mythic server the database the payloads the c2 containers the documentation containers are all separated out into different docker containers perhaps my favorite feature of all is that operators can simply connect to mythic using a web browser there's no

need to install some sort of heavyweight client application just to connect to your c2 server so technically you could own things from your phone and just manage it all from your mobile device let's take a look at how traffic flows uh in mythic uh in this example we're gonna go through uh what happens when me as an operator execute an ls command on the home directory and how that gets executed on the implant and then how that information travels back to us so in the left corner you'll see the operator's browser here's where the operator interacts with mythic so here we're going to use we're going to execute the ls command on the user's home directory

the mythic server is going to receive that command and then pass that command and arguments to the payload container in the top right that payload container is responsible for pre-processing of the command and arguments so it's going to clean up things like spaces it's going to make sure that that command arguments by the time it reaches the implant the implant doesn't have to do any additional work and so this saves the amount of kind of code that you have to write in your implant once that commanded arguments have been cleaned up those are stored on the mythic server now if you look at the bottom right we have the agent calling back this is the

computer that we've compromised this agent calling back is going to send an http request to the http c2 container the http c2 container is going to parse the agent message from the http request and then pass that agent message to the mythic server the mythic server is going to respond with the command in arguments so it's going to respond with that ls command on the user's home directory once the agent receives that command it's going to execute that ls on the user's home directory and then pass that um the data that it gets back to the mythic server so all of the files and folders on the home directory the names size etc are being passed to the mythic

server once the mythic server receives that information it renders that in the operator's browser and that's kind of how end to end an operator issues a command it gets cleaned up gets sent down to the myth to get sent down to the agent and then the output is rendered in the operator's browser now let's talk about existing mythic payloads that can be used to target mac os it should be noted uh that the following payloads all use the objective-c api calls to interact with macos the first one i want to talk about is the app file agent appfel is the jxa agent for the mythic framework apple is great for initial access because it supports a download

cradle where you can download and execute jxa in memory using that osuscript binary if you come from a windows background think of this like a powershell one-liner you can pull down a malicious powershell script and execute it in memory this is the same thing on mac os the next one i'll talk about is poseidon poseidon's the goaling agent for the mythic framework poseidon is a bit larger in size but more fully featured it includes things like socks procsing as well as multi-threading so you can proxy in your own tools if you need to this makes it great for a second stage payload after you've gotten initial access with something like apple the last one i want to talk about is

medusa the python agent medusa also leverages a lull bin for execution in the form of python and python 3. one particular cool thing about medusa is you can send down a small medusa agent with only the load command and then you can load all of your agent modules on the fly so you can send down this very small payload and then load in all of your agent modules later on and this makes it a bit harder to fingerprint another neat feature is you can run third-party python scripts as well as execute python code dynamically all in memory this is really just a brief summary of all these payloads and i'm really not doing them any justice so i

highly recommend you go out and try them for yourselves as you may have guessed hermes is a swift payload for the mythic framework in this section i'll be going over the development of hermes and in a follow-up section we'll dive into functionality so what is hermes hermes is a mythic payload targeting mac os written in swift 5. it's been tested on big sur as well as monterey and hermes implements an encrypted key exchange for secure communications and what this means is that each implant goes through this key exchange to securely generate a unique session key to encrypt all future agent traffic hermes includes various post exploitation modules that include situational awareness upload download execution as well as job control

before i dive into hermes development i want to talk about my motivation for writing hermes i find that writing implants is a straightforward and fun way to learn operating system internals as well as pick up a new programming language you can start small and write things like ls print working directory who am i and then eventually move on to implement more complex things such as encryption command and control over http requests and a job control manager previously i'd written the command control server and agent called skate rat and skatepark skate route was the implant portion and skatepark was the server side and i quickly realized that i hated writing the server component and i hated writing

the front end component with mythic i only had to write the part that interested me the implant side and so like i highly encourage if you want to dive into mythic like definitely doing retro and implant i want to start off by saying that cross compiling for mac os is a pain my goal was to compile swift code to a maco executable from a linux container and the reason for this is that since mythic uses containers under the hood i wanted to make it as easy as possible for an end user to download mythic download hermes and then compile a payload from directly from mythic without any form of external build systems the first project i took a look at was

osx cross poseidon uses osx cross to cross-compile goling to mac os but unfortunately a quick look at the readme i found that it doesn't support swift so this wouldn't be the answer for me the next project i looked at was docker osx this seemingly was the answer to my problems unfortunately docker os x needs to be run on a macos host whereas most c2 servers traditionally run on linux servers the last solution i looked at was aws pipeline and github actions i looked at the free tier and didn't really like that there was an upper limit on how much you could compile i really wanted a free solution that kept the payload config under end user

control and what i mean by that is within hermes there's a file that determines that defines various secrets such as encryption keys c2 callback domains ports and other agent-specific secrets i wanted to keep that information out of third-party control if possible after a bit of searching i discovered the answer to all of my problems darling darling is a mac os emulation layer for linux it's free and open source and if you're not familiar with wine wine lets you run windows software on a linux host darling does the exact same thing but for mac os software you could install software such as xcode command line tools etc and you could also compile and run programs compiling programs is really all i

needed it for so let's walk through an example of that here's an example of cross compilation with darling first we run the u name command to show that we're on a linux host then we drop into a darling shell using darling shell and then we run the u name command again and it returns the darwin so we're on this kind of mac os emulated layer at this point so now let's go through that process of compiling swift code so again we have b-sides sf.swift it just says print hello b-sides sf-2022 we're going to compile that using the swift compiler so swift c and then we'll be output the b sides sf executable we're going to flip the executable bit

on that using chmod and then we're going to kick that off with dot slash b sides sf and you'll see that we're presented with hello besides sf 2022 so at this point we're able to compile swift code to a mocko executable from a linux server in the previous example i was testing darling on a linux server my next goal was to get darling working with docker since mythic uses docker for everything under the hood and there are a couple tricks i had to do to get darling and docker to cooperate nicely first the darling linux kernel module must be installed on the host and loaded prior to the container start and the reason for this is that the

darling kernel module is the core to darling it allows for features that would be otherwise difficult or impossible to do purely from user land next the container must be run in privileged mode and this will basically allow the container to access the underlying driver on the host with these tricks swift code could be compiled within with a docker container on a linux host previously your first hermes build took about 10 minutes because i had to install command line tools manually every time the container started i did a little bit of extra work and was able to pre-install it within the container so now you can build payloads within a minute you can download mythic install hermes and then you'll have a

payload running within a minute cross compilation was honestly one of the hardest parts of this project once that was out of the way it was just writing swift code in this section i'll dive into hermes functionality and some of the code behind it as i mentioned earlier hermes implements an encrypted key exchange for secure communications each implant goes through a process that securely generates a unique session key to encrypt all future agent messages if that session key is compromised for whatever reason other implants are not affected the encrypted key exchange grants us what's called forward secrecy and this means that even if long-term secrets are compromised such as a pre-shared key the negotiated session keys will not be compromised

let's kind of walk through what this process looks like so starting from the top mythic and hermes start with a pre-shared key when you first execute hermes it's going to generate an rsa key pair in memory so an rsa public key and an rsa private key it's going to use that pre-shared key encrypt the rsa public key and send that up to the mythic server the mythic server of course has the pre-shared key so is able to decrypt that rsa public key mythic will then generate an aes session key it encrypts this aes session key with that rsa public key that was received from hermes hermes of course has the corresponding rsa private key and is able to decrypt

that aes session key and so now hermes has the ais session key generated by mythic hermes will then gather various basic system information such as networking information process lists username process id things like that encrypt all that system information with the aes session key and send that up to the mythic server mythic will confirm this check-in as a new callback and then send back down an encrypted acknowledged message once hermes receives this encrypted acknowledged message hermes will begin beginning so once hermes is beaconing let's talk about what happens when an operator issues a command to hermes every command and parameter issued on the mythic side turn into a hermes job each job is executed in a separate

thread and then when we create this thread we track the thread id so that we can kill the job at any time so any rogue jobs or long-running jobs that we don't want to run anymore we can easily kill those since since each job runs in a separate thread hermes supports long-running jobs and jobs that don't return output immediately if you look at the image on the right side you'll see the jobs command will return all the current jobs with their command and the parameters you have job control using the job kill command so you can kill any jobs that you don't want running anymore using job kill and just specify the job id hermes has the ability to download files

from the target and upload files to the target this is performed in 512 kilobyte chunks and occur within normal command control traffic the url request structure defines the http method the headers the url and the path the url session class is what is responsible for making the actual web request for upload the operator wants to upload a file to the target in this case mythic is going to take the file size of the file you want to upload determine how many chunks it will take to send down to the target and then start sending portions of that file down to target hermes will incrementally create this file on target so when it receives chunk one it's gonna

first create the file when it receives chunk two it'll just keep adding data to this file and so the benefit of this is that the entire file is never stored in implant memory all at once so theoretically you could upload arbitrarily large files to the target download works the inverse to upload for download we want to download a file from the target and transfer it to our command control server in that case hermes is going to take the file size and determining how many chunks it'll take to send it up to the mythic server hermes will then start reading chunks of that file and sending them up to the mythic server once mythic receives all the chunks the

file is recreated on the server and made readily available for the operator to download upload and download can also be performed from mythic's file browser which i'll also be showing in a later slide of course as uh with any implant you have to be able to interact with the file system hermes implements all of this using the file manager class so you have all of your classic file commands such as change directory list contents of a directory print working directory making new directories moving or copying files or directories and then also removing files or directories you can also perform file listings and file removals from the file browser which i'll show so here's an example of running the ls

command on the user's home directory you see the various data that's returned includes the size of the filer folder the name of the file folder the owner the group the posix permissions and then on the left side you'll see an actions button if you click the actions button you can issue further hermes commands such as downloading that file or removing that file additionally you can view extended attributes such as com.apple.quarantine from that view so here's what the file browser looks like on the left side you see the various host names of hosts that have been compromised if you expand the host names you'll see all the files and folders that have already been enumerated as denoted by

the green check mark the file browser is a nice way to to kind of move around the operating system as you click through folders you can issue further ls commands and kind of enumerate those contents you can even upload files directly to the folder from this view on the right side you have a bit more information about the file you have the file the size when it was last modified things like that if you click the actions button in that view you can do things such as issue further ls commands download the file or even delete the file one of my favorite features of mythic's file browser is you can actually add a comment and so if you discover a file with

important credentials or you know this file is important for whatever reason you can make a comment and so that when your team is browsing to this particular directory they'll see your comment and kind of just like all that information is kind of all readily available and shared so what would an agent be if you couldn't execute things on the target hermes implements this in two different ways one using the run command the run command will execute a binary on disk with arguments and it does this by using the process class to execute the binary and then the pipe class to capture any output if you look at the image on the right we're running the ifconfig binary so

just printing out network information and then passing in the en9 network interface and you can see that that output is returned properly next hermes has the shell command to basically execute a bash command with bin bash tax c this works extremely similar to the run command but instead of passing in a particular binary the binary we're passing in is bin bash and then the arguments are tax c and then whatever the operator wants to execute with the shell command this is particularly useful if you need input and output redirection so if you look at the example on the right we have shell ls applications and then we're able to pipe that output to grep slack and then we return it with

slack.app so here's kind of how the shell command works under the hood uh first we have that process object and that pipe object and then you set that you set up that process object by setting the executable url in this case we're kicking off bin bash and then for the arguments we're passing in taxi and then all of the arguments that the user or the operator wants to execute using the shell command we redirect standard output to our output pipe and then we run that process once that process is run the last command is what actually reads the data from the pipe and then we take that data and send it back up to the command and

control server so binary and process execution is cool and all but what's even cooler is executing jxa or javascript for automation in memory this is achieved using the osa script class osa or osa and ososcript stands for open scripting architecture this includes languages such as jxa and applescript you can execute both of these languages in memory hermes implements this three different ways one is with the jxa command the jxa command will basically execute any arbitrary jxa and so if you look at the image i pass in math.pi and it returns a couple digits of pi more interestingly is the jx8 import command you can use the jxa import command to load jxa scripts into memory

and this works very similar to the upload command that we went over earlier except instead of writing out the script to the target we store it with an implant memory for for later use once that script is stored within implant memory we can call various functionality within it using jxa call this way using jxa import in jxa call you can load up lots of third-party tooling and so if you look at the image on the right i'm loading up health inspector which is a kind of jxa tool into memory and then we're calling the all checks function and lots of mac os post exploitation tooling is written in jxa so this is very handy to have

hermes has a few different ways to enumerate and interact with running processes using the ps command you can gather a list of running processes by parsing the k info proc struct from the assist control routine this will return all bsd processes including linux daemons next we have the list apps command oh this image totally got messed up sorry i don't know when that happened uh next we have the list apps command and that will return all applications running within carbon cocoa or classic environments and so this is basically all applications that you see in your dock things like slack zoom things like that what got covered up here was the last command which is kill

for kill if you pass in a process id it'll basically kill that process using the kill system call in the image below you can see an example of the list apps output you can see that we have the name the bundle the size things like that if you click actions you can see additional information such as the full path to the binary additionally there's a browser script that exists that will highlight the front-most application so if the user is currently using zoom or slack that will be highlighted and presented to you and that kind of gives you additional context on what the end user is doing on their day-to-day basis so here's how the process browser looks

like in mythic on the left side you have the process tree with most things as a child of launch d on the right side you have a bit more detail on the different running processes you have things like process id parent process id architecture process name and process owner if you click actions on that right view you can do things such as kill the process as well an interesting feature that i haven't shown here is that you can actually issue a new process listing from this view and you can actually diff between the old and new process listing to see old processes that have died and new processes that have started over time and this just gives you additional

context on um yeah like what the operating system is doing over time so hermes also has the ability to take screenshots of what the end user is doing it should be noted that this requires the screen recording permission within tcc if you do not have this permission the user may be prompted to allow your application permission and this can potentially blow your operation or if they have denied it in the past you will get you will get a screenshot back but it's going to be an empty desktop with no applications and no windows not very useful screenshot works using the core graphics api it does this by performing a screen capture of all the different displays

first you call cg get active display list this will return the number of active displays so if you have a laptop that'll be one if you have a laptop and monitor there'll be two so on and so forth you pass in this number to cg get active display list again this will return a list of active displays that you can actually iterate through once you have that list of active displays you can loop through those displays and grab an image with cg display create image these images are sent up to the mythic command control server in normal c2 traffic and then they're displayed to the operator screenshot is great because you can gather additional context on what the

user might be doing on a day-to-day basis hermes also has a clipboard monitor to perform clipboard also has a clipboard command to perform clipboard monitoring and this works by monitoring the change count property within the nspaceboard class if that number increases we know that clipboard ownership has changed and that something new has been copied to the clipboard and to retrieve it unfortunately there's no clipboard event that we can kind of listen for so we have to resort to this very primitive polling it should be noted that root does not have access to the general pasteboard and so if you've landed in a privileged context you actually don't have the ability to access the system clipboard

clipboard monitoring is particularly great for things like password managers because if people are copying pasting passwords from the password managers you can easily nab them using this it can net your credentials or just give you more context on what the end user is copying so like maybe they're copying internal links things like that hermes has lots of built-in situational awareness commands and safety checks for macos most of these safety checks are inspired by cedric owens awesome research so definitely check him out if you get the chance i've linked a lot of his work in the references the first one i want to talk about is get execution context this will read various environment variables to

determine your execution context and so reading environment variables we're able to determine if we're running in a terminal context if we were kicked off from an application bundle or an installer package the next situational awareness check i want to talk about is fda check or full disk access check this will check if our current process has full disk access permissions and there are two methods of doing this the first is using the md query api the md query api can be used to determine if the tcc database exists within the spotlight database basically if spotlight has if spotlight has indexed the tccdb then we know we have full disk access permissions the second method is the file handle method in this case

hermes will attempt to open up a file handle to the user's tcc database if that file handle is returned properly that means we have full disk access permissions if it does not then we do not the next thing i want to talk about is tcc folder checker this uses the md query apis to check for access to tcc protected folders such as desktop documents and downloads very similarly to the fda check if we identify the desktop documents and downloads folder within the within that mdquery api then that means we have access to those tcc protected folders the last kind of check we have is the accessibility check this uses the ax is process trusted to

check for accessibility permissions big shout out to dazzle spy malware which kind of introduced me to this technique and my co-worker chris ross who basically reverse engineered that malware and identified the safety check and so i was able to add it to hermes and the last thing is being able to enumerate the tcc database you can do this using list tcc a list tcc will list out all the entries in a specified tcc database this requires full disk access permissions to read from that sqlite database the tcc database schema changes over time and so this command currently supports big sur and above so big sur and monterey here i want to talk about how hermes can

enumerate p-list files if you come from a windows background p-list files on mac os are very similar to the windows registry they serve as configuration files for applications as well as parts of the operating system they can be of the format xml json or binary using the property list serialization class we're able to parse any type of plist in the image below i show the universal access auth warning plist and this is a particularly interesting p-list because it shows us any application that has caused a prompt before and so this may give us insight into what applications are used by the user that may have triggered a tcc prompt and potentially have interesting tcc permissions and this this is a method of

potentially enumerating tcc permissions without triggering any prompts hermes has the ability to enumerate and interact with with all the environment variables you can list out environment variables using the env command and this how this works is by reading the environment field within the process info class you can also set and unset environment variables using set end and unset end these just use the darwin standard library it should be noted that if you try to set an environment variable that currently exists you will overwrite it so just something to be careful of in this last section i want to talk about how we can detect some of the different ttps we went over within hermes using apple's endpoint security

framework here we're going to talk about apple's endpoint security framework if you're familiar with windows think of event tracing for windows as of big sur apple pushed all third-party developers out of the kernel and so this included security products and so this puts security products and security researchers on the same playing field we had access to the same data using esf you can hook into various events such as process events file events as well as memory events there are several free and open source tools that leverage apple's esf some of them include atmon by exoria crescendo by super hacker steve and file and process monitor by patrick wardle we'll be using crescendo as well as file

monitor to kind of identify malicious activity so here's an example of how we can detect shell commands with hermes so on the left side we're running shell ls tac lih from the mythic server on the on the endpoint side we see that a process process exec event fires within crescendo you have various information such as the timestamp that occurred the arguments that occurred the process that performed the process exec the username process id parent process id things like that that can age your investigation and so this is one way of kind of detecting shell commands run through an implant so before i talk about how we can detect launch agents i just want to give a

quick primer on what launch agents are on macos launch agents are a background process that launches whenever a user logs in think of this like the startup folder on windows launch agents are defined with a property list file or a plist file in the following locations library launch agents uh users username library launch agents and system library launch agents the third one is protected by sip or system integrity protection so it's less of a concern most of the time an attacker won't be able to write to that file or that directory sorry launch agents are great because the attackers can utilize this for persistence so this is an example of what a malicious launch agent might look like

this is in the form of xml you'll see that there's this program arguments key and then the program arguments key has the value slash temp hermes so if we place this plist file into one of those directories from the previous slide every time the user logs in the program slash temp hermes will be executed so how can we potentially detect this so on the left side we're uploading a malicious launch agent to target we're uploading that com.hermes.plist to one of the launch agent directories on the right side this file um file create event occurs within crescendo the file create event um tracks information such as the process that performed the file create the time stamp

process id parent process id and that various information and so if we kind of did if we kind of look for file creation events within these directories we can potentially detect any launch agents that are created now here i want to go over how we can detect the fda check command or the full disk access check command um on the left side we're running the fda check command with the file handle with the file handle technique and remember the file handle technique opens up a file handle to the user's tcc database on the right side we use file monitor to detect this activity basically this es event type notify open event occurs every time file handles are

opened so if we look for these file handles being opened we can potentially detect this type of post exploitation it records various information such as the proc the process that performed that file handle open the time stamp and various information like that that pretty much wraps up the defensive portion i just want to go last slide is kind of just how to install hermes if you want to go out and sell hermes first you'll have to install mythic mythic is the command control server from github on ubuntu 20.10 you're going to install the darling kernel module which is how we perform that cross compilation from github as well and then you're going to load up that kernel module

using modprobe darling-mock once that kernel module is loaded you can install hermes from github using the mythic cli and this is included in the mythic repo and then from the mythic cli you can also start up the payload container and if all goes well in your mythic instance you'll be able to go to the payload section and see hermes with a little green kind of box or circle showing that the docker container is up and running successfully here are kind of some various references that i refer to in my presentation um give it a time for people to screenshot or whatever and that's pretty much it uh i just want to give a big shout out to uh cody

thomas or the developer of mythic it's a feature who helped me endlessly when i ran into bugs during development on the agent side as well as the server side big thanks to my old co-worker brian for the awesome tony hawk pro skater 2 photoshop that i basically use everywhere thank you besides sf for allowing me to share my work and then thank you for coming and listening really appreciate your time [Applause] [Music] all right we have a bunch of time for questions so if you have any questions raise your hand or you can submit on slido.com besides sf2022 any questions out there question in the back

yeah so um the current kind of c2 traffic that hermes implements is all using http or issued ps traffic and so depending on how the attacker masks that traffic potentially using domain fronting or like cooking legitimate domains um it would look like that i guess potentially you could detect anomalies if you have um really good network data on like this domain has never been reached out to before uh et cetera et cetera and potentially like catch those anomalies

yeah that's a great question oftentimes these detections can be more difficult to scale up because these events are happening uh very frequently you'll have to combine the file create events with other kind of detection logic to really nail in on this activity thank you any other questions sure

that's a great question i call it a tre flip i love it nice thank you thanks again everyone