
How to use the PoisonApple tool

2025-02-24 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/03 Report--

This article explains how to use the PoisonApple tool. The explanation is simple and clear and easy to follow; please work through it with the editor to learn how PoisonApple is used.

PoisonApple

PoisonApple is a persistence tool for macOS. It is a command-line tool that helps researchers test and implement a range of persistence mechanism techniques on macOS systems. Its main purpose is to help researchers simulate and analyze cyber threats; please do not use it for malicious purposes.

Points to note

PoisonApple makes configuration changes to your macOS system, so we recommend installing and running it inside a virtual machine. Any persistence mechanism implemented by the tool can be removed again with the -r parameter.

Note: this tool will trigger alerts from common antivirus software, EDR and other macOS security products.

Tool installation

Because the tool is written in Python, researchers first need a working Python environment on the local device and can then run the following command to install PoisonApple:

$ pip3 install poisonapple --user

Note: PoisonApple was developed and tested on Python 3.9, so we recommend that researchers use Python 3.6 or later.

Tool use

Researchers can view the tool's help with the --help option:

$ poisonapple --help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

Command-line tool to perform various persistence mechanism techniques on macOS.

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            list all available persistence mechanism techniques
  -t TECHNIQUE, --technique TECHNIQUE
                        the persistence mechanism technique to use
  -n NAME, --name NAME  the name of the file or label used by the persistence technique
  -c COMMAND, --command COMMAND
                        the command executed by the persistence technique
  -r, --remove          remove the persistence mechanism

List all available persistence mechanism techniques:

$ poisonapple --list
(ASCII-art banner, v0.2.1)
  AtJob
  Bashrc
  Cron
  CronRoot
  Emond
  LaunchAgent
  LaunchAgentUser
  LaunchDaemon
  LoginHook
  LoginHookUser
  LoginItem
  LogoutHook
  LogoutHookUser
  Periodic
  Reopen
  Zshrc

Apply a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing
(ASCII-art banner, v0.2.1)
[+] Success! | The persistence mechanism action was successful: LaunchAgentUser

If the -c option is not given, the tool uses a default trigger command that appends a line to a file on the desktop each time the persistence mechanism fires:

$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:15 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021

Remove a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing -r
...

Use a custom command:

$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
...

That concludes the overview of how to use the PoisonApple tool; the specific behaviour of each technique should still be verified in practice.
