By Adam Chester in Red Team Adversarial Attack Simulation

Since joining the TrustedSec AETR team, I have been spending a bit of time looking at tradecraft for MacOS environments, which, unfortunately for us attackers, are getting tougher to attack compared to their Windows peers. With privacy protection, sandboxing, and endless entitlement dependencies, operating via an implant on a MacOS-powered device can be a minefield.

Process injection is one example of the post-exploitation kill chain that Apple has put considerable effort into locking down. Historically, we used to be able to call task_for_pid on a target process, retrieve its Mach port, and begin the mach_vm_ dance to allocate and read/write memory. Fast-forward to today, and these APIs have been heavily restricted, with only the root user permitted to call these functions. That is, of course, as long as the binary is not using the hardened runtime and the target is not an Apple signed binary, which are both exempt from even the root user peering into their memory.

In this post, we are going to take a look at a couple of interesting methods of leveraging third-party technologies to achieve our code injection goals. For us, this translates to running code in the context of a target application without having to resort to disabling System Integrity Protection (SIP).

Note: Both of the techniques shown in this post are not specific to MacOS.