Note: The attack procedure built in this post will not work for every macOS operating system or in every scenario. There are many factors that can block scripts from running at boot time, and you should always test against your target operating system.
- Ok Boomer Mac Os Catalina
- Ok Boomer Mac Os X
- Ok Boomer Mac Os Download
- Mac Os Mojave
- Ok Boomer Mac Os 11
- Ok Boomer Mac Os Download
- Mac Os Download
The MITRE ATT&CK framework is a universally accepted knowledge-base of tactics, techniques and procedures designed to organize and display how adversaries attack real-world assets. Blue teams use ATT&CK to better understand the multitude of new (and old) attacks and map those to their internal tools and systems. Red teams can use ATT&CK as a sort of playbook, using specific “plays” (combinations of TTPs) to try and test their systems, which can be easily communicated to the rest of the security team.
Under this technique, I see a series of sub-techniques, or categories, as denoted with the.000 syntax. Now, while all of these sub-techniques should be considered, my eye is drawn to.002: Logon Script (Mac) because it specifically mentions the operating system Boomer is currently running on. Scanning the description of T1037.002, I read. Jun 11, 2014 - This Pin was discovered by Teresa Carter. Discover (and save!) your own Pins on Pinterest.
Digging into some terminology:
- A tactic is what an attacker hopes to achieve.
- A technique is how an attacker plans to achieve or execute the tactic.
- A procedure is a specific implementation of the technique.
Sound confusing? Let’s walk through an example:
An attacker may execute a Collection tactic to steal data from a computer, picking the Clipboard Data (T1115) technique and executing the Get-Clipboard PowerShell cmdlet as the procedure to complete the action.
ATT&CK helps defenders in a variety of ways:
- It offers a common language to discuss tactics, techniques and procedures.
- It provides a dynamic kill-chain for blue team members to detect and respond.
- It supplies resources related to threat groups and the behaviors they use in the wild.
For those on the offensive side, the ATT&CK matrix offers another quite remarkable benefit: it acts a classification system to design your attacks into distinct kill-chains.
Offensive operators, including those in cyber operations and red teams alike, spend their time crafting exploits, coding implants and researching ways to conduct post-compromise activities without getting caught. In a constant game of cat-and-mouse, an offensive operator needs to remain one step ahead at all times and, therefore, must build (and rebuild) procedures constantly.
In this post, we’ll walk through how an offensive operator uses ATT&CK. We will start with a goal, something to accomplish, and then set out to define it as a tactic, select the best-fitting technique and finally pivot into building a single procedure to use in a live attack.
Step 0: The ATTACK Scenario
I am an offensive operator. Previously, I wrote an excellent Python-based implant that easily drops onto target systems and allows me Remote Code Execution (RCE). When my agent, let’s call it “Boomer,” is installed, it beacons back to my command-and-control (C2) server where I can send it instructions. I now need to devise a new instruction (procedure) to ensure Boomer stays on the infected computer – specifically when the computer reboots.
When a computer reboots, any non-system services and processes will shut down and not reopen when the computer starts back up. This will stop implants like Boomer in their tracks – unless action is taken to ensure they reboot when the computer does.
As a Python agent, I’ve coded Boomer to execute Python code as attacks using the Python 3 interpreter installed by default on my target operating system, macOS.
Some attackers will send instructions directly to the shell interpreter through utilities such as Bash or ZSH, but defenders have improved their detection’s for these over the years. So I’ll need to write my procedure in the Python programming language so it can execute through the interpreter on the infected machine.
Boomer accepts a Python expression – even a large one – and pipes it through the built-in exec() function, which interprets and executes dynamic Python code.
It looks like this:
Step 1: Selecting the tactic
With Boomer deployed remotely and waiting for an instruction, I first have to select my tactic.
With my goal in hand – which is to maintain my foothold on the infected computer – I head to attack.mitre.org to see if any tactics align.
Looking at the Enterprise tactics, I see Reconnaissance, Resource Development, Initial Access, Execution, Persistence…there it is. Persistence sounds exactly like what I’m trying to do!
Clicking into the tactic, I verify my hunch by reading MITRE’s description:
The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Perfect. This is the one. Time to pick a technique.
Step 2: Selecting the technique
Scrolling down the page on the Persistence tactic (https://attack.mitre.org/tactics/TA0003/), I see a variety of rows with a T* prefix. These are the technique identifiers underneath the tactic.
Two in particular catch my eye: T1547 (Boot or Logon Autostart Execution) and T1037 (Boot or Logon Initialization Scripts).
T1547 is described as:
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
And T1037 is:
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on the operating system and whether applied locally or remotely.
Hm. Either could work for me, as they are both designed to relaunch an arbitrary program (like Boomer) after a computer boots up. Because Boomer is a Python script, I figure I can probably hook into the script technique a little easier, so I decide on T1037.
Under this technique, I see a series of sub-techniques, or categories, as denoted with the .000 syntax. Now, while all of these sub-techniques should be considered, my eye is drawn to .002: Logon Script (Mac) because it specifically mentions the operating system Boomer is currently running on.
Scanning the description of T1037.002, I read:
Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.
Perfect. This will do just fine.
Step 3: Researching the options
At this point, I’ve identified the Persistence tactic and technique T1037.002 as my preferred behavior to execute. For any technique, there could be dozens – if not thousands – of variations. This is what makes being a defender so difficult. As the offensive operator, to be successful, I only need to select one variation the defense is blind to, whereas defenders need to catch all of my attacks to beat me.
Picking a variation means hitting the internet for some research.
Let’s start on the ATT&CK website itself. Clicking into the technique itself (https://attack.mitre.org/techniques/T1037/002/), I can see the defense is being trained to detect procedures under this technique in this way:
Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.
Ok, good to know.
Heading to every hacker’s best friend, Google, I type the following:
“macos logon script python”
This leads me to a Stackoverflow post (https://stackoverflow.com/questions/29338066/run-python-script-at-os-x-startup) recommending I create a PLIST file and place it in one of the following locations:
- /System/Library/LaunchAgents
- /System/Library/LaunchDaemons
- /Users/<username>/Library/LaunchAgents
A PLIST file is simply a properties file on macOS computers for specific applications.
This has 12 upvotes and seems to be a well supported answer, so I bookmark the page and move on to the next step: writing the code.
Step 4: Writing the code
Based on my research in the previous step, I need to do two things to build my attack:
- Write a PLIST property file which starts Boomer.
- Place the property file on the correct location on disk.
In my research, it says to put my new PLIST property file in one of three locations on disk. I suppose I can find an example PLIST file there to work off of, so I navigate on my own laptop to those locations and open a few PLIST files.
I find a small example that seems promising: com.jetbrains.toolbox.plist.
Opening this, I see:
It looks like the Label should equal the name of my PLIST file and the Program arguments should be the path to the Python interpreter and script location. I adjust the values to the following, which match my own computer.
Next, I stage the PLIST file on my laptop’s /Users/privateducky/Library/LaunchAgents directory in order to test it out.
I ensure the paths defined in the PLIST are correct. Then, instead of infecting my laptop with a Boomer agent, I drop an ad-hoc Python script called boomer.py into my laptop’s Downloads directory to test with:
Rebooting my laptop, I run a process check to see if my ad-hoc Boomer process is active:
Success!
Step 5: Launching the attack
With a working procedure in hand, I’m ready to send it to my live Boomer agent running on the infected remote computer.
Since I’m planning on using Python’s built-in exec() function, I need to ensure my instruction is a valid Python string.
It looks a little messy, but this one-liner should do the trick (assuming the username of the active user is barry and Boomer is located in the Downloads directory of the remote machine):
With the command ready, I send the procedure (instruction) to Boomer and sit back comfortably, knowing every time the infected machine is rebooted, Boomer will kick back on.
In this post, we learned how to take a goal and convert it into an executable procedure classified by MITRE ATT&CK.
From here, we can continue building procedures to construct an end-to-end mission, or we can save our procedure into an indexed database so we can repeat it in the future. In the latter case, there are several popular online repositories built toward standardizing attack procedures in a repeatable way. There is the Atomic Red Team (https://github.com/redcanaryco/atomic-red-team) project as well as the Community repository (https://github.com/preludeorg/community), both of which index procedures in YML format for reuse in future missions.
Happy building!
About the Author:David Hunt is the CTO of Prelude Research Inc. There, he leads a team supporting a cutting-edge autonomous red team platform. Prior to this work, David built CALDERA, an open-source adversary emulation framework, while working as a Principal Cyber Security Engineer for MITRE. David has spent 15 years working as a security consultant for the U.S. Government, along with full-time roles at major cyber security firms, such as FireEye.
Ok Boomer Mac Os Catalina
Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
macOS Big Sur elevates the most advanced desktop operating system in the world to a new level of power and beauty. Experience Mac to the fullest with a refined new design. Enjoy the biggest Safari update ever. Discover new features for Maps and Messages. Get even more transparency around your privacy.
Chances are, your Mac can run macOS Big Sur
The following models are supported:
- MacBook (2015 or later)
- MacBook Air (2013 or later)
- MacBook Pro (Late 2013 or later)
- Mac mini (2014 or later)
- iMac (2014 or later)
- iMac Pro (2017 or later)
- Mac Pro (2013 or later)
To see which model you have, click the Apple icon in your menu bar and choose About This Mac.
Make sure you’re ready to upgrade.
Before you upgrade, we recommend that you back up your Mac. If your Mac is running OS X Mavericks 10.9 or later, you can upgrade directly to macOS Big Sur. You’ll need the following:
- OS X 10.9 or later
- 4GB of memory
- 35.5GB available storage on macOS Sierra or later*
- Some features require an Apple ID; terms apply.
- Some features require a compatible internet service provider; fees may apply.
Upgrading is free and easy
Upgrading from macOS Catalina 10.15 or Mojave 10.14?
Go to Software Update in System Preferences to find macOS Big Sur. Click Upgrade Now and follow the onscreen instructions.
Upgrading from an older version of macOS?
If you’re running any release from macOS 10.13 to 10.9, you can upgrade to macOS Big Sur from the App Store. If you’re running Mountain Lion 10.8, you will need to upgrade to El Capitan 10.11 first.
If you don’t have broadband access, you can upgrade your Mac at any Apple Store.
- OS X 10.9 or later
- 4GB of memory
- 35.5GB available storage on macOS Sierra or later*
- Some features require an Apple ID; terms apply.
- Some features require a compatible internet service provider; fees may apply.
For details about your Mac model, click the Apple icon at the top left of your screen and choose About This Mac. These Mac models are compatible with macOS Big Sur:
- MacBook (2015 or later)
- MacBook Air (2013 or later)
- MacBook Pro (Late 2013 or later)
- Mac mini (2014 or later)
- iMac (2014 or later)
- iMac Pro (2017 or later)
- Mac Pro (2013 or later)
Siri
Requires a broadband internet connection and microphone (built-in or external).
Hey Siri
Supported by the following Mac models:
- MacBook Pro (2018 or later)
- MacBook Air (2018 or later)
- iMac Pro (2017 or later)
Dictation, Voice Control, and Voice Memos
Requires a microphone (built-in or external).
Spotlight Suggestions
Requires a broadband internet connection.
Gestures
Requires a Multi-Touch trackpad, Force Touch trackpad, Magic Trackpad, or Magic Mouse.
Force Touch gestures require a Force Touch trackpad.
VoiceOver gestures require a Multi-Touch trackpad, Force Touch trackpad, or Magic Trackpad.
Photo Booth
Requires a FaceTime or iSight camera (built-in or external) or USB video class (UVC) camera.
FaceTime
Audio calls require a microphone (built-in or external) and broadband internet connection.
Video calls require a built-in FaceTime camera, an iSight camera (built-in or external), or a USB video class (UVC) camera; and broadband internet connection.
Apple TV
High dynamic range (HDR) video playback is supported by the following Mac models:
- MacBook Pro (2018 or later)
- iMac Pro (2017 or later)
- Mac Pro (2019) with Pro Display XDR
Dolby Atmos soundtrack playback is supported by the following Mac models:
- MacBook Air (2018 or later)
- MacBook Pro (2018 or later)
Sidecar
Supported by the following Mac models:
- MacBook (2016 or later)
- MacBook Air (2018 or later)
- MacBook Pro (2016 or later)
- Mac mini (2018 or later)
- iMac (late 2015 or later)
- iMac Pro (2017 or later)
- Mac Pro (2019)
Supported by all iPad models with Apple Pencil support:
- 12.9-inch iPad Pro
- 11-inch iPad Pro
- 10.5-inch iPad Pro
- 9.7-inch iPad Pro
- iPad (6th generation or later)
- iPad mini (5th generation)
- iPad Air (3rd and 4th generation)
Continuity Camera
Requires an iPhone or iPad that supports iOS 12 or later.
Continuity Sketch and Continuity Markup
Ok Boomer Mac Os X
Requires an iPhone with iOS 13 or later or an iPad with iPadOS 13 or later.
Handoff
Requires an iPhone or iPad with a Lightning connector or with USB-C and iOS 8 or later.
Instant Hotspot
Requires an iPhone or iPad with cellular connectivity, a Lightning connector or USB-C, and iOS 8.1 or later. Requires Personal Hotspot service through your carrier.
Universal Clipboard
Requires an iPhone or iPad with a Lightning connector or with USB-C and iOS 10 or later.
Auto Unlock
Requires an Apple Watch with watchOS 3 or later or an iPhone 5 or later.
Approve with Apple Watch
Requires an Apple Watch with watchOS 6 or later or an iPhone 6s or later with iOS 13 or later.
Apple Pay on the Web
Requires a MacBook Pro or MacBook Air with Touch ID, an iPhone 6 or later with iOS 10 or later, or an Apple Watch with watchOS 3 or later.
Phone Calling
Requires an iPhone with iOS 8 or later and an activated carrier plan.
SMS
Requires an iPhone with iOS 8.1 or later and an activated carrier plan.
Home
Requires an iPhone with iOS 12 or later and a configured Home app.
AirDrop
AirDrop to iOS and iPadOS devices requires an iPhone or iPad with a Lightning connector or with USB-C and iOS 7 or later.
AirPlay
Ok Boomer Mac Os Download
AirPlay Mirroring requires an Apple TV (2nd generation or later).
AirPlay for web video requires an Apple TV (2nd generation or later).
Peer-to-peer AirPlay requires a Mac (2012 or later) and an Apple TV (3rd generation rev A, model A1469 or later) with Apple TV software 7.0 or later.
Time Machine
Mac Os Mojave
Requires an external storage device (sold separately).
Maps electric vehicle routing
Requires an iPhone with iOS 14 and a compatible electric vehicle.
Maps license plate restrictions
Requires an iPhone running iOS 14 or an iPad running iPadOS 14.
Boot Camp
Ok Boomer Mac Os 11
Allows Boot Camp installations of Windows 10 on supported Mac models.
Exchange Support
Requires Microsoft Office 365, Exchange 2016, Exchange 2013, or Exchange Server 2010. Installing the latest Service Packs is recommended.
Windows Migration
Ok Boomer Mac Os Download
Supports OS X 10.7 or later and Windows 7 or later.
App Store
Available only to persons age 13 or older in the U.S. and many other countries and regions.
Photos
Mac Os Download
The improved Retouch tool is supported on the following Mac models:
- MacBook Pro (15-inch and 16-inch models) introduced in 2016 or later
- iMac (Retina 5K models) introduced in 2014 or later
- iMac (Retina 4K models) introduced in 2017 or later
- iMac Pro (2017 or later)
- Mac Pro introduced in 2013 or later
- Apple Books
- Apple News
- App Store
- Automator
- Calculator
- Calendar
- Chess
- Contacts
- Dictionary
- DVD Player
- FaceTime
- Find My
- Font Book
- Home
- Image Capture
- Launchpad
- Maps
- Messages
- Mission Control
- Music
- Notes
- Photo Booth
- Photos
- Podcasts
- Preview
- QuickTime Player
- Reminders
- Safari
- Siri
- Stickies
- Stocks
- System Preferences
- TextEdit
- Time Machine
- TV
- Voice Memos
- Activity Monitor
- AirPort Utility
- Audio MIDI Setup
- Bluetooth File Exchange
- Boot Camp Assistant
- ColorSync Utility
- Console
- Digital Color Meter
- Disk Utility
- Grapher
- Keychain Access
- Migration Assistant
- Screenshot
- Screen Time
- Script Editor
- Sidecar
- System Information
- Terminal
- VoiceOver Utility
- Arabic
- Catalan
- Croatian
- Simplified Chinese
- Traditional Chinese
- Traditional Chinese (Hong Kong)
- Czech
- Danish
- Dutch
- English (Australia)
- English (UK)
- English (U.S.)
- Finnish
- French
- French (Canada)
- German
- Greek
- Hebrew
- Hindi
- Hungarian
- Indonesian
- Italian
- Japanese
- Korean
- Malay
- Norwegian
- Polish
- Brazilian Portuguese
- Portuguese
- Romanian
- Russian
- Slovak
- Spanish
- Spanish (Latin America)
- Swedish
- Thai
- Turkish
- Ukrainian
- Vietnamese