MacOS Red Teaming 209: macOS Frameworks for Command and Control

This post will be a quick rundown of some popular options for macOS command and control (C&C or C2) frameworks. I've left some out, such as Pupy, a cross-platform Python backdoor, as I've tried to get a few from each general category and there are other similar Python frameworks included. That said, if you think I've missed a framework with major differentiators, please link it in the comments. I also know there are a great many cross-platform backdoors that focus on novel command and control channels; I know because I've written a bunch. The following are quicker options for those who want to rely on the strength of a framework versus combining one-off techniques, as we've been covering in this series up until now. Hopefully I'm listing more professional tools of the trade, to apply the theory we've been discussing in the "macOS Red Teaming" series so far. Also keep in mind that you can easily wrap any of the following in gscript for some fast obfuscation, or for applying any number of techniques before laying down your command and control. The options presented below are mostly differentiated by their execution techniques, command and control channels, and post exploitation techniques, in an effort to give pentesters and red teamers options in the face of different environments and detection solutions.

Merlin
You've probably seen me write about Merlin in the past. This is one of my favorite command and control frameworks because it is cross platform, the C2 channel uses HTTP/2 beaconing, it has enough basic features, and it has a strong dev community. I personally prefer a lightweight, cross-platform agent like this, as most of my macOS techniques are platform independent and I perform them using one-off tools once I'm established on the endpoint. Merlin does have some post exploitation modules for Bash, but these aren't necessarily macOS specific. That said, I understand how important good frameworks are to professional red teamers, so I understand if this framework doesn't have enough macOS-specific post exploitation features for them.

Sliver
Sliver is a new-ish cross-platform, Go-based command and control framework. I really enjoy Sliver as a framework, as it's cross platform and supports multiple user clients, but it doesn't have many macOS post exploitation features. This project is a bit hard to set up if you're compiling from source, as it uses cgo and some standalone tools for some of the crazier features, so I suggest the prebuilt Docker image. This project also has built-in obfuscation using a modified version of gobfuscate. That said, I have high hopes for this platform and think it will be one of the major platforms of the future, so keep your eyes on it!

EvilOSX
EvilOSX is a Python-based framework that has quite a few macOS-specific post exploitation features and modules. This framework includes some awesome collection techniques such as gathering backups, browser passwords, and even iCloud data. This is an older framework, so it may have more detections around it when evaluated against AV or EDR tools. This project is kind of neat because it also includes a GUI for the tool, which has its own agent builder. Despite being obfuscated, this stuff is pretty obviously malware once you find the Python code that is executed. This is the first macOS-exclusive framework we have looked at, which may also lend itself to detections, as it's a targeted threat versus cross-platform malware, which may only have strong detections on Windows, for example, depending on the detection solution. Finally, other branches of this framework are now more up to date, as the main branch hasn't seen much active development recently.


Empire
This is another Python-based post exploitation framework, which may come with some inherent drawbacks associated with the language (slower run speed, requires the interpreter, can be decompiled to source). Although this framework has been retired, it's chock full of great macOS-specific post exploitation features, from multiple persistence techniques, such as launch daemons and dylib hijacking, to a few collection modules like a keylogger and a keychain dumper. This is also a cross-platform framework, so you can manage your callbacks from other operating systems in a central location. This framework has some of the most post exploitation features for macOS, making it one of the better full-fledged frameworks for accomplishing your goals after execution. Empire also includes opsec notes for its post exploitation features. That said, it's very popular and has been around for a long time, so many EDR vendors have built up detections for the different techniques in these frameworks over the years.


Metasploit
Metasploit actually has a large collection of macOS-specific post exploitation modules. It has collection techniques ranging from keylogging to all kinds of password storage: AirPort passwords, autologin passwords, keychains, hashes, and even stored VNC passwords. It also has an awesome number of different execution types available with msfvenom, and even some older macOS-specific exploits. This all includes a version of Meterpreter for macOS, but honestly Meterpreter is pretty lacking on macOS and Linux. This is a tried and true post exploitation framework that still sees active development, and I list it because it is still extremely robust and modular, despite being easier to detect only because it has been around for so long. This is definitely one of the more dynamic platforms, but it should also be one of the easier frameworks to detect. In my opinion, this is always a good place to start for generic hacker adversary emulation as well.


Apfell
This is a very interesting modular C2 framework that mostly targets macOS. While the framework supports adding new execution and C2 methods, it's currently a little limited, as it uses Python and JXA for its initial execution. It also doesn't actually have many macOS post exploitation features built into the framework beyond these execution techniques. That said, there are many lessons to be learned in digging into the JXA execution methods, because they are so novel. Cody also covers some novel persistence techniques in the talk below, such as 'folder actions', which can execute AppleScript on specific folder events. I personally found this framework tougher to set up and use operationally.


MacSwiftShell
This was another really neat project, as this one is done totally in Swift. Here we have a native macOS application which you can easily modify and from which you can call native libraries or other tools. This framework does have a few post exploitation features, including notes on whether they are opsec safe or not. This project includes an example of Launch Agent persistence and an example of the classic macOS collection method using the osascript user password prompt, to name two techniques. The project itself is invaluable as a template for C2 in Swift, as you see all the macOS Cocoa API calls required for these techniques, as opposed to the library calls of the other high-level languages. All that said, this project is still very much in development, so I would probably just use it as a template for my own Swift agents, as opposed to using it for large or professional engagements. This framework also includes general opsec considerations for each technique it uses, which can be a helpful perspective to consider based on the target environment.


There you go: after this post you should have quite a few options for execution, command and control, and post exploitation features such as persistence. Which framework you end up using will likely be up to your needs or based on environmental constraints. For example, if you're pentesting an environment with poor detections, or where detection testing is less of a concern, I would go with a more feature-rich platform where opsec is less of a consideration. If I were red teaming a high-security environment, I would likely use one of the more lightweight, native agents. If I were doing adversary emulation, I would analyze my target threat group(s) and pick a framework with existing similar techniques, or go with one-off technique emulation. Obviously this list is not exhaustive, but my goal here is to give you a selection of good options. Enjoy, and please leave feedback on your favorite macOS command and control frameworks in the comments.