Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
Changelog v0.2.3
Formatted code using black, bump license for 2022, and misc edits.
Install
$ pip3 install poisonapple --user
Important Notes!
PoisonApple will make modifications to your macOS system, it’s advised to only use PoisonApple on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (-r), please use with caution!
Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
Command-line tool to perform various persistence mechanism techniques on macOS.
optional arguments:
  -h, --help            show this help message and exit
  -l, --list            list available persistence mechanism techniques
  -t TECHNIQUE, --technique TECHNIQUE
                        persistence mechanism technique to use
  -n NAME, --name NAME  name for the file or label used for persistence
  -c COMMAND, --command COMMAND
                        command(s) to execute for persistence
  -r, --remove          remove persistence mechanism
[+] Success! The persistence mechanism action was successful: LaunchAgentUser
If no command is specified (-c), a default trigger command is used which writes to a file on the Desktop every time the persistence mechanism is triggered:
$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021
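After applying a technique such as LaunchAgentUser, a threat hunter will want to confirm that the artifact it leaves is something their tooling would surface. The Python below is an added example, not part of PoisonApple: it parses user LaunchAgent plists and flags the traits of a tight-interval shell trigger. The embedded plist is constructed to mirror the default trigger's behaviour and is an assumption about the tool's exact output, not a copy of it.

```python
import plistlib
from pathlib import Path

# Constructed sample (not produced by PoisonApple itself): a user LaunchAgent
# that re-runs a shell command every 10 seconds, the cadence in the log above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.emulation</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string>
  <string>echo "Triggered @ $(date)" >> ~/Desktop/PoisonApple-LaunchAgentUser</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>10</integer>
</dict>
</plist>
"""

def summarize_launch_agent(data: bytes) -> dict:
    """Pull the fields a hunter needs from one LaunchAgent plist."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return {
        "label": p.get("Label", "<no label>"),
        "command": " ".join(args),
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "interval": p.get("StartInterval"),
    }

def flag_agent(summary: dict) -> list:
    """Cheap triage heuristics; each hit is a reason to look closer."""
    reasons, cmd = [], summary["command"]
    if cmd.startswith(("/bin/sh", "/bin/bash", "/bin/zsh")) and " -c " in cmd:
        reasons.append("shell -c wrapper")
    if summary["interval"] is not None and summary["interval"] < 60:
        reasons.append(f"StartInterval {summary['interval']}s")
    if "Desktop" in cmd or "/tmp/" in cmd:
        reasons.append("writes to user/temp path")
    return reasons

def scan_launch_agents(directory: Path) -> list:
    """Summarize and flag every plist in a LaunchAgents directory."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        s = summarize_launch_agent(path.read_bytes())
        s["path"], s["flags"] = str(path), flag_agent(s)
        results.append(s)
    return results
```

Run scan_launch_agents(Path.home() / "Library/LaunchAgents") before and after the emulation to diff what the tool added and what -r removes.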