PoisonApple v0.2.1 releases: macOS persistence tool
Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
- Re-arrange techniques and improve code base by using subclasses.
$ pip3 install poisonapple --user
- PoisonApple makes modifications to your macOS system, so it's advised to use it only on a virtual machine. Although any persistence mechanism technique added with this tool can also be easily removed (-r), please use it with caution!
- Be advised: This tool will likely cause common AV / EDR / other macOS security products to generate alerts.
- To understand how any of these techniques work in-depth please see The Art of Mac Malware, Volume 1: Analysis – Chapter 0x2: Persistence by Patrick Wardle of Objective-See. It’s a fantastic resource.
List of available techniques:
Apply a persistence mechanism:
If no command is specified (-c), a default trigger command is used that writes to a file on the Desktop every time the persistence mechanism is triggered:
Remove a persistence mechanism:
$ poisonapple -t LaunchAgentUser -n testing -r
Use a custom command:
$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
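As an added, defender-side example (not part of PoisonApple), the audit below parses every plist in a LaunchAgent directory, the location the LaunchAgentUser technique above populates, and flags entries that launchd starts automatically and that wrap an inline shell command, so a hunter can confirm the emulated persistence landed and check it against their EDR's alerts. The sample plists are constructed fixtures and do not claim to match PoisonApple's real plist layout.

```python
import plistlib
import tempfile
from pathlib import Path

SHELLS = {"sh", "bash", "zsh"}


def audit_launch_agents(agent_dir):
    """One record per .plist: label, resolved command, and whether launchd
    starts it on its own (RunAtLoad / KeepAlive)."""
    findings = []
    for plist_path in sorted(Path(agent_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:  # binary/XML parse failures are themselves worth a look
            findings.append({"path": str(plist_path), "error": "unparseable plist"})
            continue
        args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
        args = [str(a) for a in args]
        findings.append({
            "path": str(plist_path),
            "label": data.get("Label"),
            "command": " ".join(args),
            "auto_start": bool(data.get("RunAtLoad")) or bool(data.get("KeepAlive")),
            # heuristic: an interpreter plus "-c" is how an arbitrary one-liner
            # (like the -c command in the example above) ends up in an agent
            "shell_wrapper": bool(args) and Path(args[0]).name in SHELLS and "-c" in args,
        })
    return findings


def flag_for_review(findings):
    """Auto-started agents that wrap an inline shell command."""
    return [f for f in findings if f.get("auto_start") and f.get("shell_wrapper")]


def make_sample_agent_dir():
    """Constructed fixtures: one agent shaped like an emulated
    'echo ... >> Desktop' entry and one ordinary vendor agent."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "testing.plist": {"Label": "testing", "RunAtLoad": True,
                          "ProgramArguments": ["/bin/sh", "-c", "echo foo >> /Users/user/Desktop/foo"]},
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "Program": "/usr/local/bin/updater", "StartInterval": 3600},
    }
    for name, content in samples.items():
        with open(d / name, "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    for f in flag_for_review(audit_launch_agents(make_sample_agent_dir())):
        print(f["path"], "->", f["command"])
```

Point audit_launch_agents at ~/Library/LaunchAgents on the test VM to compare what PoisonApple wrote with what the tool reports after -r.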
Copyright (c) 2021 Cyborg Security