| name | macos-postexploit |
| description | macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools |
| category | post-exploitation |
| tags | ["macos","post-exploitation","credential-access","defense-evasion","keychain","dtrace","tcc","xprotect","gatekeeper"] |
| tech_stack | ["macos","python","dtrace","security-cli","osascript"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-312"] |
| chains_with | ["T1555.001","T1056.001","T1059.004","T1562.001","T1070.002","T1553.001"] |
| prerequisites | ["T1068","T1548"] |
| version | 1.0 |
macOS Post-Exploitation Methodology
macOS post-exploitation uses native tools (security, dtrace, xattr, log), Python with PyObjC/Quartz frameworks, and direct SQLite access for credential extraction. After gaining root or user-level access on a macOS target, these tools provide credential harvesting, runtime monitoring, and operational security capabilities.
Prerequisites
Before deploying machook tools, verify:
- Root access — most operations require root (except `xprotect_check`, `gatekeeper_bypass` for user-owned files, `ssh_keys` for current user)
- SIP status — DTrace tools require SIP disabled (`csrutil disable` from Recovery Mode)
- Python3 — available via Xcode CLT or Homebrew
- PyObjC — required for `keylog_mac` (CGEventTap); install via `pip3 install pyobjc-framework-Quartz`
```bash
csrutil status
sw_vers
security list-keychains
python3 -c "import Quartz; print('OK')"
ls /Library/Apple/System/Library/CoreServices/XProtect.bundle
```
Kill Chain Phases
Phase 1 — Situational Awareness (First 60 seconds)
Understand the defensive landscape before deploying hooks.
| Action | Command | Purpose |
|---|---|---|
| Check XProtect | machook xprotect_check | Enumerate XProtect/MRT signatures to know what triggers detection |
| Check SIP | csrutil status | Determine if DTrace monitoring is available |
| SSH keys | machook ssh_keys | Find SSH private keys — often leads to lateral movement |
| Keychain list | security list-keychains | See available keychains before dumping |
Phase 2 — Credential Harvesting
Extract credentials from macOS-specific stores.
| Action | Command | Purpose |
|---|---|---|
| Keychain dump | machook keychain_dump | Extract all passwords from login/system Keychain via security command |
| Browser creds | machook chrome_creds | Extract Chrome/Safari saved passwords and cookies with AES decryption |
| SSH keys | machook ssh_keys | Find private keys for all users — id_rsa, id_ed25519, etc. |
| TCC bypass | machook tcc_bypass | Bypass TCC to access camera, microphone, files without user consent |
| Keystroke capture | machook keylog_mac --duration 120 | Log keystrokes via CGEventTap with application context |
Keychain extraction uses the macOS security command to enumerate and dump keychain items. Root access allows dumping without per-item authorization prompts. The login keychain contains WiFi passwords, website credentials, certificates, and application tokens.
Chrome credential extraction copies the locked Login Data SQLite database, retrieves the Safe Storage key from Keychain, derives the AES decryption key via PBKDF2, and decrypts each stored password. Safari passwords are stored in Keychain and extracted via security find-internet-password.
TCC bypass targets the TCC.db database (~/Library/Application Support/com.apple.TCC/TCC.db) to grant access to protected resources without user consent dialogs.
Phase 3 — Monitoring (SIP disabled required)
DTrace provides kernel-level visibility into the target system.
| Action | Command | Purpose |
|---|---|---|
| Process monitoring | machook dtrace_exec --duration 60 | Trace all process executions — detect cron, security scans, admin activity |
| Network monitoring | machook dtrace_net --duration 60 | Monitor all network connections — identify internal services, C2 |
| File monitoring | machook dtrace_file --duration 60 | Monitor file access — detect what admin tools read/write |
Phase 4 — Stealth
Reduce the forensic footprint.
| Action | Command | Purpose |
|---|---|---|
| Gatekeeper bypass | machook gatekeeper_bypass --path /path | Remove quarantine xattr to allow unsigned tool execution |
| Clear logs | machook log_clear | Clear unified logging, ASL, audit logs, crash reports, shell history |
Phase 5 — Cleanup (MANDATORY)
Always run cleanup before exiting a target.
```bash
machook cleanup_mac
```
The cleanup tool:
- Finds and removes LaunchAgents/LaunchDaemons matching CyberStrike patterns
- Kills any running DTrace or machook-related processes
- Removes temporary files and copied databases
- Clears machook-specific entries from shell history
Detection Considerations
macOS post-exploitation tools are detectable by:
- Endpoint Security Framework (ESF) — EDR agents using `es_new_client()` for process/file/auth events
- Unified Logging — `log show --predicate 'process == "security"'` for Keychain access
- TCC audit — TCC access logged in Console.app, `tccutil` events visible
- SIP — When enabled, blocks DTrace system-wide tracing and TCC.db modification
- XProtect — Scans downloaded executables against YARA rules
- Gatekeeper — Checks code signing and quarantine attributes
- CrowdStrike Falcon / Jamf Protect — macOS-specific EDR detects suspicious `security` command usage and CGEventTap creation
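As an added illustration of the detection side (example code written for this page, not part of the machook tooling), the following Python matches process-execution events against the techniques listed above and emits one alert per hit. The flat event schema (`ts`, `pid`, `user`, `exe`, `args`) and the sample events are constructed assumptions, not real Endpoint Security Framework or `log show` output.

```python
import re

# Detection rules keyed to the ATT&CK techniques referenced on this page.
# Each pattern is searched in the reconstructed command line of an exec event.
RULES = [
    ("keychain-access", "T1555.001",
     re.compile(r"(^|/)security\s+(dump-keychain|find-(internet|generic)-password)\b")),
    ("tcc-db-tamper", "T1548",
     re.compile(r"com\.apple\.TCC/TCC\.db")),
    ("quarantine-strip", "T1553.001",
     re.compile(r"(^|/)xattr\s+.*com\.apple\.quarantine")),
    ("dtrace-tracing", "T1057",
     re.compile(r"(^|/)dtrace\b")),
    ("sip-disable", "T1562.001",
     re.compile(r"(^|/)csrutil\s+disable\b")),
]

def classify(event):
    """Return the (rule, technique) pairs one exec event triggers; [] if benign."""
    cmdline = " ".join([event["exe"], *event.get("args", [])])
    return [(name, tid) for name, tid, pat in RULES if pat.search(cmdline)]

def scan(events):
    """Run every event through the rules and return one alert dict per hit."""
    alerts = []
    for ev in events:
        for rule, tid in classify(ev):
            alerts.append({"ts": ev["ts"], "pid": ev["pid"], "user": ev["user"],
                           "rule": rule, "technique": tid})
    return alerts

# Constructed sample events (assumed simplified schema, not real ESF records).
# Benign enumeration (list-keychains, xattr -l) must not fire; the rest should.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01Z", "pid": 4101, "user": "alice",
     "exe": "/usr/bin/security", "args": ["list-keychains"]},
    {"ts": "2024-05-01T09:00:07Z", "pid": 4105, "user": "root",
     "exe": "/usr/bin/security", "args": ["dump-keychain", "login.keychain"]},
    {"ts": "2024-05-01T09:00:12Z", "pid": 4109, "user": "root",
     "exe": "/usr/bin/sqlite3",
     "args": ["/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"]},
    {"ts": "2024-05-01T09:00:20Z", "pid": 4113, "user": "root",
     "exe": "/usr/sbin/dtrace", "args": ["-n", "syscall::execve:entry"]},
    {"ts": "2024-05-01T09:00:31Z", "pid": 4120, "user": "alice",
     "exe": "/usr/bin/xattr", "args": ["-l", "/Users/alice/Downloads/tool"]},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['ts']} pid={a['pid']} user={a['user']} {a['rule']} ({a['technique']})")
```

A real deployment would feed this from an ESF client or `log show --style json` and correlate on user and time window rather than alerting on single events.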
Program Reference
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| keychain_dump | macOS Keychain extraction via security CLI | T1555.001 — Keychain |
| chrome_creds | Browser credential decryption (Chrome/Safari) | T1555.003 — Credentials from Web Browsers |
| ssh_keys | SSH private key discovery and exfiltration | T1552.004 — Private Keys |
| tcc_bypass | TCC database manipulation for resource access | T1548 — Abuse Elevation Control Mechanism |
| keylog_mac | Keystroke capture via CGEventTap | T1056.001 — Keylogging |
| dtrace_exec | Process execution tracing via DTrace | T1057 — Process Discovery |
| dtrace_net | Network connection tracing via DTrace | T1049 — System Network Connections Discovery |
| dtrace_file | File access tracing via DTrace | T1083 — File and Directory Discovery |
| xprotect_check | XProtect/MRT signature enumeration | T1518.001 — Security Software Discovery |
| gatekeeper_bypass | Quarantine xattr removal | T1553.001 — Gatekeeper Bypass |
| log_clear | Unified log, ASL, and audit log clearing | T1070.002 — Clear Linux or Mac System Logs |
| cleanup_mac | Artifact removal and process cleanup | T1070 — Indicator Removal |