macos-postexploit
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| Field | Value |
|---|---|
| name | macos-postexploit |
| description | macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools |
| category | post-exploitation |
| tags | ["macos","post-exploitation","credential-access","defense-evasion","keychain","dtrace","tcc","xprotect","gatekeeper"] |
| tech_stack | ["macos","python","dtrace","security-cli","osascript"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-312"] |
| chains_with | ["T1555.001","T1056.001","T1059.004","T1562.001","T1070.002","T1553.001"] |
| prerequisites | ["T1068","T1548"] |
| version | 1.0 |
macOS post-exploitation uses native tools (security, dtrace, xattr, log), Python with PyObjC/Quartz frameworks, and direct SQLite access for credential extraction. After gaining root or user-level access on a macOS target, these tools provide credential harvesting, runtime monitoring, and operational security capabilities.
Before deploying machook tools, verify:

- Privilege level: user-level access is enough for xprotect_check, gatekeeper_bypass (for user-owned files) and ssh_keys (for the current user); the remaining tools expect root
- SIP disabled for DTrace monitoring (csrutil disable from Recovery Mode)
- PyObjC/Quartz for keylog_mac (CGEventTap); install via pip3 install pyobjc-framework-Quartz

```bash
# Quick prerequisite check
csrutil status # SIP status (DTrace needs SIP disabled)
sw_vers # macOS version
security list-keychains # available keychains
python3 -c "import Quartz; print('OK')" # PyObjC for keylogging
ls /Library/Apple/System/Library/CoreServices/XProtect.bundle # XProtect present
```
Understand the defensive landscape before deploying hooks.
| Action | Command | Purpose |
|---|---|---|
| Check XProtect | machook xprotect_check | Enumerate XProtect/MRT signatures to know what triggers detection |
| Check SIP | csrutil status | Determine if DTrace monitoring is available |
| SSH keys | machook ssh_keys | Find SSH private keys — often leads to lateral movement |
| Keychain list | security list-keychains | See available keychains before dumping |
Extract credentials from macOS-specific stores.
| Action | Command | Purpose |
|---|---|---|
| Keychain dump | machook keychain_dump | Extract all passwords from login/system Keychain via security command |
| Browser creds | machook chrome_creds | Extract Chrome/Safari saved passwords and cookies with AES decryption |
| SSH keys | machook ssh_keys | Find private keys for all users — id_rsa, id_ed25519, etc. |
| TCC bypass | machook tcc_bypass | Bypass TCC to access camera, microphone, files without user consent |
| Keystroke capture | machook keylog_mac --duration 120 | Log keystrokes via CGEventTap with application context |
Keychain extraction uses the macOS security command to enumerate and dump keychain items. Root access allows dumping without per-item authorization prompts. The login keychain contains WiFi passwords, website credentials, certificates, and application tokens.
Chrome credential extraction copies the locked Login Data SQLite database, retrieves the Safe Storage key from Keychain, derives the AES decryption key via PBKDF2, and decrypts each stored password. Safari passwords are stored in Keychain and extracted via security find-internet-password.
TCC bypass targets the TCC.db database (~/Library/Application Support/com.apple.TCC/TCC.db) to grant access to protected resources without user consent dialogs.
DTrace provides kernel-level visibility into the target system.
| Action | Command | Purpose |
|---|---|---|
| Process monitoring | machook dtrace_exec --duration 60 | Trace all process executions — detect cron, security scans, admin activity |
| Network monitoring | machook dtrace_net --duration 60 | Monitor all network connections — identify internal services, C2 |
| File monitoring | machook dtrace_file --duration 60 | Monitor file access — detect what admin tools read/write |
Reduce the forensic footprint.
| Action | Command | Purpose |
|---|---|---|
| Gatekeeper bypass | machook gatekeeper_bypass --path /path | Remove quarantine xattr to allow unsigned tool execution |
| Clear logs | machook log_clear | Clear unified logging, ASL, audit logs, crash reports, shell history |
Always run cleanup before exiting a target.

```bash
machook cleanup_mac
```

The cleanup tool:
macOS post-exploitation tools are detectable by:

- Endpoint Security framework: es_new_client() for process/file/auth events
- Unified log: log show --predicate 'process == "security"' for Keychain access
- tccutil events visible
- security command usage and CGEventTap creation

| Program | Technique | MITRE ATT&CK |
|---|---|---|
| keychain_dump | macOS Keychain extraction via security CLI | T1555.001 — Keychain |
| chrome_creds | Browser credential decryption (Chrome/Safari) | T1555.003 — Credentials from Web Browsers |
| ssh_keys | SSH private key discovery and exfiltration | T1552.004 — Private Keys |
| tcc_bypass | TCC database manipulation for resource access | T1548 — Abuse Elevation Control Mechanism |
| keylog_mac | Keystroke capture via CGEventTap | T1056.001 — Keylogging |
| dtrace_exec | Process execution tracing via DTrace | T1057 — Process Discovery |
| dtrace_net | Network connection tracing via DTrace | T1049 — System Network Connections Discovery |
| dtrace_file | File access tracing via DTrace | T1083 — File and Directory Discovery |
| xprotect_check | XProtect/MRT signature enumeration | T1518.001 — Security Software Discovery |
| gatekeeper_bypass | Quarantine xattr removal | T1553.001 — Gatekeeper Bypass |
| log_clear | Unified log, ASL, and audit log clearing | T1070.002 — Clear Linux or Mac System Logs |
| cleanup_mac | Artifact removal and process cleanup | T1070 — Indicator Removal |
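As an added defensive example (not part of the machook toolkit or of this page's own code), the Python below maps process-execution events to the detection points listed above and to the ATT&CK techniques in the table, covering the Keychain, Chrome Safe Storage, DTrace, quarantine-removal, TCC.db and log-clearing commands described in the credential and stealth sections. The event records are constructed, simplified stand-ins for what an Endpoint Security client or `eslogger exec` would surface after normalisation, not real output.

```python
import re

# Constructed sample exec events: {"path": executable, "args": argv}.
# This is NOT the real eslogger/ES JSON schema, only the two fields a
# detection rule needs once an EDR has normalised the event.
SAMPLE_EVENTS = [
    {"path": "/usr/bin/security", "args": ["security", "dump-keychain", "-d", "login.keychain-db"]},
    {"path": "/usr/bin/security", "args": ["security", "find-generic-password", "-wa", "Chrome", "-s", "Chrome Safe Storage"]},
    {"path": "/usr/sbin/dtrace", "args": ["dtrace", "-n", "syscall::execve:entry"]},
    {"path": "/usr/bin/xattr", "args": ["xattr", "-d", "com.apple.quarantine", "/tmp/tool"]},
    {"path": "/usr/bin/sqlite3", "args": ["sqlite3", "/Users/a/Library/Application Support/com.apple.TCC/TCC.db"]},
    {"path": "/usr/bin/log", "args": ["log", "erase", "--all"]},
    {"path": "/usr/bin/security", "args": ["security", "list-keychains"]},  # benign enumeration
    {"path": "/bin/ls", "args": ["ls", "-la"]},                               # noise
]

# (rule name, ATT&CK technique from the table above, regex over the command line)
RULES = [
    ("keychain-dump", "T1555.001", r"^security\b.*\b(dump-keychain|find-(generic|internet)-password)\b"),
    ("browser-safe-storage", "T1555.003", r"^security\b.*Safe Storage"),
    ("dtrace-tracing", "T1057", r"^dtrace\b"),
    ("quarantine-strip", "T1553.001", r"^xattr\b.*-d.*com\.apple\.quarantine"),
    ("tcc-db-access", "T1548", r"^tccutil\b|TCC\.db"),
    ("log-clear", "T1070.002", r"^log\b.*\berase\b"),
]


def classify(event):
    """Return every (rule, technique) pair whose regex matches the command line."""
    cmdline = " ".join(event["args"])
    return [(name, tid) for name, tid, pat in RULES if re.search(pat, cmdline)]


def triage(events):
    """Return (cmdline, hits) for each event that matched at least one rule.

    An event can carry several hits: a Safe Storage lookup is both a Keychain
    read (T1555.001) and the first step of browser credential decryption
    (T1555.003), so both are reported rather than collapsed.
    """
    alerts = []
    for ev in events:
        hits = classify(ev)
        if hits:
            alerts.append((" ".join(ev["args"]), hits))
    return alerts


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(f"{cmdline!r}: " + ", ".join(f"{n} ({t})" for n, t in hits))
```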