SlideShare a Scribd company logo
1 of 18
Bir macOS APT Senaryosu
Onur ALANBEL
$id -un
• Product Manager - Picus Security
• Bilgisayar Mühendisliği – İYTE
• Twitter - @onuralanbel
• Github - onura
Ajanda
Hedef
olarak
macOS
İlk erişim
Yetki
yükseltme
Kalıcılık
Veri
toplama
Veri
kaçırma
Hedef olarak macOS
Üst düzey hedeflerde
yaygın kullanım
Düşük güvenlik önlemleri
(gözden uzak)
Gerçek hayat örnekleri
• Lazarus
• Windtail
• Diğerleri
İlk erişim
Exploit (0 to 2-3 days)
• Safari
• MS Office for Mac
• Preview Keynote,
Numbers vb.
Zafiyet değil
özellik
• URL Scheme
Handlers
Diğerleri
URL Schemes
• Document Handlers
• URL schemes
• URL scheme kaydeden bir paket oluşturma
• Download + forward ile istismar
URL Schemes
• Document Handlers
CFBundleTypeExtensions = (
rtf
);
CFBundleTypeName = "Rich Text Document";
CFBundleTypeRole = Editor;
LSItemContentTypes = (
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/l
sregister -dump |grep -a5 -b5 TypeExtension
Bundle
• Info.plist
• CFBundleTypeExtension
Dosya Diske
Yazılır
macOS
Document
Handler
kaydeder
URL Schemes
• URL Schemes
/System/Library/Frameworks/CoreServices.framework/Frameworks/Launc
hServices.framework/Support/lsregister -dump |grep -a5 -b5 -i
CFBundleURLSchemessssh://
CFBundleURLTypes = (
{
CFBundleURLName = "ssh URL";
CFBundleURLSchemes = (
ssh
);
},
{
CFBundleURLName = "x-man-page URL";
ssh
);
}
);
URL Schemes
• URL Schemes
videoconf://
Info.plist
Implant Seçimi
SSH Backdoor
• Basit ve etkili
Mettle
• Stabil
• Post exploitation kolay
Empire
• Stabil
• Güçlü C2 iletişimi
• Post exploitation kolay
EvilOSXs
• macOS'e özel bir çok post exploitation modülü
Empire stager ile paket oluşturma
Http listener
osx/macho
stager
stager >
macosapt.app
İstismar Sayfası
Gatekeeper
İmzalı app kullanmak
• Windtail kullanıyor
Gatekeeper bypass (0 or 2-3 days)
• Hemen her versiyonda bulunabiliyor
İlk erişimden sonra curl + exec
• Bir çok macOS zararlısı kullanıyor
Homograph
• Genelde GK bypass ile beraber ikna edici
dosya isimleri oluşturmakta kullanılır
Yetki Yükseltme
• Local Privilege Escalation Exploit (CVE-2019-8513)
• macOS 10.14.3
• Password Phishing
• macOS 10.14.4
Kalıcılık
• Mail
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.proxy.initialize</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/macosapt</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
<dict>
<key>AllCriteriaMustBeSatisfied</key>
<string>NO</string>
<key>AppleScript</key>
<string>persist.scpt</string>
<key>AutoResponseType</key>
<integer>0</integer>
<key>Criteria</key>
<array>
<dict>
-----
<key>Expression</key>
<string>macosAPT</string>
<key>Header</key>
------
• Launch Daemon
Veri Toplama ve Kaçırma
Dump keychain
without root
• CVE-2019-8526
• Keychain Stealer App
Keychain
masterkey in
memory
• Keychaindump
• Keychaindump chainbreaker
macOS’e özel
olmayan diğerleri
• Dump Chrome passwords
• Browser history
• Keylogging
• Screenshots
• Mic recording
Sorular
info@picussecurity.com
Referanslar
• https://www.sentinelone.com/blog/how-malware-bypass-macos-gatekeeper/
• https://digitasecurity.com/blog/2018/08/30/windshift/
• https://www.n00py.io/2016/10/using-email-for-persistence-on-os-x/
• https://null-byte.wonderhowto.com/how-to/hacking-macos-perform-privilege-escalation-part-2-password-phishing-0186332/
• https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43?sk=3970823f97714fac1d04d75325e3cbac
• https://www.willmaster.com/library/features/download-and-redirect-with-one-click.php

More Related Content

What's hot

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldCisco Canada
 
Sourcefire Webinar - NEW GENERATION IPS
Sourcefire Webinar -  NEW GENERATION IPSSourcefire Webinar -  NEW GENERATION IPS
Sourcefire Webinar - NEW GENERATION IPSmmiznoni
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updatedInfosecTrain
 
Infographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL EncryptionInfographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL EncryptionBlue Coat
 
Miben nyújt többet a Cisco ASA + FirePOWER Services?
Miben nyújt többet a Cisco ASA + FirePOWER Services?Miben nyújt többet a Cisco ASA + FirePOWER Services?
Miben nyújt többet a Cisco ASA + FirePOWER Services?S&T Consulting Hungary
 
McAfee MOVE & Endpoint Security
McAfee MOVE & Endpoint SecurityMcAfee MOVE & Endpoint Security
McAfee MOVE & Endpoint Securitynetlogix
 
MID_Complex_Network_Security_Alex_de_Graaf_EN
MID_Complex_Network_Security_Alex_de_Graaf_ENMID_Complex_Network_Security_Alex_de_Graaf_EN
MID_Complex_Network_Security_Alex_de_Graaf_ENVladyslav Radetsky
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation SecurityCisco Canada
 
Talos Insight: Threat Innovation Emerging from the Noise
Talos Insight: Threat Innovation Emerging from the NoiseTalos Insight: Threat Innovation Emerging from the Noise
Talos Insight: Threat Innovation Emerging from the NoiseCisco Canada
 

What's hot (20)

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
 
Sourcefire Webinar - NEW GENERATION IPS
Sourcefire Webinar -  NEW GENERATION IPSSourcefire Webinar -  NEW GENERATION IPS
Sourcefire Webinar - NEW GENERATION IPS
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Mod security
Mod securityMod security
Mod security
 
Online Authentication
Online AuthenticationOnline Authentication
Online Authentication
 
Infographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL EncryptionInfographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL Encryption
 
L27
L27L27
L27
 
Miben nyújt többet a Cisco ASA + FirePOWER Services?
Miben nyújt többet a Cisco ASA + FirePOWER Services?Miben nyújt többet a Cisco ASA + FirePOWER Services?
Miben nyújt többet a Cisco ASA + FirePOWER Services?
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
IPS Best Practices
IPS Best PracticesIPS Best Practices
IPS Best Practices
 
McAfee MOVE & Endpoint Security
McAfee MOVE & Endpoint SecurityMcAfee MOVE & Endpoint Security
McAfee MOVE & Endpoint Security
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure Sentinel
 
MID_Complex_Network_Security_Alex_de_Graaf_EN
MID_Complex_Network_Security_Alex_de_Graaf_ENMID_Complex_Network_Security_Alex_de_Graaf_EN
MID_Complex_Network_Security_Alex_de_Graaf_EN
 
SourceFire IPS Overview
SourceFire IPS OverviewSourceFire IPS Overview
SourceFire IPS Overview
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation Security
 
Cisco NGFW AMP
Cisco NGFW AMPCisco NGFW AMP
Cisco NGFW AMP
 
Talos Insight: Threat Innovation Emerging from the Noise
Talos Insight: Threat Innovation Emerging from the NoiseTalos Insight: Threat Innovation Emerging from the Noise
Talos Insight: Threat Innovation Emerging from the Noise
 

Similar to Bir macOS APT Senaryosu

Archiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan Volz
Archiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan VolzArchiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan Volz
Archiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan VolzDatabricks
 
Low latency scalable web crawling on Apache Storm
Low latency scalable web crawling on Apache StormLow latency scalable web crawling on Apache Storm
Low latency scalable web crawling on Apache StormJulien Nioche
 
Large Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsLarge Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and Friendslucenerevolution
 
Large Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsLarge Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsJulien Nioche
 
Big Data Introduction - Solix empower
Big Data Introduction - Solix empowerBig Data Introduction - Solix empower
Big Data Introduction - Solix empowerDurga Gadiraju
 
Introduction to Kafka and Zookeeper
Introduction to Kafka and ZookeeperIntroduction to Kafka and Zookeeper
Introduction to Kafka and ZookeeperRahul Jain
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures Stenio Ferreira
 
Unleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCache Unleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCache Amazon Web Services
 
Unleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCacheUnleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCacheAmazon Web Services
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
 
Providence: rapid vulnerability prevention
Providence: rapid vulnerability preventionProvidence: rapid vulnerability prevention
Providence: rapid vulnerability preventionSalesforce Engineering
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.xFabio Codebue
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniterJamshid Hashimi
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)Julien SIMON
 

Similar to Bir macOS APT Senaryosu (20)

Archiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan Volz
Archiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan VolzArchiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan Volz
Archiving, E-Discovery, and Supervision with Spark and Hadoop with Jordan Volz
 
Low latency scalable web crawling on Apache Storm
Low latency scalable web crawling on Apache StormLow latency scalable web crawling on Apache Storm
Low latency scalable web crawling on Apache Storm
 
Large Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsLarge Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and Friends
 
Large Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsLarge Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and Friends
 
Big Data Introduction - Solix empower
Big Data Introduction - Solix empowerBig Data Introduction - Solix empower
Big Data Introduction - Solix empower
 
SolrCloud on Hadoop
SolrCloud on HadoopSolrCloud on Hadoop
SolrCloud on Hadoop
 
Introduction to Kafka and Zookeeper
Introduction to Kafka and ZookeeperIntroduction to Kafka and Zookeeper
Introduction to Kafka and Zookeeper
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
 
Unleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCache Unleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCache
 
Unleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCacheUnleash the Power of Redis with Amazon ElastiCache
Unleash the Power of Redis with Amazon ElastiCache
 
Using Data Lakes
Using Data LakesUsing Data Lakes
Using Data Lakes
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Providence: rapid vulnerability prevention
Providence: rapid vulnerability preventionProvidence: rapid vulnerability prevention
Providence: rapid vulnerability prevention
 
Using Data Lakes
Using Data LakesUsing Data Lakes
Using Data Lakes
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.x
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniter
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Using Data Lakes
Using Data LakesUsing Data Lakes
Using Data Lakes
 
Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)
 

More from BGA Cyber Security

WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiBGA Cyber Security
 
Tatil Öncesi Güvenlik Kontrol Listesi.pdf
Tatil Öncesi Güvenlik Kontrol Listesi.pdfTatil Öncesi Güvenlik Kontrol Listesi.pdf
Tatil Öncesi Güvenlik Kontrol Listesi.pdfBGA Cyber Security
 
Ücretsiz Bilgi Güvenliği Farkındalık Eğitimi
Ücretsiz Bilgi Güvenliği Farkındalık EğitimiÜcretsiz Bilgi Güvenliği Farkındalık Eğitimi
Ücretsiz Bilgi Güvenliği Farkındalık EğitimiBGA Cyber Security
 
3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?BGA Cyber Security
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBGA Cyber Security
 
Webinar: Popüler black marketler
Webinar: Popüler black marketlerWebinar: Popüler black marketler
Webinar: Popüler black marketlerBGA Cyber Security
 
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıWebinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıBGA Cyber Security
 
Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020
Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020
Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020BGA Cyber Security
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriBGA Cyber Security
 
Webinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
Webinar: Siber Güvenlikte Olgunluk Seviyesini ArttırmakWebinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
Webinar: Siber Güvenlikte Olgunluk Seviyesini ArttırmakBGA Cyber Security
 
Open Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIOpen Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIBGA Cyber Security
 
Webinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner Güvenliği
Webinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner GüvenliğiWebinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner Güvenliği
Webinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner GüvenliğiBGA Cyber Security
 
Hacklenmiş Windows Sistem Analizi
Hacklenmiş Windows Sistem AnaliziHacklenmiş Windows Sistem Analizi
Hacklenmiş Windows Sistem AnaliziBGA Cyber Security
 
RAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİ
RAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİRAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİ
RAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİBGA Cyber Security
 
BGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing Raporu
BGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing RaporuBGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing Raporu
BGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing RaporuBGA Cyber Security
 
SOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu Çözümler
SOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu ÇözümlerSOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu Çözümler
SOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu ÇözümlerBGA Cyber Security
 
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of SecretsVeri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of SecretsBGA Cyber Security
 
Aktif Dizin (Active Directory) Güvenlik Testleri - I: Bilgi Toplama
Aktif Dizin (Active Directory) Güvenlik Testleri - I:  Bilgi ToplamaAktif Dizin (Active Directory) Güvenlik Testleri - I:  Bilgi Toplama
Aktif Dizin (Active Directory) Güvenlik Testleri - I: Bilgi ToplamaBGA Cyber Security
 

More from BGA Cyber Security (20)

WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
 
Tatil Öncesi Güvenlik Kontrol Listesi.pdf
Tatil Öncesi Güvenlik Kontrol Listesi.pdfTatil Öncesi Güvenlik Kontrol Listesi.pdf
Tatil Öncesi Güvenlik Kontrol Listesi.pdf
 
Ücretsiz Bilgi Güvenliği Farkındalık Eğitimi
Ücretsiz Bilgi Güvenliği Farkındalık EğitimiÜcretsiz Bilgi Güvenliği Farkındalık Eğitimi
Ücretsiz Bilgi Güvenliği Farkındalık Eğitimi
 
3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
 
Webinar: Popüler black marketler
Webinar: Popüler black marketlerWebinar: Popüler black marketler
Webinar: Popüler black marketler
 
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıWebinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
 
Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020
Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020
Açık Kaynak Kodlu Çözümler Kullanarak SOC Yönetimi SOAR & IRM Webinar - 2020
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
 
Webinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
Webinar: Siber Güvenlikte Olgunluk Seviyesini ArttırmakWebinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
Webinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
 
Open Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIOpen Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-II
 
Webinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner Güvenliği
Webinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner GüvenliğiWebinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner Güvenliği
Webinar Sunumu: Saldırı, Savunma ve Loglama Açısından Konteyner Güvenliği
 
Hacklenmiş Windows Sistem Analizi
Hacklenmiş Windows Sistem AnaliziHacklenmiş Windows Sistem Analizi
Hacklenmiş Windows Sistem Analizi
 
Open Source SOC Kurulumu
Open Source SOC KurulumuOpen Source SOC Kurulumu
Open Source SOC Kurulumu
 
RAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİ
RAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİRAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİ
RAKAMLARIN DİLİ İLE 2020 YILI SIZMA TESTLERİ
 
Siber Fidye 2020 Raporu
Siber Fidye 2020 RaporuSiber Fidye 2020 Raporu
Siber Fidye 2020 Raporu
 
BGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing Raporu
BGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing RaporuBGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing Raporu
BGA Türkiye Bankacılık Sektörü 1. Çeyrek Phishing Raporu
 
SOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu Çözümler
SOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu ÇözümlerSOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu Çözümler
SOC Kurulumu ve Yönetimi İçin Açık Kaynak Kodlu Çözümler
 
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of SecretsVeri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
 
Aktif Dizin (Active Directory) Güvenlik Testleri - I: Bilgi Toplama
Aktif Dizin (Active Directory) Güvenlik Testleri - I:  Bilgi ToplamaAktif Dizin (Active Directory) Güvenlik Testleri - I:  Bilgi Toplama
Aktif Dizin (Active Directory) Güvenlik Testleri - I: Bilgi Toplama
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Bir macOS APT Senaryosu

  • 1. Bir macOS APT Senaryosu Onur ALANBEL
  • 2. $id -un • Product Manager - Picus Security • Bilgisayar Mühendisliği – İYTE • Twitter - @onuralanbel • Github - onura
  • 4. Hedef olarak macOS Üst düzey hedeflerde yaygın kullanım Düşük güvenlik önlemleri (gözden uzak) Gerçek hayat örnekleri • Lazarus • Windtail • Diğerleri
  • 5. İlk erişim Exploit (0 to 2-3 days) • Safari • MS Office for Mac • Preview Keynote, Numbers vb. Zafiyet değil özellik • URL Scheme Handlers Diğerleri
  • 6. URL Schemes • Document Handlers • URL schemes • URL scheme kaydeden bir paket oluşturma • Download + forward ile istismar
  • 7. URL Schemes • Document Handlers CFBundleTypeExtensions = ( rtf ); CFBundleTypeName = "Rich Text Document"; CFBundleTypeRole = Editor; LSItemContentTypes = ( /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/l sregister -dump |grep -a5 -b5 TypeExtension Bundle • Info.plist • CFBundleTypeExtension Dosya Diske Yazılır macOS Document Handler kaydeder
  • 8. URL Schemes • URL Schemes /System/Library/Frameworks/CoreServices.framework/Frameworks/Launc hServices.framework/Support/lsregister -dump |grep -a5 -b5 -i CFBundleURLSchemessssh:// CFBundleURLTypes = ( { CFBundleURLName = "ssh URL"; CFBundleURLSchemes = ( ssh ); }, { CFBundleURLName = "x-man-page URL"; ssh ); } );
  • 9. URL Schemes • URL Schemes videoconf:// Info.plist
  • 10. Implant Seçimi SSH Backdoor • Basit ve etkili Mettle • Stabil • Post exploitation kolay Empire • Stabil • Güçlü C2 iletişimi • Post exploitation kolay EvilOSXs • macOS'e özel bir çok post exploitation modülü
  • 11. Empire stager ile paket oluşturma Http listener osx/macho stager stager > macosapt.app
  • 13. Gatekeeper İmzalı app kullanmak • Windtail kullanıyor Gatekeeper bypass (0 or 2-3 days) • Hemen her versiyonda bulunabiliyor İlk erişimden sonra curl + exec • Bir çok macOS zararlısı kullanıyor Homograph • Genelde GK bypass ile beraber ikna edici dosya isimleri oluşturmakta kullanılır
  • 14. Yetki Yükseltme • Local Privilege Escalation Exploit (CVE-2019-8513) • macOS 10.14.3 • Password Phishing • macOS 10.14.4
  • 15. Kalıcılık • Mail <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0"> <plist version="1.0"> <dict> <key>Label</key> <string>com.proxy.initialize</string> <key>ProgramArguments</key> <array> <string>/usr/local/macosapt</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> </dict> </plist> <dict> <key>AllCriteriaMustBeSatisfied</key> <string>NO</string> <key>AppleScript</key> <string>persist.scpt</string> <key>AutoResponseType</key> <integer>0</integer> <key>Criteria</key> <array> <dict> ----- <key>Expression</key> <string>macosAPT</string> <key>Header</key> ------ • Launch Daemon
  • 16. Veri Toplama ve Kaçırma Dump keychain without root • CVE-2019-8526 • Keychain Stealer App Keychain masterkey in memory • Keychaindump • Keychaindump chainbreaker macOS’e özel olmayan diğerleri • Dump Chrome passwords • Browser history • Keylogging • Screenshots • Mic recording
  • 18. Referanslar • https://www.sentinelone.com/blog/how-malware-bypass-macos-gatekeeper/ • https://digitasecurity.com/blog/2018/08/30/windshift/ • https://www.n00py.io/2016/10/using-email-for-persistence-on-os-x/ • https://null-byte.wonderhowto.com/how-to/hacking-macos-perform-privilege-escalation-part-2-password-phishing-0186332/ • https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43?sk=3970823f97714fac1d04d75325e3cbac • https://www.willmaster.com/library/features/download-and-redirect-with-one-click.php