Open coolcoolnoworries opened 2 months ago
Oh wow, this looks awesome! Sorry for the late comment on this, I didn't even notice there was an open PR until today! I'll check it out and let you know how it looks!
Have you had success with the HideApp flag? I do something really similar in the Apfell agent, https://github.com/MythicAgents/apfell/blob/master/Payload_Type/apfell/apfell/agent_code/launchapp.js#L9, but even when specifying to hide, it never hides :/
Haha, it's a weird one, I've never had success with a full hide using that flag either. Best I can tell, it just prevents the app from spawning a window, but it still pops up in the dock. For something close to a true hide, I've had the most success with setting LSUIElement to "1" in a bundle's Info.plist, but that would mean either changing an existing bundle on disk - invalidating the sig - or bringing your own custom one to drop. Something like this:
<key>LSUIElement</key>
<string>1</string>
Sending a pull request to add "lsopen" as a new command.
Uses the LaunchServices API to run applications and binaries directly out of PID 1 (launchd), the macOS equivalent of explorer.exe on Windows. Using "shell" or "run" commands will spawn processes directly as children. With "lsopen", the command can work as a form of PPID spoofing, which is especially helpful to evade detections built around strange process trees.
For example, the following pstree output shows ping as a child process of the poseidon payload "testbeforepush", as it was spawned with the "run" command. Seeing the ping binary (or any other native binary) spawning out of an unsigned poseidon payload can lead to high fidelity opportunities for detection, since it's not typical.
If we use "lsopen" instead, we can detach from the process tree and avoid correlation with our payload.
Added logic to stomp the "_" variable to match the spawned path, which removes an IoC that would normally point back to the poseidon process.
Added logic to unset the DYLD_INSERT_LIBRARIES var if it's present, so that we don't have any issues with inherited dylib injections into the new process.
Also created a documentation page for the command to explain usage and nuances.
Added opsec bonus: currently, as of July 18 2024, neither TrueTree nor direct ESF can determine the true parent of a process spawned with lsopen.
Last note is that application/binary output is not accessible when run through lsopen, since the parent process is no longer the poseidon payload. If the application/binary has an output argument (like nmap -o), that can be used as a workaround to this limitation. Otherwise, this is most useful for running detached processes where we don't care or need to receive the output directly (e.g. application bundles, dedicated clipboard monitors, other payloads, tools with alternative output capabilities, etc.).
This is my first time pushing a new command, so please let me know if I missed anything in the process. Apologies in advance if I did, I can modify as needed. Thanks.
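A detection-side sketch of the process-tree heuristics the PR description talks around, added here as an example and not part of the PR or of Poseidon: it runs three checks over a constructed process table modelled on the "testbeforepush" / ping scenario above, once with ping spawned as a child of the payload ("run") and once re-parented to launchd ("lsopen"). The PIDs, paths, `Proc` fields and the `LAUNCHD_EXPECTED` allowlist are assumptions for illustration; a real collector would fill the table from ESF or ps and derive the allowlist from the LaunchDaemons/LaunchAgents plists.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAUNCHD_PID = 1
# Locations of Apple-shipped native binaries (assumed prefix list).
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/System/")
# Constructed allowlist of things launchd is expected to parent directly.
# In practice this is built from the LaunchDaemons/LaunchAgents plists.
LAUNCHD_EXPECTED = {"/usr/libexec/trustd"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    path: str
    signed: bool                        # binary carries a valid code signature
    env_underscore: Optional[str] = None  # value of the "_" env var, if collected


def is_system_binary(path: str) -> bool:
    return path.startswith(SYSTEM_PREFIXES)


def is_bundled_app(path: str) -> bool:
    """An app bundle main executable under /Applications or /System."""
    return "/Contents/MacOS/" in path and path.startswith(("/Applications/", "/System/"))


def analyze(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for processes matching any heuristic."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # Rule 1: a native binary whose parent is an unsigned, non-system
        # executable (the "run" case: ping under the payload).
        if (parent is not None and parent.pid != LAUNCHD_PID
                and is_system_binary(p.path)
                and not parent.signed and not is_system_binary(parent.path)):
            findings.append((p.pid, "native-binary-from-unsigned-parent"))
        # Rule 2: parented straight to launchd but neither an app bundle nor
        # an allowlisted daemon/agent (what is left to see after "lsopen").
        if (p.ppid == LAUNCHD_PID and not is_bundled_app(p.path)
                and p.path not in LAUNCHD_EXPECTED):
            findings.append((p.pid, "unexpected-launchd-child"))
        # Rule 3: "_" does not match the executable path. Weak on its own,
        # and the PR above stomps it, so its absence proves nothing.
        if p.env_underscore is not None and p.env_underscore != p.path:
            findings.append((p.pid, "env-underscore-mismatch"))
    return findings


# Constructed sample process table (not real telemetry).
SAMPLE_PROCS = [
    Proc(1, 0, "/sbin/launchd", True),
    Proc(200, 1, "/usr/libexec/trustd", True),
    Proc(300, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", True),
    Proc(400, 300, "/bin/zsh", True),
    # unsigned payload started from the shell (hypothetical path)
    Proc(500, 400, "/Users/alice/Downloads/testbeforepush", False,
         "/Users/alice/Downloads/testbeforepush"),
    # ping spawned with "run": child of the payload, "_" still points at it
    Proc(501, 500, "/sbin/ping", True, "/Users/alice/Downloads/testbeforepush"),
    # ping spawned with "lsopen": re-parented to launchd, "_" already stomped
    Proc(502, 1, "/sbin/ping", True, "/sbin/ping"),
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_PROCS):
        print(f"pid {pid}: {finding}")
```

Rule 1 fires only for the "run" case, which is exactly the tree the PR set out to avoid. Once ping is re-parented to launchd, rule 2 is the only thing left, and it is noisy unless the launchd allowlist is complete, which is the practical reason the PR can claim TrueTree and ESF lose the real parent. Rule 3 shows why the `_` stomping matters: it closes the last cheap correlation back to the payload.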