SlideShare a Scribd company logo

Red Teaming macOS Environments with Hermes the Swift Messenger

J
Justin Bui

Swift 5 agent targeting macOS for the Mythic framework

Technology
1 of 52
Download to read offline
Red Teaming macOS Environments with Hermes the Swift Messenger Justin Bui (@slyd0g)
slyd0g@mac~$ whoami ▫ @slyd0g ▫ Red teamer at Zoom, previously consultant at SpecterOps ⬝ Views and research are my own ▫ Interested in all things security and skateboarding 2
SUMMARY 1. Swift Programming Language 2. Mythic Framework 3. Hermes Payload a. Development b. Functionality 4. Detecting Hermes 3
1. Swift What is Swift? Pros and cons as a post-exploitation language? Current Swift tooling?
WHAT IS SWIFT? ▫ High-level programming language developed by Apple ⬝ Swift 1.0 released in 2014 ⬝ Swift 5.3 enabled cross-platform support (macOS, Windows, Linux) ⬝ Designed to be successor to ObjC ▫ Uses Objective-C runtime library ⬝ Allows for C/C++/ObjC/Swift code to run in a single program (!) 5
COMPILING AND EXECUTING SWIFT ▫ Can be executed in a variety of ways: ⬝ Command line: ⬝ swift shellcon.swift ⬝ ./shellcon ⬝ Double clicking on: ⬝ Compiled Macho-O executable ▫ Swift compiler/toolchain is not installed by default ⬝ Swift libraries installed as of macOS Mojave 10.14.4¹ 6
(SOME) COMMON LANGUAGES FOR MACOS POST-EXPLOITATION JXA ▫ Pros ▫ LOLBin for execution (osascript) ▫ ObjC bridge allows access to ObjC API ▫ Cons ▫ Single-threaded ▫ Development abandoned by Apple team ▫ Examples ⬝ Apfell² ⬝ SwiftBelt-JXA³ ⬝ PersistentJXA⁴ Python ▫ Pros ▫ LOLBin for execution (python/python3) ▫ Cons ▫ Apple stated scripting languages are deprecated and removed in future versions ▫ More heavily signatured ▫ Examples ⬝ Medusa⁵ ⬝ Empire⁶ ⬝ chainbreaker⁷ Golang ▫ Pros ▫ Cross-compilation for many OS ▫ Easily integrates ObjC/C/C++ code ▫ Cons ▫ Large sized binary ▫ Examples ⬝ Poseidon⁸ ⬝ xpcutil⁹ ⬝ Sliver¹⁰ 7
Pros ▫ Multithreading ▫ Access to macOS APIs ▫ Easier to develop than ObjC/JXA ▫ Can call C/C++/ObjC with bridging headers ▫ App whitelisting bypass with swift WHY SWIFT FOR POST-EXPLOITATION? Cons ▫ Swift compiler/toolchain is not installed by default ▫ Unsigned binaries may be subject to more scrutiny versus scripts 8
EXAMPLES OF SWIFT TOOLING ▫ https://github.com/cedowens/SwiftBelt ▫ https://github.com/cedowens/MacShellSwift ▫ https://github.com/cedowens/Swift-Attack ▫ https://github.com/slyd0g/SwiftSpy ▫ https://github.com/slyd0g/SwiftParseTCC ▫ https://github.com/richiercyrus/Venator-Swift ▫ https://github.com/SuprHackerSteve/Crescendo 9
10
2. Introducing Mythic What is Mythic?
A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming. 12 https://github.com/its-a-feature/Mythic
WHAT IS MYTHIC? ▫ Open Source at https://github.com/its-a-feature/Mythic ⬝ Documentation at https://docs.mythic-c2.net/ ▫ Modular and customizable framework ▫ Docker is used to separate all Mythic components ▫ Operators simply connect via a browser 13
WANT BIG IMPACT? USE BIG IMAGE. 14
MYTHIC PAYLOADS FOR MACOS ▫ The following payloads all use ObjC API calls to interact with macOS ▫ Apfell (JXA) ⬝ LOLBin can be used for execution (osascript) ⬝ Supports download cradles ⬝ Great for initial access ▫ Poseidon (Golang) ⬝ Larger payload, but more features (like SOCKS, threading) ⬝ Great for 2nd stage payload ▫ Medusa (Python) ⬝ LOLBin can be used for execution (python/python3) ⬝ Dynamic loading and unloading of python modules 15
3A. Introducing Hermes (Development) The Swift Messenger
WHAT IS HERMES? ▫ Hermes¹¹ is a Mythic payload targeting macOS written in Swift 5 ⬝ Tested on Catalina and Big Sur ▫ Encrypted key exchange for secure communications ▫ Post-exploitation modules ⬝ Enumeration ⬝ Upload/download ⬝ Execution ⬝ Job control 17
MOTIVATION FOR WRITING HERMES ▫ Straightforward and fun way to learn macOS internals ⬝ File system ⬝ Processes ⬝ Transparency, Consent, and Control (TCC) ▫ Opportunity to learn Swift ⬝ HTTP requests ⬝ Encrypted key exchange ▫ Previously wrote C2 for Windows called SK8RAT/SK8PARK ⬝ Hated writing the server component 18
CROSS-COMPILING FOR MACOS ▫ Goal: Compile Swift to Mach-O from Linux container ⬝ Make it easier for end user to compile payloads directly through Mythic without setting up external build systems ▫ https://github.com/tpoechtrager/osxcross ⬝ Doesn’t support Swift ▫ https://github.com/sickcodes/Docker-OSX ⬝ Needs to be run on a macOS host, whereas C2 servers traditionally run on Linux ▫ AWS Pipeline / GitHub Actions ⬝ Wanted a free solution that also kept payload config under end user’s control 19
DARWIN + LINUX = DARLING ▫ Darwin/macOS emulation layer for Linux ⬝ http://www.darlinghq.org/ ⬝ https://github.com/darlinghq/darling ▫ Free and open-source software, great community on their Discord server ▫ Wine for macOS ⬝ Install software (Xcode, Command Line Tools, etc.) ⬝ Can compile and run programs (!) 20
CROSS-COMPILATION WITH DARLING 21
CROSS-COMPILATION WITH DARLING ▫ Some tricks to get Darling to work with Docker ⬝ Darling Linux kernel module installed on host ⬝ Run modprobe darling-mach before the container starts as root to load the kernel module ⬝ Container must be run in privileged mode ▫ Swift code could be compiled within a Docker container on a Linux host 22
3B. Introducing Hermes (Functionality) The Swift Messenger
SECURE COMMUNICATIONS ▫ Encrypted Key Exchange ⬝ Client-side generated RSA keys ▫ Unique session keys per implant ▫ Forward secrecy ▫ Encrypted messages ⬝ Agent messages ⬝ Upload/download 24
25
JOB ARCHITECTURE ▫ Commands issued into Mythic turns into a job on the Hermes side ▫ Each job executes in a separate thread ⬝ threadId is tracked to kill job at anytime ▫ Supports long running jobs or jobs that don’t return immediately ⬝ Upload/download ⬝ Clipboard monitoring ⬝ While loop 26
UPLOAD/DOWNLOAD ▫ Performed in 512kb chunks over multiple C2 requests ⬝ Encrypted with session key negotiated during EKE ⬝ URLRequest struct, URLSession class ▫ upload will incrementally create file on disc ⬝ Entire file never stored in Hermes memory at once ▫ download will send 512kb chunks up to Mythic ⬝ Recreate file on the server once all chunks are received ▫ Can be done from file browser as well! 27
FILE SYSTEM INTERACTION ▫ Implemented using methods from FileManager class ⬝ cd: Change directory ⬝ ls: List contents of directory ⬝ pwd: Print working directory ⬝ mkdir: Make a new directory ⬝ mv: Move a file or directory to another location ⬝ cp: Copy a file or directory to another location ⬝ rm: Remove a file or directory ▫ Can be done from file browser as well! ⬝ ls ⬝ rm 28
LISTING DIRECTORIES 29
FILE BROWSER 30
SHELL AND BINARY EXECUTION ▫ run: Execute a binary on disc with arguments ⬝ Process class to execute the binary ⬝ Pipe class to capture output ▫ shell: Execute a bash command with “/bin/bash -c” ⬝ Similar to run, just use /bin/bash as the binary ⬝ Useful if you need input/output redirection 31
SHELL COMMAND 32
IN-MEMORY JXA EXECUTION ▫ Achieved with OSAScript class ⬝ Can also run AppleScript in memory ▫ jxa: Execute arbitrary JXA ▫ jxa_import: Load JXA script into memory ▫ jxa_call: Call functions within scripts ▫ Can load in lots of 3rd party tooling this way ⬝ https://github.com/its-a-feature/HealthInsp ector ⬝ https://github.com/its-a-feature/Orchard ⬝ https://github.com/D00MFist/PersistentJXA ⬝ https://github.com/antman1p/PrintTCCdb 33
PROCESS INTERACTION ▫ ps: Gather list of running processes by parsing kinfo_proc struct from sysctl routine ▫ list_apps: Gather a list of running applications using NSWorkspace.runningApplications ▫ Kill a running process ⬝ shell kill <PID> 34
PROCESS BROWSER 35
SCREENSHOT ▫ Requires Screen Recording permissions from TCC ▫ screenshot: Uses Core GraphicsAPI to perform a screen capture of all displays ⬝ First call to CGGetActiveDisplayList to obtain number of active displays ⬝ Second call to CGGetActiveDisplayList gets list of active displays ⬝ Loop through displays and grab image with CGDisplayCreateImage ⬝ Send image to Mythic over C2 36
CLIPBOARD MONITORING ▫ clipboard: Monitor and log any changes to the system clipboard ⬝ NSPasteboard class used to interact with clipboard ⬝ changeCount property increases when clipboard ownership changes ⬝ No clipboard notification to listen for, most resort to polling 😭 ▫ Root does not have access to the general pasteboard! 37
SAFETY CHECKS & TCC ENUMERATION ▫ fda_check: Checks if your current process has “Full Disk Access” permissions ⬝ Attempts to open a file handle to ~/Library/Application Support/com.apple.TCC/TCC.db ⬝ Discovered and inspired by Cedric Owens (@cedowens) ▫ list_tcc: List entries in specified TCC database ⬝ Requires “Full Disk Access” ⬝ Reads data from sqlite database ⬝ TCC db schema changes over macOS versions ⬝ Currently supports Big Sur and above 38
PLIST ENUMERATION ▫ plist_print: Return contents of a plist file ⬝ Can parse XML, JSON or binary ⬝ Determines type by checking first byte of the file ⬝ Uses PropertyListSerialization class to parse the data 39
ENVIRONMENTAL VARIABLE CONTROL ▫ env: List out environment variables ⬝ Reads data from ProcessInfo class which has an environment field ▫ setenv: Set environment variable ⬝ Uses setenv from Darwin stdlib ⬝ If you specify an existing environment variable, will overwrite ▫ unsetenv: Unset an environment variable ⬝ Uses unsetenv from Darwin stdlib 40
4. Detecting Hermes Apple’s Endpoint Security Framework (ESF)
ENDPOINT SECURITY FRAMEWORK (ESF) ▫ Apple pushed 3rd-party developers out of the kernel in Big Sur ⬝ Included security products ▫ ESF allows vendors to subscribe to several system events ⬝ Process ⬝ File ⬝ Module/library loads ▫ Several free and open-source tools ⬝ Appmon¹² (@xorrior) ⬝ Crescendo¹³ (@SuprHackerSteve) ⬝ FileMonitor/ProcessMonitor¹⁴ (@patrickwardle) 42
DETECTING SHELL COMMANDS 43 ▫ Running “shell” from Mythic ▫ process::exec event in Crescendo
WHAT ARE LAUNCH AGENTS? ▫ Background process that launches when a user logs in ▫ Launch agents are defined in property list files in the following locations: ⬝ /Library/LaunchAgents ⬝ /Users/<username>/Library/LaunchAgents ⬝ /System/Library/LaunchAgents ▫ Attackers can utilize this for persistence! 44
WHAT ARE LAUNCH AGENTS? 45
DETECTING LAUNCH AGENTS ▫ Uploading Launch Agent plist from Mythic 46 ▫ file::create event in Crescendo
DETECTING FDA_CHECK 47
DETECTING LIST_TCC 48
INSTALL HERMES 1. Install Mythic (https://github.com/its-a-feature/Mythic) on Ubuntu 20.10 2. Install the Darling kernel module (https://github.com/darlinghq/darling/releases/download/v0.1.20210224/d arling-dkms_0.1.20210224.testing_amd64.deb) 3. Execute modprobe darling-mach as root to load the kernel module 4. sudo ./mythic-cli install github https://github.com/MythicAgents/hermes 5. sudo ./mythic-cli payload start hermes 49
REFERENCES 1. https://developer.apple.com/documentatio n/xcode-release-notes/swift-5-release-notes -for-xcode-10_2 2. https://github.com/MythicAgents/apfell 3. https://github.com/cedowens/SwiftBelt-JXA 4. https://github.com/D00MFist/PersistentJX A 5. https://github.com/MythicAgents/Medusa 6. https://github.com/EmpireProject/Empire 7. https://github.com/n0fate/chainbreaker 8. https://github.com/MythicAgents/poseidon 9. https://github.com/xorrior/xpcutil 10. https://github.com/BishopFox/sliver 11. https://github.com/MythicAgents/hermes 12. https://bitbucket.org/xorrior/appmon/src/ master/ 13. https://github.com/SuprHackerSteve/Cresc endo 14. https://objective-see.com/products/utilities .html 50
THANK YOU ▫ Big thanks to Cody Thomas (@its_a_feature_) who helped me endlessly when I ran into bugs during development ▫ Thank you to all my coworkers for reviewing my content ▫ Thank you Brian Reitz for the awesome THPS2 photoshop :D ▫ Thank you ShellCon for allowing me to share my work ▫ Thank you for coming and listening! ▫ Presentation template by SlidesCarnival ▫ Photographs by Unsplash 51
THANKS! Any questions? You can find me at: @slyd0g on Twitter and #mythic channel in BloodHound Gang Slack 52

Recommended

Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Securemohannadalhanahnah
 
Secure shell
Secure shellSecure shell
Secure shellArjun Aj
 
Mlag invisibile layer 2 redundancy
Mlag invisibile layer 2 redundancyMlag invisibile layer 2 redundancy
Mlag invisibile layer 2 redundancyCumulus Networks
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain DemystifiedBangladesh Network Operators Group
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Masahiko Sawada
 

Recommended

Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Securemohannadalhanahnah
 
Secure shell
Secure shellSecure shell
Secure shellArjun Aj
 
Mlag invisibile layer 2 redundancy
Mlag invisibile layer 2 redundancyMlag invisibile layer 2 redundancy
Mlag invisibile layer 2 redundancyCumulus Networks
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain DemystifiedBangladesh Network Operators Group
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Masahiko Sawada
 
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley KuoCODE BLUE
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWYudi Arijanto
 
Intel dpdk Tutorial
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk TutorialSaifuddin Kaijar
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumScyllaDB
 
Hardware & Software Platforms for HPC, AI and ML
Hardware & Software Platforms for HPC, AI and MLHardware & Software Platforms for HPC, AI and ML
Hardware & Software Platforms for HPC, AI and MLinside-BigData.com
 
Dynamic Reconfiguration of Apache ZooKeeper
Dynamic Reconfiguration of Apache ZooKeeperDynamic Reconfiguration of Apache ZooKeeper
Dynamic Reconfiguration of Apache ZooKeeperDataWorks Summit
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Infocyte
 
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyAlberto Rivai
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Vietnam Open Infrastructure User Group
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
 
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK
 
Advanced Aruba ClearPass Workshop
Advanced Aruba ClearPass WorkshopAdvanced Aruba ClearPass Workshop
Advanced Aruba ClearPass WorkshopAruba, a Hewlett Packard Enterprise company
 
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...LF_DPDK
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityBrendan Gregg
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Revisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerRevisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerYongseok Oh
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015Massimiliano Dessì
 

More Related Content

What's hot

[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley KuoCODE BLUE
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWYudi Arijanto
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumScyllaDB
 
Hardware & Software Platforms for HPC, AI and ML
Hardware & Software Platforms for HPC, AI and MLHardware & Software Platforms for HPC, AI and ML
Hardware & Software Platforms for HPC, AI and MLinside-BigData.com
 
Dynamic Reconfiguration of Apache ZooKeeper
Dynamic Reconfiguration of Apache ZooKeeperDynamic Reconfiguration of Apache ZooKeeper
Dynamic Reconfiguration of Apache ZooKeeperDataWorks Summit
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Infocyte
 
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyAlberto Rivai
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Vietnam Open Infrastructure User Group
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
 
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK
 
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...LF_DPDK
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityBrendan Gregg
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Revisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerRevisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerYongseok Oh
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 

What's hot (20)

[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFW
 
Intel dpdk Tutorial
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk Tutorial
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in Cilium
 
Hardware & Software Platforms for HPC, AI and ML
Hardware & Software Platforms for HPC, AI and MLHardware & Software Platforms for HPC, AI and ML
Hardware & Software Platforms for HPC, AI and ML
 
Dynamic Reconfiguration of Apache ZooKeeper
Dynamic Reconfiguration of Apache ZooKeeperDynamic Reconfiguration of Apache ZooKeeper
Dynamic Reconfiguration of Apache ZooKeeper
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
 
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEM
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on Mikrotik
 
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
 
Advanced Aruba ClearPass Workshop
Advanced Aruba ClearPass WorkshopAdvanced Aruba ClearPass Workshop
Advanced Aruba ClearPass Workshop
 
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Revisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerRevisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS Scheduler
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
 

Similar to Red Teaming macOS Environments with Hermes the Swift Messenger

Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014Carlo Bonamico
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesJérôme Petazzoni
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Patrick Chanezon
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to productionmuayyad alsadi
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Jim Birch
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Duke Docker Day 2014: Research Applications with Docker
Duke Docker Day 2014: Research Applications with DockerDuke Docker Day 2014: Research Applications with Docker
Duke Docker Day 2014: Research Applications with DockerDarin London
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Ricardo Amaro
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionJérôme Petazzoni
 
Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Aleksey Tkachenko
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkJérôme Petazzoni
 
Docker Essentials Workshop— Innovation Labs July 2020
Docker Essentials Workshop— Innovation Labs July 2020Docker Essentials Workshop— Innovation Labs July 2020
Docker Essentials Workshop— Innovation Labs July 2020CloudHero
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Walid Shaari
 

Similar to Red Teaming macOS Environments with Hermes the Swift Messenger (20)

Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015
 
Docker Ecosystem on Azure
Docker Ecosystem on AzureDocker Ecosystem on Azure
Docker Ecosystem on Azure
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 
Docker linuxday 2015
Docker linuxday 2015Docker linuxday 2015
Docker linuxday 2015
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
 
JOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to ProductionJOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to Production
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Duke Docker Day 2014: Research Applications with Docker
Duke Docker Day 2014: Research Applications with DockerDuke Docker Day 2014: Research Applications with Docker
Duke Docker Day 2014: Research Applications with Docker
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New York
 
Docker Essentials Workshop— Innovation Labs July 2020
Docker Essentials Workshop— Innovation Labs July 2020Docker Essentials Workshop— Innovation Labs July 2020
Docker Essentials Workshop— Innovation Labs July 2020
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 

Recently uploaded

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Red Teaming macOS Environments with Hermes the Swift Messenger

  • 1. Red Teaming macOS Environments with Hermes the Swift Messenger Justin Bui (@slyd0g)
  • 2. slyd0g@mac~$ whoami ▫ @slyd0g ▫ Red teamer at Zoom, previously consultant at SpecterOps ⬝ Views and research are my own ▫ Interested in all things security and skateboarding 2
  • 3. SUMMARY 1. Swift Programming Language 2. Mythic Framework 3. Hermes Payload a. Development b. Functionality 4. Detecting Hermes 3
  • 4. 1. Swift What is Swift? Pros and cons as a post-exploitation language? Current Swift tooling?
  • 5. WHAT IS SWIFT? ▫ High-level programming language developed by Apple ⬝ Swift 1.0 released in 2014 ⬝ Swift 5.3 enabled cross-platform support (macOS, Windows, Linux) ⬝ Designed to be successor to ObjC ▫ Uses Objective-C runtime library ⬝ Allows for C/C++/ObjC/Swift code to run in a single program (!) 5
  • 6. COMPILING AND EXECUTING SWIFT ▫ Can be executed in a variety of ways: ⬝ Command line: ⬝ swift shellcon.swift ⬝ ./shellcon ⬝ Double clicking on: ⬝ Compiled Macho-O executable ▫ Swift compiler/toolchain is not installed by default ⬝ Swift libraries installed as of macOS Mojave 10.14.4¹ 6
  • 7. (SOME) COMMON LANGUAGES FOR MACOS POST-EXPLOITATION JXA ▫ Pros ▫ LOLBin for execution (osascript) ▫ ObjC bridge allows access to ObjC API ▫ Cons ▫ Single-threaded ▫ Development abandoned by Apple team ▫ Examples ⬝ Apfell² ⬝ SwiftBelt-JXA³ ⬝ PersistentJXA⁴ Python ▫ Pros ▫ LOLBin for execution (python/python3) ▫ Cons ▫ Apple stated scripting languages are deprecated and removed in future versions ▫ More heavily signatured ▫ Examples ⬝ Medusa⁵ ⬝ Empire⁶ ⬝ chainbreaker⁷ Golang ▫ Pros ▫ Cross-compilation for many OS ▫ Easily integrates ObjC/C/C++ code ▫ Cons ▫ Large sized binary ▫ Examples ⬝ Poseidon⁸ ⬝ xpcutil⁹ ⬝ Sliver¹⁰ 7
  • 8. Pros ▫ Multithreading ▫ Access to macOS APIs ▫ Easier to develop than ObjC/JXA ▫ Can call C/C++/ObjC with bridging headers ▫ App whitelisting bypass with swift WHY SWIFT FOR POST-EXPLOITATION? Cons ▫ Swift compiler/toolchain is not installed by default ▫ Unsigned binaries may be subject to more scrutiny versus scripts 8
  • 9. EXAMPLES OF SWIFT TOOLING ▫ https://github.com/cedowens/SwiftBelt ▫ https://github.com/cedowens/MacShellSwift ▫ https://github.com/cedowens/Swift-Attack ▫ https://github.com/slyd0g/SwiftSpy ▫ https://github.com/slyd0g/SwiftParseTCC ▫ https://github.com/richiercyrus/Venator-Swift ▫ https://github.com/SuprHackerSteve/Crescendo 9
  • 10. 10
  • 12. A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming. 12 https://github.com/its-a-feature/Mythic
  • 13. WHAT IS MYTHIC? ▫ Open Source at https://github.com/its-a-feature/Mythic ⬝ Documentation at https://docs.mythic-c2.net/ ▫ Modular and customizable framework ▫ Docker is used to separate all Mythic components ▫ Operators simply connect via a browser 13
  • 14. WANT BIG IMPACT? USE BIG IMAGE. 14
  • 15. MYTHIC PAYLOADS FOR MACOS ▫ The following payloads all use ObjC API calls to interact with macOS ▫ Apfell (JXA) ⬝ LOLBin can be used for execution (osascript) ⬝ Supports download cradles ⬝ Great for initial access ▫ Poseidon (Golang) ⬝ Larger payload, but more features (like SOCKS, threading) ⬝ Great for 2nd stage payload ▫ Medusa (Python) ⬝ LOLBin can be used for execution (python/python3) ⬝ Dynamic loading and unloading of python modules 15
  • 17. WHAT IS HERMES? ▫ Hermes¹¹ is a Mythic payload targeting macOS written in Swift 5 ⬝ Tested on Catalina and Big Sur ▫ Encrypted key exchange for secure communications ▫ Post-exploitation modules ⬝ Enumeration ⬝ Upload/download ⬝ Execution ⬝ Job control 17
  • 18. MOTIVATION FOR WRITING HERMES ▫ Straightforward and fun way to learn macOS internals ⬝ File system ⬝ Processes ⬝ Transparency, Consent, and Control (TCC) ▫ Opportunity to learn Swift ⬝ HTTP requests ⬝ Encrypted key exchange ▫ Previously wrote C2 for Windows called SK8RAT/SK8PARK ⬝ Hated writing the server component 18
  • 19. CROSS-COMPILING FOR MACOS ▫ Goal: Compile Swift to Mach-O from Linux container ⬝ Make it easier for end user to compile payloads directly through Mythic without setting up external build systems ▫ https://github.com/tpoechtrager/osxcross ⬝ Doesn’t support Swift ▫ https://github.com/sickcodes/Docker-OSX ⬝ Needs to be run on a macOS host, whereas C2 servers traditionally run on Linux ▫ AWS Pipeline / GitHub Actions ⬝ Wanted a free solution that also kept payload config under end user’s control 19
  • 20. DARWIN + LINUX = DARLING ▫ Darwin/macOS emulation layer for Linux ⬝ http://www.darlinghq.org/ ⬝ https://github.com/darlinghq/darling ▫ Free and open-source software, great community on their Discord server ▫ Wine for macOS ⬝ Install software (Xcode, Command Line Tools, etc.) ⬝ Can compile and run programs (!) 20
  • 22. CROSS-COMPILATION WITH DARLING ▫ Some tricks to get Darling to work with Docker ⬝ Darling Linux kernel module installed on host ⬝ Run modprobe darling-mach before the container starts as root to load the kernel module ⬝ Container must be run in privileged mode ▫ Swift code could be compiled within a Docker container on a Linux host 22
  • 24. SECURE COMMUNICATIONS ▫ Encrypted Key Exchange ⬝ Client-side generated RSA keys ▫ Unique session keys per implant ▫ Forward secrecy ▫ Encrypted messages ⬝ Agent messages ⬝ Upload/download 24
  • 25. 25
  • 26. JOB ARCHITECTURE ▫ Commands issued into Mythic turns into a job on the Hermes side ▫ Each job executes in a separate thread ⬝ threadId is tracked to kill job at anytime ▫ Supports long running jobs or jobs that don’t return immediately ⬝ Upload/download ⬝ Clipboard monitoring ⬝ While loop 26
  • 27. UPLOAD/DOWNLOAD ▫ Performed in 512kb chunks over multiple C2 requests ⬝ Encrypted with session key negotiated during EKE ⬝ URLRequest struct, URLSession class ▫ upload will incrementally create file on disc ⬝ Entire file never stored in Hermes memory at once ▫ download will send 512kb chunks up to Mythic ⬝ Recreate file on the server once all chunks are received ▫ Can be done from file browser as well! 27
  • 28. FILE SYSTEM INTERACTION ▫ Implemented using methods from FileManager class ⬝ cd: Change directory ⬝ ls: List contents of directory ⬝ pwd: Print working directory ⬝ mkdir: Make a new directory ⬝ mv: Move a file or directory to another location ⬝ cp: Copy a file or directory to another location ⬝ rm: Remove a file or directory ▫ Can be done from file browser as well! ⬝ ls ⬝ rm 28
  • 31. SHELL AND BINARY EXECUTION ▫ run: Execute a binary on disc with arguments ⬝ Process class to execute the binary ⬝ Pipe class to capture output ▫ shell: Execute a bash command with “/bin/bash -c” ⬝ Similar to run, just use /bin/bash as the binary ⬝ Useful if you need input/output redirection 31
  • 33. IN-MEMORY JXA EXECUTION ▫ Achieved with OSAScript class ⬝ Can also run AppleScript in memory ▫ jxa: Execute arbitrary JXA ▫ jxa_import: Load JXA script into memory ▫ jxa_call: Call functions within scripts ▫ Can load in lots of 3rd party tooling this way ⬝ https://github.com/its-a-feature/HealthInsp ector ⬝ https://github.com/its-a-feature/Orchard ⬝ https://github.com/D00MFist/PersistentJXA ⬝ https://github.com/antman1p/PrintTCCdb 33
  • 34. PROCESS INTERACTION ▫ ps: Gather list of running processes by parsing kinfo_proc struct from sysctl routine ▫ list_apps: Gather a list of running applications using NSWorkspace.runningApplications ▫ Kill a running process ⬝ shell kill <PID> 34
  • 36. SCREENSHOT ▫ Requires Screen Recording permissions from TCC ▫ screenshot: Uses Core GraphicsAPI to perform a screen capture of all displays ⬝ First call to CGGetActiveDisplayList to obtain number of active displays ⬝ Second call to CGGetActiveDisplayList gets list of active displays ⬝ Loop through displays and grab image with CGDisplayCreateImage ⬝ Send image to Mythic over C2 36
  • 37. CLIPBOARD MONITORING ▫ clipboard: Monitor and log any changes to the system clipboard ⬝ NSPasteboard class used to interact with clipboard ⬝ changeCount property increases when clipboard ownership changes ⬝ No clipboard notification to listen for, most resort to polling 😭 ▫ Root does not have access to the general pasteboard! 37
  • 38. SAFETY CHECKS & TCC ENUMERATION ▫ fda_check: Checks if your current process has “Full Disk Access” permissions ⬝ Attempts to open a file handle to ~/Library/Application Support/com.apple.TCC/TCC.db ⬝ Discovered and inspired by Cedric Owens (@cedowens) ▫ list_tcc: List entries in specified TCC database ⬝ Requires “Full Disk Access” ⬝ Reads data from sqlite database ⬝ TCC db schema changes over macOS versions ⬝ Currently supports Big Sur and above 38
  • 39. PLIST ENUMERATION ▫ plist_print: Return contents of a plist file ⬝ Can parse XML, JSON or binary ⬝ Determines type by checking first byte of the file ⬝ Uses PropertyListSerialization class to parse the data 39
  • 40. ENVIRONMENTAL VARIABLE CONTROL ▫ env: List out environment variables ⬝ Reads data from ProcessInfo class which has an environment field ▫ setenv: Set environment variable ⬝ Uses setenv from Darwin stdlib ⬝ If you specify an existing environment variable, will overwrite ▫ unsetenv: Unset an environment variable ⬝ Uses unsetenv from Darwin stdlib 40
  • 41. 4. Detecting Hermes Apple’s Endpoint Security Framework (ESF)
  • 42. ENDPOINT SECURITY FRAMEWORK (ESF) ▫ Apple pushed 3rd-party developers out of the kernel in Big Sur ⬝ Included security products ▫ ESF allows vendors to subscribe to several system events ⬝ Process ⬝ File ⬝ Module/library loads ▫ Several free and open-source tools ⬝ Appmon¹² (@xorrior) ⬝ Crescendo¹³ (@SuprHackerSteve) ⬝ FileMonitor/ProcessMonitor¹⁴ (@patrickwardle) 42
  • 43. DETECTING SHELL COMMANDS 43 ▫ Running “shell” from Mythic ▫ process::exec event in Crescendo
  • 44. WHAT ARE LAUNCH AGENTS? ▫ Background process that launches when a user logs in ▫ Launch agents are defined in property list files in the following locations: ⬝ /Library/LaunchAgents ⬝ /Users/<username>/Library/LaunchAgents ⬝ /System/Library/LaunchAgents ▫ Attackers can utilize this for persistence! 44
  • 45. WHAT ARE LAUNCH AGENTS? 45
  • 46. DETECTING LAUNCH AGENTS ▫ Uploading Launch Agent plist from Mythic 46 ▫ file::create event in Crescendo
  • 49. INSTALL HERMES 1. Install Mythic (https://github.com/its-a-feature/Mythic) on Ubuntu 20.10 2. Install the Darling kernel module (https://github.com/darlinghq/darling/releases/download/v0.1.20210224/d arling-dkms_0.1.20210224.testing_amd64.deb) 3. Execute modprobe darling-mach as root to load the kernel module 4. sudo ./mythic-cli install github https://github.com/MythicAgents/hermes 5. sudo ./mythic-cli payload start hermes 49
  • 50. REFERENCES 1. https://developer.apple.com/documentatio n/xcode-release-notes/swift-5-release-notes -for-xcode-10_2 2. https://github.com/MythicAgents/apfell 3. https://github.com/cedowens/SwiftBelt-JXA 4. https://github.com/D00MFist/PersistentJX A 5. https://github.com/MythicAgents/Medusa 6. https://github.com/EmpireProject/Empire 7. https://github.com/n0fate/chainbreaker 8. https://github.com/MythicAgents/poseidon 9. https://github.com/xorrior/xpcutil 10. https://github.com/BishopFox/sliver 11. https://github.com/MythicAgents/hermes 12. https://bitbucket.org/xorrior/appmon/src/ master/ 13. https://github.com/SuprHackerSteve/Cresc endo 14. https://objective-see.com/products/utilities .html 50
  • 51. THANK YOU ▫ Big thanks to Cody Thomas (@its_a_feature_) who helped me endlessly when I ran into bugs during development ▫ Thank you to all my coworkers for reviewing my content ▫ Thank you Brian Reitz for the awesome THPS2 photoshop :D ▫ Thank you ShellCon for allowing me to share my work ▫ Thank you for coming and listening! ▫ Presentation template by SlidesCarnival ▫ Photographs by Unsplash 51
  • 52. THANKS! Any questions? You can find me at: @slyd0g on Twitter and #mythic channel in BloodHound Gang Slack 52