python -m posixath macos -t T1620
{
"activity_at_ts": "2024-01-16T11:33:33.683Z",
"attack_id": "T1620",
"command_line": "/Users/brandondalton/Developer/threat-research/AtomicTestHarnesses/posix/src/posixath/tests/macos/library/T1620/nscreateobjectfileimagefrommemory /Users/brandondalton/Developer/threat-research/AtomicTestHarnesses/posix/src/posixath/tests/macos/library/T1620/libHello.bundle",
"cwd": "/Users/brandondalton/Developer/threat-research/AtomicTestHarnesses/posix/src/posixath",
"gid": 20,
"md5": "7bae5d063f431459e3b7ed9cf1dee63d",
"nslinkmodule_writeback_path": "/private/var/folders/8b/fg_9sj9j2_9c0ghl_knlpp1c0000gp/T/NSCreateObjectFileImageFromMemory-6sjMhisX",
"pid": 37817,
"ppid": 37783,
"process_path": "/Users/brandondalton/Developer/threat-research/AtomicTestHarnesses/posix/src/posixath/tests/macos/library/T1620/nscreateobjectfileimagefrommemory",
"result": "success",
"return_code": 0,
"stderr": "",
"stdin": null,
"stdout": "\ud83d\udc4b Hello curious user!\n ",
"uid": 502
}
NSCreateObjectFileImageFromMemory
: Utilizing the Dyld API function by the same name we load a bundle into memory from disk, executes it, and observe the detection opportunity.
After installing the POSIX AtomicTestHarness executer module posixath
you can begin to run the following tests:
- Execute all T1620 macOS tests
python -m posixath macos -t T1620
- Execute a specific T1620 technique variation (NSCreateObjectFileImageFromMemory)
python -m posixath macos -t T1620 -k "NSCreateObjectFileImageFromMemory"
- Execute tests with a custom C source file
python -m posixath macos -t T1620 --source-code-path <PATH TO C FILE>
- Execute a test with a custom bundle
python -m posixath macos -t T1620 --bundle-path <PATH TO A MH_BUNDLE>
--source-code-path
: The path to a custom C source code file to use in the test. The file must have arun_me
function.--bundle-path
: The path to a custom loadable bundle to use in the test.
- File creations:
ES_EVENT_TYPE_NOTIFY_CREATE
/ES_EVENT_TYPE_AUTH_CREATE
being made following the format:/private/var/folders/.../NSCreateObjectFileImageFromMemory-XXXXXXXX
. - Apple Unified Log (AUL): Looking for the kernel via AMFI (Apple Mobile File Integrity) logging the module's writeback. You can use the following predicate:
eventMessage CONTAINS 'NSCreateObjectFileImageFromMemory-'
.
{
"macOS" : "14.2.1 (Build 23C71)",
"context" : "/private/var/folders/8b/fg_9sj9j2_9c0ghl_knlpp1c0000gp/T/NSCreateObjectFileImageFromMemory-KtlCIkyz",
"initiating_euid_human" : "brandondalton",
"target_path" : "/private/var/folders/8b/fg_9sj9j2_9c0ghl_knlpp1c0000gp/T/NSCreateObjectFileImageFromMemory-KtlCIkyz",
"initiating_is_platform_binary" : false,
"initiating_ruid" : 502,
"initiating_process_file_quarantine_type" : 0,
"initiating_euid" : 502,
"es_event_type" : "ES_EVENT_TYPE_NOTIFY_CREATE",
"initiating_ruid_human" : "brandondalton",
"initiating_pid" : 39821,
"sensor_id" : "bf169d19f3e7bea1b61c00db1bc9c98318007ae5f7a2b6c15e3f64f9ed5760c7cd8a49268472e75e0f916fe8acd503d9f9580a030d7d021582271813b6a3ff38",
"responsible_audit_token" : "502-502-20-502-20-32710-100013-2938787",
"path_is_truncated" : false,
"initiating_process_group_id" : 39821,
"audit_token" : "502-502-20-502-20-39855-100013-2954335",
"initiating_process_path" : "/Users/brandondalton/Developer/threat-research/AtomicTestHarnesses/posix/src/posixath/tests/macos/library/T1620/nscreateobjectfileimagefrommemory",
"parent_audit_token" : "502-502-20-502-20-39821-100013-2954311",
"initiating_process_signing_id" : "nscreateobjectfileimagefrommemory",
"initiating_process_name" : "nscreateobjectfileimagefrommemory",
"activity_at_ts" : "2024-01-16T13:43:39.524Z",
"file_event" : {
"is_quarantined" : 2,
"destination_path" : "/private/var/folders/8b/fg_9sj9j2_9c0ghl_knlpp1c0000gp/T/NSCreateObjectFileImageFromMemory-KtlCIkyz",
"file_name" : "NSCreateObjectFileImageFromMemory-KtlCIkyz"
},
"initiating_process_cdhash" : "876646534674f08c8e04d65675b336698293fc78"
}