
macOS mail.app spawning reverse shells

Source: https://holdmybeersecurity.com/2020/01/03/poc-mail-app-the-boomerang-of-reverse-shells-on-macos/

Description: "From my testing, it seems that our malicious AppleScript is executed as a child process of UserScriptService. I ASSUME that when an app like Mail.app runs an AppleScript it makes an internal API call to this process to execute the script. The child process spawned by UserScriptService has a -T flag which specifies the application that made the request to spawn this AppleScript."

What The Data Shows: The query below starts by querying the processes table for the PID of Mail. Next, it queries the process_events table for every command line containing “osascript”. Finally, for each of those command lines it extracts the PID carried in osascript's -T argument (the application that requested the script, as described above) and compares it to the Mail app PID. Effectively this query is looking for any AppleScript initiated by Mail.app.

SQL: 

-- substr(cmdline, 23, 5) picks out the characters immediately after
-- "/usr/bin/osascript -T " (22 characters), i.e. the requesting app's PID.
SELECT *
FROM process_events
WHERE cmdline LIKE '%osascript%'
  AND trim(substr(cmdline, 23, 5)) LIKE (SELECT pid FROM processes WHERE name = 'Mail');
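The same matching logic in Python, added here as an example (it is not from the original post or the blog it cites): it pulls the -T value out of the parsed argument list instead of relying on the fixed substr(cmdline, 23, 5) offset, so it still matches if the osascript path or argument layout differs. It assumes command lines of the form "/usr/bin/osascript -T <pid> ..." as Query #1 implies, and the process rows below are constructed stand-ins for the osquery processes and process_events tables.

```python
import shlex
from typing import Dict, Iterable, List, Optional


def target_pid_from_cmdline(cmdline: str) -> Optional[int]:
    """Return the PID passed to osascript via -T, or None if absent.

    The argv is parsed with shlex rather than sliced at a fixed offset, so a
    different osascript path or extra leading arguments do not break the match.
    osquery joins argv with spaces, so unquoted paths containing spaces will be
    split into several tokens; that does not affect locating the -T argument.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the captured command line
        return None
    if not argv or not argv[0].endswith("osascript"):
        return None
    for i in range(1, len(argv)):
        if argv[i] == "-T" and i + 1 < len(argv) and argv[i + 1].isdigit():
            return int(argv[i + 1])
        if argv[i].startswith("-T") and argv[i][2:].isdigit():  # "-T512" form
            return int(argv[i][2:])
    return None


def mail_spawned_scripts(process_events: Iterable[Dict], processes: Iterable[Dict],
                         app_name: str = "Mail") -> List[Dict]:
    """Return process_events rows whose osascript -T PID belongs to app_name."""
    app_pids = {p["pid"] for p in processes if p["name"] == app_name}
    return [ev for ev in process_events
            if target_pid_from_cmdline(ev["cmdline"]) in app_pids]


# Constructed sample rows (hypothetical PIDs and paths), not real osquery output.
PROCESSES = [
    {"pid": 512, "name": "Mail"},
    {"pid": 640, "name": "Terminal"},
]
PROCESS_EVENTS = [
    {"pid": 901, "cmdline": "/usr/bin/osascript -T 512 "
                            "/Users/alice/Library/Application Scripts/com.apple.mail/run.scpt"},
    {"pid": 902, "cmdline": "/usr/bin/osascript -e 'display dialog \"hi\"'"},
    {"pid": 903, "cmdline": "/usr/bin/osascript -T 640 /tmp/x.scpt"},
]

if __name__ == "__main__":
    for ev in mail_spawned_scripts(PROCESS_EVENTS, PROCESSES):
        print(ev["pid"], ev["cmdline"])
```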

Query #2: Creation and Modification Date

Description: With osquery we can query the directory ~/Library/Application Scripts/com.apple.mail for recently created or modified files.

SQL: 

-- Mismatched quotes around the path pattern fixed (the original opened with " and closed with ').
-- u.username / g.groupname added so the users and groups joins contribute output.
SELECT f.path,
       u.username,
       g.groupname,
       datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
       datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
       datetime(f.btime, 'unixepoch') AS file_created_time,
       ROUND((f.size * 10e-7), 4) AS size_megabytes
FROM file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE f.path LIKE '/Users/%/Library/Application Scripts/com.apple.mail/%';
