macOS initial access techniques are somewhat limited for red teamers. Security features such as Gatekeeper, Notarization, and the application sandbox add complexity to getting a foothold. Amongst all of the payload types for macOS, installer packages provide the most versatility for code execution techniques. Unfortunately, installer scripts and in-line JavaScript in the distribution XML leave command line artifacts and aren't ideal for stealthy initial access. However, installer plugins provide a neat way to execute Objective-C code. Apple has changed the mechanics of how installer plugins are executed such that the host process for installer plugins is quickly killed after the installer process exits. This presents an interesting dilemma, as attackers will need to find a way to extend the life of their malicious code once it has executed. In this talk, I'll:
- Explain how installer plugins work
- Demonstrate two different methods for code execution via native APIs on macOS
- Explain how these techniques and installer plugins stack up against the Endpoint Security Framework
- Share the code with my fellow hackers!