BadUSB attacks have been an essential part of a Red Teamer’s bag of tricks for years. They allow us to relatively easily obtain a foothold on any unattended machine whose user forgot to lock it, by using a USB device that emulates a keyboard and sends a series of scripted malicious keystrokes. While the technique has been extensively used and documented on Windows systems, the examples available online for macOS are much scarcer and almost always rely on opening the Terminal and issuing shell commands.
This talk will present an alternative way of obtaining code execution and getting an implant running on a macOS target. We will leverage a trusted, Apple-signed Living-off-the-Land binary (LOLBIN) and macOS-specific scripting languages that are available on a default installation. Every step of the process is designed with stealth in mind, so as to avoid any disruption in the user’s environment. Tips will also be given along the way to overcome some challenges caused by macOS-specific behaviour.