Dylib Hijack Vulnerability Scanner - Empire Module

This page contains detailed information about how to use the python/situational_awareness/host/osx/HijackScanner Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Dylib Hijack Vulnerability Scanner
Module: python/situational_awareness/host/osx/HijackScanner
Source code: empire/server/modules/python/situational_awareness/host/osx/HijackScanner.yaml
MITRE ATT&CK: T1157
Language: Python
Needs admin: No
OPSEC safe: Yes
Background: No

The HijackScanner module can be used to identify applications vulnerable to dylib hijacking on a target system. This has been modified from the original to remove the dependancy for the macholib library.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the HijackScanner module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the HijackScanner module:

Agent
Agent to run the module on.

LoadedProcesses
Scan only loaded process executables.
Default value: False.

Additional Module Options

---

This is a list of additional options that are supported by the HijackScanner module:

Path
Scan all binaries recursively, in a specific path.

HijackScanner Example Usage

---

Here's an example of how to use the HijackScanner module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/osx/ducky) > usemodule python/situational_awareness/host/osx/HijackScanner

 Author       @patrickwardle                                                         
              @xorrior                                                               
 Background   False                                                                  
 Comments     Heavily adapted from @patrickwardle's script:                          
              https://github.com/synack/DylibHijack/blob/master/scan.py              
 Description  This module can be used to identify applications vulnerable to dylib   
              hijacking on a target system. This has been modified from the original 
              to remove the dependancy for the macholib library.                     
 Language     python                                                                 
 Name         python/situational_awareness/host/osx/HijackScanner                    
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1157                               


,Record Options---,-------,----------,-------------------------------------,
| Name            | Value | Required | Description                         |
|-----------------|-------|----------|-------------------------------------|
| Agent           |       | True     | Agent to run the module on.         |
|-----------------|-------|----------|-------------------------------------|
| LoadedProcesses | False | True     | Scan only loaded process            |
|                 |       |          | executables                         |
|-----------------|-------|----------|-------------------------------------|
| Path            |       | False    | Scan all binaries recursively, in a |
|                 |       |          | specific path.                      |
'-----------------'-------'----------'-------------------------------------'

(Empire: usemodule/python/situational_awareness/host/osx/HijackScanner) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/situational_awareness/host/osx/HijackScanner) > set LoadedProcesses False
[*] Set LoadedProcesses to False
(Empire: usemodule/python/situational_awareness/host/osx/HijackScanner) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @patrickwardle
• @xorrior

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/situational_awareness/host/osx/HijackScanner.yaml
• https://github.com/synack/DylibHijack/blob/master/scan.py
• http://attack.mitre.org/techniques/T1157

See Also

---

Check also the following modules related to this module:

• python/situational_awareness/host/osx/situational_awareness
• python/trollsploit/osx/change_background
• python/trollsploit/osx/say
• python/trollsploit/osx/thunderstruck
• python/trollsploit/osx/login_message
• python/management/osx/shellcodeinject64
• python/management/osx/screen_sharing
• python/privesc/osx/piggyback
• python/privesc/osx/dyld_print_to_file
• python/collection/osx/osx_mic_record
• python/collection/osx/sniffer
• python/collection/osx/imessage_dump
• python/collection/osx/kerberosdump
• python/collection/osx/keychaindump_chainbreaker
• python/collection/osx/prompt
• python/collection/osx/hashdump
• python/collection/osx/keychaindump_decrypt
• python/collection/osx/browser_dump
• python/collection/osx/pillage_user
• python/collection/osx/webcam
• python/collection/osx/screenshot
• python/collection/osx/keychaindump
• python/collection/osx/search_email
• python/collection/osx/screensaver_alleyoop
• python/collection/osx/native_screenshot_mss
• python/collection/osx/clipboard
• python/collection/osx/keylogger
• python/collection/osx/native_screenshot
• python/persistence/osx/mail
• python/persistence/osx/LaunchAgent
• python/persistence/osx/loginhook
• python/persistence/osx/CreateHijacker
• python/persistence/osx/LaunchAgentUserLandPersistence
• python/persistence/osx/RemoveLaunchAgent

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.