## macOS Initial Access Ideas

In my practice and experience, the following file vectors required the fewest clicks from the victim while remaining reliable and viable initial access vectors:

- `.js` - JXA script file
- `.scpt` - compiled AppleScript or compiled JXA script file (built with `osacompile`)
- `.app` - application bundle (a directory) whose contents eventually run a compiled `.scpt` _JXA_ or _AppleScript_ script
    - Note that [`.app` bundles can be compressed into `.zip`/`.cpio`/`.cpgz`](https://blog.xpnsec.com/macos-phishing-tricks/) archives and delivered to victims that way
    - Moreover, we can also [rename their extensions to perform a homoglyph attack](https://blog.xpnsec.com/macos-filename-homoglyphs-revisited/), thus obscuring the `.app` extension
- `Office documents` - macro-enabled Office documents are still worth their salt in the macOS world
- `.slk` - Excel 4.0 SYLK macros also work on macOS as of April 2023

With regard to VBA macros, we can come up with the following vectors:

- Macro-enabled Office documents that run JXA/JavaScript in memory and save it to a file
- Macro-enabled Office documents that run JXA/JavaScript in memory and save it to a file via **`curl`**
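From the defender's side, the artefacts above (`.app` bundles inside archives, homoglyph- or control-character-disguised names, and `~$`-prefixed script files from the Office sandbox trick in the sources below) are cheap to spot in a mail gateway or download scan. The following scanner is an added example, not code from the original notes or any of the linked tools; the member names it checks are constructed, and the mixed-script heuristic is an assumption about how a homoglyph-renamed file typically looks.

```python
"""Flag archive members whose names match the delivery tricks listed above."""
import unicodedata
import zipfile

# Invisible or bidi-control code points that hide or reorder a visible extension.
HIDDEN_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\u202d", "\u202e", "\ufeff"}
SCRIPT_EXTS = (".js", ".scpt", ".slk")


def name_findings(name: str) -> list[str]:
    """Return reasons a single file or directory name looks disguised."""
    reasons = []
    if any(ch in HIDDEN_CHARS for ch in name):
        reasons.append("invisible or bidi control character")
    # Heuristic: Latin text with a stray Cyrillic/Greek letter is the classic homoglyph sign.
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in name if ch.isalpha()}
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    # Compatibility forms (fullwidth letters, ligatures) that render like plain ASCII.
    if unicodedata.normalize("NFKC", name) != name:
        reasons.append("compatibility characters normalise to a different name")
    return reasons


def scan_members(members: list[str]) -> dict[str, list[str]]:
    """Scan archive member paths (as returned by zipfile.namelist()).

    Flags .app bundles whatever their visible name, ~$-prefixed script files,
    and disguised path components. Returns {member: [reasons]} for hits only.
    """
    findings: dict[str, list[str]] = {}
    for member in members:
        for part in (p for p in member.split("/") if p):
            reasons = name_findings(part)
            # Compare against the name as the OS sees it, not as Finder renders it.
            stripped = "".join(ch for ch in part if ch not in HIDDEN_CHARS)
            cleaned = unicodedata.normalize("NFKC", stripped).lower()
            if cleaned.endswith(".app"):
                reasons.append("application bundle")
            if part.startswith("~$") and cleaned.endswith(SCRIPT_EXTS):
                reasons.append("~$-prefixed script file")
            if reasons:
                findings.setdefault(member, []).extend(reasons)
    return findings


def scan_zip(path: str) -> dict[str, list[str]]:
    """Convenience wrapper: scan a .zip on disk without extracting it."""
    with zipfile.ZipFile(path) as zf:
        return scan_members(zf.namelist())
```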
## Sources

- [Mystikal](https://github.com/D00MFist/Mystikal) - [MacOS X Initial Access payloads generator](https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520) that nicely integrates with Mythic
    - before using it, edit the `Settings/MythicSettings.py` file
    - after generating any payload, review whether your domain was set correctly, because the tool tends to hardcode `localhost` instead
- [MacOS Phishing Tricks](https://blog.xpnsec.com/macos-phishing-tricks/) - disguising `.app` bundles
- [MacOS Filename Homoglyphs Revisited](https://blog.xpnsec.com/macos-filename-homoglyphs-revisited/) - more recent tricks for hiding the `.app` extension from Finder
- [Escaping the Sandbox – Microsoft Office on MacOS](https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/) - the need to drop files named with a `~$` prefix, such as `~$foo.js`
