Here’s an abridged example of its output: % osascript HealthInspector.js Under the hood, the Finder_Preferences() function reads the below plist file, showing us several pertinent entries: ~/Library/Preferences/ Tooling such as JXA script, HealthInspector, can help. We can get some appreciation of this in a broader context by looking at recent files and folders from Finder. Having identified the usage of VSCode on our compromised endpoint, gaining an understanding of files and folders recently accessed by a user would be a good next step.
The Mythic Medusa agent has three new functions to target the above behaviours: New files that have yet to be saved are also stored in this location.Files that may otherwise be protected by TCC, are accessible at this location (in their edited form) until a user saves them.When a user makes changes to files in VSCode, until they’re saved, they’re backed up in temporary files within ~/Library/Application Support/Code/Backups/. In a JSON file which (among other things) dictates what appears in VSCode’s menu bars at ~/Library/Application Support/Code/storage.json.In VSCode’s global sqlite state database at ~/Library/Application Support/Code/User/globalStorage/state.vscdb.We can view a user’s recently accessed files in a couple of places:
We’ll also see these reconnaissance activities operationalised in the Mythic Medusa agent. Looking at this from another angle however - this short blog explores the situational awareness that can be gleaned from VSCode, should an operator have obtained an initial foothold while also considering what sensitive data might be exposed, which would otherwise be protected by Apple’s oft-maligned ‘Transparency, Consent and Control’ framework, aka TCC. blog highlights how a malicious VSCode extension could be used as a loader for JXA script content, while takes this further with a fully-fledged cross-platform Mythic C2 Agent, Venus. With a rich marketplace of extensions that improve functionality for various programming languages, as well as interaction with cloud service providers and remote hosts, it’s a popular choice among a broad range of engineering roles (and beyond).įrom an offensive testing perspective, macOS VSCode has already been explored by others as a means of persistence and code execution. One application commonly used among this user group is Microsoft’s Visual Studio Code, aka VSCode. In many environments, macOS endpoint users are synonymous with software and systems engineers.
0 kommentar(er)
