The Assignment

Somewhere in the middle of a disinformation fuelled pandemic I came to realize I will not be fulfilled in my career, or as a person, if the work I do is not both prosocial and impactful.

Of all the talented hackers I've met it is the kind ones, those who deliberately lift up others, whom I respect the most. There are just too many roiling dumpster fires out there for me to waste my hottest, most collagen-filled years protecting the borked smart contracts of crypto chuds, or whatever. So I started looking for people interested in the same problems as me and who, through their work, would help lift up others.

This January I joined Prelude as a Senior Cyber Security Engineer.

I already knew some of the engineers from working with Operator over the last year. I'd built Nicodemus, a free open-source Nim implant based on Pneuma, for use with Operator. I'd had conversations with Spencer Thompson, the CEO of Prelude, about their mission, vision, and ethics. With David Hunt and Alex Manners about technology and lessons learned from their former work on MITRE Caldera. I felt good about this team.

My first assignment, however, was when I realized my map reflected the territory.

There's something about being asked to hack the CEO, in a one-week, no holds barred engagement, and then tell the world about it, that really cements the idea I'm with my people. That here at Prelude, with all the other weird infosec nerds, eating our own dog food and scheming surprise off-site backups vs. senior leadership, things are gonna work out.

This first assignment captures the essence of it, what makes us special, which is from day one we're expected to walk the talk and live what we envision for our customers, along the way making much of our research and tooling available for free to anyone who wants it.

So that's my first task. Hack the CEO. What do?

Initial Access

Two unfortunate facts; a week goes by fast, MacOS is a tough target for initial access.

I'm not gonna find a MacOS 0day in a week (or in many, probably). My best shot at initial access is via social engineering. Not easy, given we're a security conscious bunch and Spencer is already primed for my antics, but far from impossible. It's not like there aren't ways - SpectreOps has a whole course on it. They even have an awesome tool, Mystikal, for generating initial access payloads for the Mythic C2 framework.

Mystikal is great if you use Mythic but I don't so it doesn't work for me. What I'd really like to do is get one of Operator's agents on Spencer's device because importantly lol but also lmao. So now I've invented a bunch of extra work for myself and I’ll need to rewrite Mythic so it works with Operator, which is what I did, and in Nim, because I have style.

NeonMidnight

NeonMidnight, my port of Mystikal to Nim, generates MacOS initial access payloads containing Hush - a modular JavaScript agent for Operator.

Sometime soon we plan to use this tool, or one like it, to serve MacOS initial access payloads configured automatically for your Operator client. This tool is a preview of a larger effort to provide a simple method for users to emulate initial access techniques from Operator without fussing with external tools.

Of course, agents have a shelf life, so we’ve made it easy to swap out Hush with some other JavaScript agent which can be configured through NeonMidnight’s payload sub-menus.

We'll be releasing this open-source tool following code review, so check out our Discord or Twitter for more information on the release.

Here's a cool ASCII banner so you know I actually did the thing.

Defence Against the Dark Arts

How can we make Spencer a harder target?

We can’t always stop him from clicking that juicy link but we can put controls in place to detect and potentially block post-exploitation activity.

All of the MacOS initial access payloads generated by NeonMidnight follow the same basic formula; trick a user into executing the payload which calls osascript to execute the malicious JavaScript agent. As defenders, the use optional persistence components, the use of osascript, and agent network traffic, are all reliable data points for detecting this activity.

To protect yourself I recommend Patrick Wardle’s free Mac security tools. In particular BlockBlock which monitors and alerts on new persistence components (such as our malicious installer packages) and LuLu an open-source firewall (that catches our payload beacons).

Lessons Learned

A week goes by fast. I spent too much time writing tools and too little using them.

I wasn't able to get a shell on our CEO's machine but I learned enough about MacOS initial access to bring new content to Operator. Expect to see more MacOS initial access techniques from me in upcoming chains.

As an exercise in picking up an offensive security tool and modifying it to work with Operator, the week was definitely a success. Not the first example either. We've seen amazing community effort to integrate third party tooling with Operator - most recently Bishop Fox's Sliver implant framework which as of Sliver v1.5 can use Operator as its C2.

As a closing thought, I'd like to see much more integration with open-source tools. If you have some special tool that's near and dear to you, that would benefit our community by some kind of integration, you're welcome to open a feature request on our community GitHub repo.