For whatever reason, there was (or is) this notion that Macs are more secure than Windows systems, and that users don’t have to worry as much about malware as they do with Windows systems. While Windows systems may have a somewhat larger attack surface than Macs, this does not mean that there aren’t vulnerabilities with Macs that can be exploited. This idea that users don’t have to worry as much about Macs is a dangerous one, and can lead users to inadvertently do something bad to their systems without even realizing it. There are even dedicated command and control (C2) frameworks out there for Mac that can be used for malicious activities.
As part of my testing of endpoint systems, I came across a C2 framework for Macs known as Mythic (https://github.com/its-a-feature/Mythic). Like Meterpreter or Cobalt Strike, Mythic allows you to do a lot of cool hacking stuff on a Mac system. It sports a clean interface reminiscent of Cobalt Strike, and it gives you a lot of functionality out of the box. It offers different payload types as well as ways to customize them, and it lets you run various commands on Macs the way you would with the Windows C2 frameworks. It even allows you to collaborate with other people if you are running a campaign against a Mac-heavy environment. And if you happen to come across Windows systems, the Mythic framework has support for that OS too, although I haven’t tried it out myself.
A look at the Mythic interface
Under the hood, it uses a fair amount of Objective-C for some of its beacons. For you penetration testers and red teamers out there, it also seems to bypass some of the endpoint detection and response (EDR) software solutions out there for Macs, which is nice.
My testing involved using more of its out-of-the-box features. To establish C2 over my Mac, I used a basic HTTP beacon. When building it, you supply the basic information it needs, such as the IP of your C2 server, along with more advanced settings (User Agent, jitter, etc.). You can even set the commands that the beacon is allowed to run.
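Because the beacon described above phones home over plain HTTP on a configurable interval with jitter, one defensive check is to look for connection pairs in web proxy logs whose inter-request timing is too regular for a human. The following is an added example written for this post, not code from Mythic or its author; the proxy log format (pipe-separated timestamp, source, destination, User Agent) and the IP addresses and timings are constructed, and the spread threshold of 0.25 is an assumption you would tune to your own traffic.

```python
"""Flag HTTP beaconing in proxy logs by measuring how regular the request spacing is.

A beacon with jitter still clusters tightly around its base interval; ordinary
browsing produces erratic gaps. We compare the median absolute deviation of the
inter-request intervals to the median interval (low ratio = regular = suspicious).
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample proxy log: "timestamp | source | destination | user agent".
# 10.0.0.5 is a beacon on a ~10 s interval with roughly 20 % jitter (assumed values);
# 10.0.0.7 is a person browsing a site with irregular gaps. Addresses are documentation ranges.
SAMPLE_PROXY_LOG = """
2021-04-01T10:00:00Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:10Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:22Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:31Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:42Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:50Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:01:00Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:01:12Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:01:21Z | 10.0.0.5 | 203.0.113.10:80 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:00Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:03Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:48Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:50Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:00:51Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:02:51Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2021-04-01T10:02:58Z | 10.0.0.7 | 198.51.100.20:443 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
"""


def parse_ts(ts: str) -> datetime:
    """Parse the constructed log's UTC timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def beacon_spread(intervals: List[float]) -> float:
    """Median absolute deviation of the intervals divided by their median.

    Near 0 means the gaps are almost identical (beacon-like); jitter of +/-20 %
    only pushes this to ~0.1-0.2, while human browsing lands well above that.
    """
    med = statistics.median(intervals)
    if med == 0:
        return float("inf")
    mad = statistics.median(abs(x - med) for x in intervals)
    return mad / med


def find_beacons(lines: Iterable[str], min_hits: int = 6, max_spread: float = 0.25) -> List[Dict]:
    """Group requests by (source, destination, user agent) and flag regular ones."""
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, ua = [field.strip() for field in line.split("|")]
        groups[(src, dst, ua)].append(parse_ts(ts))

    findings = []
    for (src, dst, ua), times in groups.items():
        if len(times) < min_hits:  # too few requests to judge periodicity
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        spread = beacon_spread(intervals)
        if spread <= max_spread:
            findings.append({
                "src": src,
                "dst": dst,
                "user_agent": ua,
                "hits": len(times),
                "median_interval_s": statistics.median(intervals),
                "spread": round(spread, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print(finding)
```

Only the 10.0.0.5 pair is reported: its gaps (8 to 12 seconds) give a spread of 0.1, while the browsing host's gaps (1 to 120 seconds) score 0.7. On real data you would also whitelist known-periodic software (update checkers, mail clients) before treating a low spread as a C2 indicator.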
Setting some of the options for the payload
Choosing the commands that the beacon is allowed to run
The resulting payload will be a JavaScript file that you can name whatever you want. By default, it is named apfell.js. You can feed this JS file as an argument to the osascript command on your Mac (located in /usr/bin, which should already be in your path). And if you haven’t used osascript before, you’re not alone. My first introduction to it was with this tool as well, but in short, your command will look something like the following:
osascript apfell.js
After executing the above command, assuming your C2 server has the listening port open (mine was port 80 by default), you should see a check-in from the system on which you ran the above command within Mythic.
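The launch step above (osascript running a .js file) leaves a distinct mark in process telemetry, since osascript is rarely used to run JavaScript for Automation in day-to-day admin work. The following is an added example written for this post, not code from Mythic or its author: it scans constructed EDR-style process events (the JSON field names are assumptions, not any vendor's schema) and flags osascript launches that execute a .js script file, as well as the explicit `osascript -l JavaScript <file>` form, which is a real osascript option not shown in the post.

```python
"""Flag osascript launches that execute JavaScript for Automation (JXA) scripts.

Input is newline-delimited JSON process-execution events. Two patterns are
flagged: a script argument ending in .js (how apfell.js is launched) and an
explicit language override via "-l JavaScript".
"""
import json
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample telemetry. Field names (ts, user, exe, argv, parent) are assumptions.
SAMPLE_EVENTS = """
{"ts": "2021-04-01T10:00:01Z", "user": "alice", "exe": "/usr/bin/osascript", "argv": ["osascript", "apfell.js"], "parent": "/bin/zsh"}
{"ts": "2021-04-01T10:00:05Z", "user": "alice", "exe": "/usr/bin/osascript", "argv": ["osascript", "-e", "say hello"], "parent": "/bin/zsh"}
{"ts": "2021-04-01T10:01:12Z", "user": "bob", "exe": "/usr/bin/osascript", "argv": ["osascript", "-l", "JavaScript", "/tmp/update.txt"], "parent": "/usr/bin/curl"}
{"ts": "2021-04-01T10:02:00Z", "user": "bob", "exe": "/usr/bin/python3", "argv": ["python3", "build.py"], "parent": "/bin/zsh"}
{"ts": "2021-04-01T10:03:00Z", "user": "carol", "exe": "/usr/bin/osascript", "argv": ["osascript", "backup.applescript"], "parent": "/usr/bin/login"}
"""


def jxa_reason(event: Dict) -> Optional[str]:
    """Return a human-readable reason if this event is osascript running JXA, else None."""
    if os.path.basename(event.get("exe", "")) != "osascript":
        return None
    argv = event.get("argv", [])

    # Pattern 1: explicit language override, e.g. osascript -l JavaScript script.txt
    for i in range(len(argv) - 1):
        if argv[i] == "-l" and argv[i + 1].lower() == "javascript":
            return "osascript invoked with -l JavaScript"

    # Pattern 2: a non-flag argument that is a .js file, e.g. osascript apfell.js
    for arg in argv[1:]:
        if not arg.startswith("-") and arg.lower().endswith(".js"):
            return f"osascript executing JavaScript file {arg}"
    return None


def detect(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and collect alerts for JXA launches."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = jxa_reason(event)
        if reason:
            alerts.append({
                "ts": event["ts"],
                "user": event["user"],
                "parent": event.get("parent", ""),
                "command": " ".join(event["argv"]),
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Two of the five sample events are flagged (the apfell.js launch and the `-l JavaScript` launch); the inline `-e` AppleScript and the .applescript file are left alone. The parent process is carried along in each alert because an osascript child of a network client such as curl is far more interesting to an analyst than one spawned from an interactive shell.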
Back in the Mythic interface, you will go to Operational Views -> Active Callbacks to see your new beacon. Just like other C2 frameworks, you can then interact with it and give it commands to run.
A sample of the commands that I tasked the beacon to run
As you can see in the above screenshot, I ran a couple of fun commands, like seeing what’s in the user’s clipboard, seeing which Google Chrome tabs the user has open, and pulling general system info for the Mac.
Overall, the Mythic framework is a great addition to your arsenal of hacking tools. Take a look at the corresponding YouTube video for this framework: