SwiftBelt – A macOS Enumeration Tool Inspired By Harmjoy's Windows-based Seatbelt Enumeration Tool
SwiftBelt is a macOS enumerator inspired by @harmjoy's Windows-based Seatbelt enumeration tool. SwiftBelt does not use any command-line utilities; instead it uses Swift code (leveraging the Cocoa framework, Foundation, OSAKit, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you have gained access to a macOS host. I intentionally did not include any functions that cause pop-ups (e.g., keychain enumeration).
Thanks to Ramos04 for contributing code to search for various Objective-See tools, and to mattreduce for contributing code for zsh history as well as Azure creds.
Steps
You can run the bundled SwiftBelt mach-o binary in the root directory of this repo, or you can edit the Swift code and rebuild a new binary.
To use the bundled mach-o:
- Note: I did not sign the bundled mach-o. Therefore you will need to take these steps to remove the quarantine attribute in order to run it: once downloaded, copy it to the target host, clear the quarantine attribute ($ xattr -c SwiftBelt) and set it as executable ($ chmod +x SwiftBelt). (xattr -c strips every extended attribute on the file; xattr -d com.apple.quarantine SwiftBelt removes only the quarantine flag that triggers the Gatekeeper check.)
- To see the help menu: ./SwiftBelt -h
Help menu:
SwiftBelt Options:
-SecurityTools --> Check for the presence of common macOS security tools (at least the ones I am familiar with)
-SystemInfo --> Pull back system info (Wi-Fi SSID info, Open Directory node info, internal IPs, ssh/aws/gcloud/azure-cli credential info, basic system info). If present on the host, the tool will display the contents of SSH keys, the known_hosts file, AWS credential files, and gcloud token info
-Clipboard --> Dump clipboard contents
-RunningApps --> List all running applications
-ListUsers --> List local user accounts
-LaunchAgents --> List launch agents, launch daemons, and configuration profile files
-BrowserHistory --> Attempt to pull Safari, Firefox, Chrome, and LaunchServices quarantine-events history (note: if Chrome or Firefox is actively running, the tool will not be able to read the locked databases to extract data)
-SlackExtract --> Check if Slack is present and, if so, read cookie, downloads, and workspaces info (leverages research done by Cody Thomas)
-ShellHistory --> Read shell (Bash or Zsh) history files
-Bookmarks --> Read Chrome saved bookmarks
Usage:
To run all options: ./SwiftBelt
To specify certain options: ./SwiftBelt [option1] [option2] [option3]...
Example: ./SwiftBelt -SystemInfo -Clipboard -SecurityTools ...
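As an added illustration of the approach described above (Foundation and AppKit calls instead of spawning cat, ls or ps), the following is example code written for this page, not SwiftBelt's own source. It covers three of the options listed (ShellHistory, LaunchAgents, RunningApps); the helper names, the directory list and the history-file names are assumptions, and the zsh parsing handles the EXTENDED_HISTORY line format (": <epoch>:<elapsed>;<command>") that a raw dump would otherwise leave as noise.

```swift
import Foundation
import AppKit   // NSWorkspace: running-application list without spawning `ps`

// Example code added for this page; not part of SwiftBelt. Helper names are hypothetical.
let fm = FileManager.default
let home = fm.homeDirectoryForCurrentUser

struct HistoryEntry {
    let timestamp: Date?   // present only for zsh EXTENDED_HISTORY lines
    let command: String
}

/// Parse a bash or zsh history file. zsh with EXTENDED_HISTORY writes
/// ": <epoch>:<elapsed>;<command>"; bash (and plain zsh) writes the bare command.
func parseHistory(_ text: String) -> [HistoryEntry] {
    var entries: [HistoryEntry] = []
    for raw in text.split(separator: "\n") {
        let line = String(raw)
        if line.hasPrefix(": "), let semi = line.firstIndex(of: ";") {
            let meta = line[line.index(line.startIndex, offsetBy: 2)..<semi]   // "<epoch>:<elapsed>"
            let epoch = meta.split(separator: ":").first.flatMap { Double($0) }
            let command = String(line[line.index(after: semi)...])
            entries.append(HistoryEntry(timestamp: epoch.map { Date(timeIntervalSince1970: $0) },
                                        command: command))
        } else {
            entries.append(HistoryEntry(timestamp: nil, command: line))
        }
    }
    return entries
}

/// Read ~/.zsh_history and ~/.bash_history through Foundation file I/O (no `cat`).
/// Decoding with replacement keeps zsh's metafied non-ASCII bytes from aborting the read.
func readShellHistory() -> [String: [HistoryEntry]] {
    var result: [String: [HistoryEntry]] = [:]
    for name in [".zsh_history", ".bash_history"] {
        let url = home.appendingPathComponent(name)
        guard let data = try? Data(contentsOf: url) else { continue }   // absent or unreadable: skip
        result[name] = parseHistory(String(decoding: data, as: UTF8.self))
    }
    return result
}

/// Launch agents and daemons: list .plist files in the standard directories (no `ls`).
func listLaunchItems() -> [String] {
    let dirs = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
                home.appendingPathComponent("Library/LaunchAgents").path]
    var found: [String] = []
    for dir in dirs {
        guard let items = try? fm.contentsOfDirectory(atPath: dir) else { continue }
        found += items.filter { $0.hasSuffix(".plist") }.map { dir + "/" + $0 }
    }
    return found
}

/// Running applications via NSWorkspace (LaunchServices-registered apps, not every process).
func listRunningApps() -> [(pid: Int32, bundleID: String, path: String)] {
    NSWorkspace.shared.runningApplications.map {
        (pid: $0.processIdentifier,
         bundleID: $0.bundleIdentifier ?? "-",
         path: $0.executableURL?.path ?? "-")
    }
}

// Driver: print a summary of each collection.
for (file, entries) in readShellHistory() {
    print("[\(file)] \(entries.count) entries; last 5:")
    for e in entries.suffix(5) {
        let ts = e.timestamp.map { "\($0)" } ?? "-"
        print("  \(ts)  \(e.command)")
    }
}
print("[launch items]")
listLaunchItems().forEach { print("  \($0)") }
print("[running apps]")
for app in listRunningApps() { print("  \(app.pid)\t\(app.bundleID)\t\(app.path)") }
```

Compile with `swiftc` on macOS and run as the target user. Every read goes through FileManager/Data, so nothing shows up in process-creation telemetry; the only footprint is the file opens themselves, which is exactly what the Detection section below relies on.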
To edit the Swift code and rebuild your own mach-o:
- Open the xcodeproj file for SwiftBelt in Xcode
- Edit the code in main.swift as needed in Xcode
- From a terminal, cd into the SwiftBelt directory and run "swift build" to create the binary. The binary will be dropped in the .build/debug folder within the SwiftBelt folder and will be named SwiftBelt
- Copy it to the target host, clear the quarantine attribute ($ xattr -c SwiftBelt) and set it as executable ($ chmod +x SwiftBelt)
- Execute
Detection
Though this tool does not use any command-line utilities (which are easy to detect), it does read from various files on the system, and those reads can be detected by any tool that leverages the Endpoint Security Framework (these file reads in particular are captured by ES_EVENT_TYPE_NOTIFY_OPEN events within ESF). Because legitimate software opens the same files (ssh reads ~/.ssh, Safari reads its own History.db), a useful rule keys on which process opened the file, not on the path alone.
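As an added example of what such a detection looks like, not code from SwiftBelt or from Apple's samples: a minimal Endpoint Security client that subscribes to ES_EVENT_TYPE_NOTIFY_OPEN and flags reads of the credential and history files listed above by processes outside an assumed allowlist. The `watchedSubstrings` and `expectedReaders` lists and the `classify` helper are hypothetical and need tuning for a real fleet. Running it requires the `com.apple.developer.endpoint-security.client` entitlement (granted by Apple and enforced when `es_new_client` is called) and root; without them `es_new_client` returns an error result and the program exits.

```swift
import EndpointSecurity
import Foundation

// Example added for this page, not SwiftBelt's or Apple's code. The lists are assumptions.

/// Substrings of file paths SwiftBelt-style enumeration reads: SSH material, cloud CLI
/// credentials, shell history, browser history DBs, the quarantine events DB.
let watchedSubstrings = [
    "/.ssh/", "/.aws/credentials", "/.config/gcloud/", "/.azure/",
    "/.zsh_history", "/.bash_history",
    "/Library/Safari/History.db",
    "/Library/Application Support/Google/Chrome/",
    "/Library/Application Support/Firefox/Profiles/",
    "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2",
]

/// Executable path prefixes expected to read those files in normal use (assumed allowlist).
let expectedReaders = [
    "/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/sftp", "/usr/bin/git",
    "/bin/zsh", "/bin/bash", "/Applications/Safari.app/",
    "/Applications/Google Chrome.app/", "/Applications/Firefox.app/",
]

struct OpenEvent {
    let processPath: String   // executable that opened the file
    let filePath: String      // file that was opened
    let readAccess: Bool      // FREAD bit set in the open flags
}

/// Pure decision function: returns an alert string, or nil if the open is benign.
/// Kept free of ESF types so it can be unit tested with constructed events.
func classify(_ ev: OpenEvent) -> String? {
    guard ev.readAccess else { return nil }
    guard let rule = watchedSubstrings.first(where: { ev.filePath.contains($0) }) else { return nil }
    if expectedReaders.contains(where: { ev.processPath.hasPrefix($0) }) { return nil }
    return "\(ev.processPath) read \(ev.filePath) (matched \(rule))"
}

/// es_string_token_t carries an explicit length; do not assume NUL termination.
func tokenString(_ t: es_string_token_t) -> String {
    String(decoding: UnsafeRawBufferPointer(start: t.data, count: t.length), as: UTF8.self)
}

let freadFlag: Int32 = 0x1   // FREAD from <sys/fcntl.h>

var client: OpaquePointer?
let created = es_new_client(&client) { _, msg in
    // NOTIFY handlers must not block: decode what is needed and return.
    guard msg.pointee.event_type == ES_EVENT_TYPE_NOTIFY_OPEN else { return }
    let ev = OpenEvent(
        processPath: tokenString(msg.pointee.process.pointee.executable.pointee.path),
        filePath: tokenString(msg.pointee.event.open.file.pointee.path),
        readAccess: (msg.pointee.event.open.fflag & freadFlag) != 0)
    if let alert = classify(ev) { print("ALERT: \(alert)") }
}
guard created == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    // Typical causes: missing endpoint-security entitlement, not running as root, TCC not granted.
    fputs("es_new_client failed (result \(created.rawValue))\n", stderr)
    exit(1)
}
let events = [ES_EVENT_TYPE_NOTIFY_OPEN]
guard es_subscribe(esClient, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr)
    exit(1)
}
dispatchMain()   // keep the process alive; ESF delivers events on its own threads
```

The decision logic lives in `classify` so it can be exercised with constructed `OpenEvent` values in a unit test, without an entitled binary. Matching on path substrings after the home directory keeps the rule independent of user names. Because the subscription is a NOTIFY event rather than an AUTH event, the client can only report the read after the fact; it cannot block it.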