Skip to content
Nuclei Templates

MacC2 JARM - Detect

ID: mac-c2-jarm

Severity: info

Author: pussycat0x

Tags: jarm,network,c2,ir,osint,cti,macc2,tcp

Description

Section titled “Description”

MacC2 is a macOS post exploitation tool written in python that uses Objective C calls or python libraries as opposed to command line executions. The client is written in python2, which though deprecated is still being shipped with base Big Sur installs. It is possible down the road that Apple will remove python2 (or python altogether) from base macOS installs but as of Nov 2020 this is not the case. Apple plans to eventually remove scripting runtimes from base macOS installs, but it is unknown when that will happen since Big Sur includes python.

YAML Source

Section titled “YAML Source”
id: mac-c2-jarm


info:
  name: MacC2 JARM - Detect
  author: pussycat0x
  severity: info
  description: |
    MacC2 is a macOS post exploitation tool written in python that uses Objective C calls or python libraries as opposed to command line executions. The client is written in python2, which though deprecated is still being shipped with base Big Sur installs. It is possible down the road that Apple will remove python2 (or python altogether) from base macOS installs but as of Nov 2020 this is not the case. Apple plans to eventually remove scripting runtimes from base macOS installs, but it is unknown when that will happen since Big Sur includes python.
  reference:
    - https://github.com/cedowens/C2-JARM
    - https://github.com/cedowens/MacC2
  metadata:
    max-request: 1
  tags: jarm,network,c2,ir,osint,cti,macc2,tcp
tcp:
  - inputs:
      - data: 2E
        type: hex
    host:
      - "{{Hostname}}"
    matchers:
      - type: dsl
        dsl:
          - "jarm(Hostname) == '2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261'"
          - "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
        condition: or
# digest: 490a00463044022011ec6da75c5c3c87ac3d76b4f3ab2f29d49a097f8263435bc1eb31a846e13615022061d1dd6142f3251dee8544cd13e3007a7afa32159ef30469dee2efcf6cb611d9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "network/jarm/c2/mac-c2-jarm.yaml"

View on Github