Evasion Tunnel Mac OS
To initiate your SSH tunnel, open the macOS Terminal.app and connect to your remote server via SSH with the following flags:
ssh -D 8080 -C -N username@example.com
This launches the SSH tunnel with a SOCKS proxy on local port 8080 and routes all traffic sent through it (securely) via the server at example.com.
After doing some research I figured out how to solve this problem. It needs some hard-coding though and might not be suitable for everyone!
macOS Mojave uses the standard Unix networking services. That means you can manipulate the route table of your network to achieve split tunneling. Therefore it is necessary to run two commands:
route -nv add -net 192.168.188 -interface utun1
The first command adds a new entry to the route table that does the following:
'Hey Network, if you want to reach any address in the range 192.168.188.0 to 192.168.188.255 then you have to use the configured interface utun1.'
Here utun1 is my VPN tunnel to the business network. To figure out what your interface is named you can use the command 'ifconfig' in the Terminal.
The second command changes an entry in the route table:
'Hey Network, if you want to reach any address you DO NOT have a special entry in your table, then use 192.168.178.1 to go there.'
Here default stands for 'any address not in your list' and 192.168.178.1 is my local home router, which has its own DNS addresses configured and will be able to resolve any address I am looking for except the ones directly specified in my route table.
Information:
I tried to keep this as understandable as possible. Feel free to ask, but I am not sure if I'll be around that often. All in all this is working for me. I am not using the connection too often, so I can easily use these two commands when I need to. If you have another, easier solution I am happy to hear about it!
Jan 23, 2019 1:53 AM
macOS sandbox detection methods
1. Hardware model detection method
2. Check if hyperthreading is enabled
3. Memory size detection method
4. I/O Kit Registry detection method
5. Boot ROM Version detection method
6. Check if System Integrity Protection is enabled
Signature recommendations
Countermeasures
macOS sandbox detection methods
Most macOS-specific methods for sandbox and virtual environment detection are based on using shell commands such as “sysctl” and “ioreg”. Instead of providing code sample blocks, we show the commands and their arguments. Unfortunately, we can’t collect command outputs for various hypervisors due to Apple software licensing policy. Therefore, we compare the command outputs for physical and virtual machines when possible.
1. Hardware model detection method
The command used:
If running on native Apple hardware, the returned value contains the model name of the hardware:
On virtualized hardware, the value may contain the hypervisor name:
This technique was seen in the MacRansom malware. If the command output doesn't contain the 'Mac' substring, the malware considers that it is running in a virtual machine.
2. Check if hyperthreading is enabled
Most Apple hardware (MacBook, Mac mini) released before 2018 came with hyperthreading enabled. This means that the number of physical cores is equal to half the number of logical cores. However, some hypervisors don’t provide the ability to change the number of logical cores, which is always equal to the number of physical cores.
The command used:
On physical hardware, the output value of the command must be equal to '2'. This technique was seen in the MacRansom malware.
We should note that new hardware comes with hyperthreading disabled, for example, the Mac mini with a 6‑core Intel Core i7 CPU. Therefore, this method should be considered outdated.
3. Memory size detection method
This method is similar to the memory size detection method used for PCs. When running several virtual machines, each VM is allocated a small amount of RAM, whereas Apple physical hardware usually has more than 4 GB of RAM.
The command used:
The command returns the RAM size in bytes, for example: 17179869184.
4. I/O Kit Registry detection method
There are several ways in which a virtual machine can be detected using the I/O Kit Registry.
Checking the 'IOPlatformExpertDevice' registry class
The command used:
The following fields of the IOPlatformExpertDevice class can be checked in order to detect a virtual machine:
Field | Physical hardware example value | Virtual machine example value | VM detection rule |
---|---|---|---|
IOPlatformSerialNumber | 'C07T40BYG1J2' | '0' | Equal to '0' |
board-id | <'Mac-87C4F04823D6BACF'> | <'VirtualBox'> | Contains 'VirtualBox', 'VMware', etc. |
manufacturer | <'Apple Inc.'> | <'innotek GmbH'> | Doesn't contain 'Apple' |
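For a sandbox operator who wants to check whether their own analysis VM exposes these fields, here is an added example (not code from the original article) that parses the output of `ioreg -rd1 -c IOPlatformExpertDevice` and applies the three rules from the table. The two sample dumps are constructed from the table's example values; 'Parallels' and 'QEMU' in the hypervisor list are assumed additions to the table's 'VirtualBox' and 'VMware'.

```python
import re

# Hypervisor names the table's board-id rule looks for. 'VirtualBox' and
# 'VMware' come from the table; the other two are assumed additions.
HYPERVISOR_NAMES = ("VirtualBox", "VMware", "Parallels", "QEMU")

# Constructed samples in the shape of `ioreg -rd1 -c IOPlatformExpertDevice`
# output, using the example values from the table above.
PHYSICAL_SAMPLE = """\
+-o MacBookPro14,1  <class IOPlatformExpertDevice, id 0x100000110, registered, matched, active, busy 0 (1 ms), retain 37>
    {
      "IOPlatformSerialNumber" = "C07T40BYG1J2"
      "board-id" = <"Mac-87C4F04823D6BACF">
      "manufacturer" = <"Apple Inc.">
    }
"""
VIRTUAL_SAMPLE = """\
+-o VirtualBox  <class IOPlatformExpertDevice, id 0x100000110, registered, matched, active, busy 0 (1 ms), retain 37>
    {
      "IOPlatformSerialNumber" = "0"
      "board-id" = <"VirtualBox">
      "manufacturer" = <"innotek GmbH">
    }
"""

def parse_ioreg_properties(text):
    """Collect the "key" = value pairs of a one-object ioreg dump into a dict."""
    props = {}
    for m in re.finditer(r'^\s*"([^"]+)"\s*=\s*(.+?)\s*$', text, re.M):
        # Strings print as "..." and data blobs as <"...">; keep the bare text.
        props[m.group(1)] = m.group(2).strip("<>").strip('"')
    return props

def vm_indicators(props):
    """Return the table rules that fire; an empty list means nothing gave the VM away."""
    hits = []
    if props.get("IOPlatformSerialNumber") == "0":
        hits.append("IOPlatformSerialNumber equals '0'")
    board = props.get("board-id", "")
    if any(name.lower() in board.lower() for name in HYPERVISOR_NAMES):
        hits.append("board-id names a hypervisor")
    # A missing manufacturer field also fails the "contains 'Apple'" rule.
    if "Apple" not in props.get("manufacturer", ""):
        hits.append("manufacturer does not contain 'Apple'")
    return hits
```

On a real macOS host, pass the captured output of `ioreg -rd1 -c IOPlatformExpertDevice` to parse_ioreg_properties; any rule reported by vm_indicators is a field the sandbox should be reconfigured to hide.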
Checking USB device vendor names
The commands used:
Sample output on native Apple hardware:
On virtualized hardware, the value may contain the hypervisor name:
A virtual machine can be detected by checking if the command output contains a hypervisor name, for example 'VirtualBox', 'VMware', etc.
Another option is to call the ioreg command with the “-l” option, which makes it show properties for all objects. The output should be checked against known hypervisor names, for example:
The above command counts the number of occurrences of various hypervisor names in the ioreg output. If the number of occurrences is greater than 0, the system is likely virtualized.
5. Boot ROM Version detection method
The command used:
If running on native Apple hardware, the returned value contains the letter code for the corresponding Apple product, for example, “MM” for Mac mini, “MBP” for MacBook Pro, “MBA” for MacBook Air:
If running on a virtual machine, the returned value may contain the hypervisor name:
This method is implemented in OceanLotus malware, as shown below:
6. Check if System Integrity Protection is enabled
Recent versions of macOS have the System Integrity Protection (SIP) feature. If a sandbox uses an unsigned kernel extension for monitoring purposes, SIP must be disabled to load this kind of kernel extension. Malware may therefore check whether SIP is enabled.
The command used:
The command returns the SIP status, for example: “System Integrity Protection status: enabled.”
Signature recommendations
There is a trade-off between the number of detected evasion techniques and the false-positive rate. If we want to detect as many attempts to use evasion techniques as possible, we should use signatures with a broad scope. If a process is created with one of the following command lines, this indicates that an application is trying to use an evasion technique:
However, the commands mentioned above can be used both to perform evasion techniques and to gather system information. To reduce the rate of false-positive detections, malware-specific signatures can be used, for example:
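As an added example that is not part of the original article (whose own signature lists are not reproduced on this page), the following Python applies a broad and a narrow signature set to constructed process-creation events and shows how the two tiers separate. The command-line patterns are assumptions built from the method descriptions above (standard macOS sysctl keys, ioreg, system_profiler and csrutil invocations).

```python
import re

# Broad signatures: one per method above. The probe commands are the standard
# macOS sysctl/ioreg/system_profiler/csrutil invocations and are assumed here,
# since the article's own command list is not reproduced on this page.
BROAD_SIGNATURES = {
    "hardware_model": re.compile(r"\bsysctl\b.*\bhw\.model\b"),
    "hyperthreading": re.compile(r"\bsysctl\b.*\bhw\.(logical|physical)cpu"),
    "memory_size": re.compile(r"\bsysctl\b.*\bhw\.memsize\b"),
    "iokit_registry": re.compile(r"\bioreg\b.*(-c\s+IOPlatformExpertDevice|-l\b)"),
    "boot_rom": re.compile(r"\bsystem_profiler\b.*SPHardwareDataType"),
    "sip_status": re.compile(r"\bcsrutil\s+status\b"),
}

# Narrow, malware-specific signatures: the probe plus the check applied to its
# output (method 1's 'Mac' substring test, method 4's hypervisor-name count).
# Assumed shapes, modelled on the descriptions above.
NARROW_SIGNATURES = {
    "hw_model_mac_check": re.compile(r"hw\.model\b.*\|.*\bgrep\b.*\bMac\b"),
    "ioreg_hypervisor_count": re.compile(
        r"\bioreg\s+-l\b.*\|.*\bgrep\b.*-c.*(VirtualBox|VMware|Parallels)", re.I),
}

# Constructed process-creation events as an EDR might record them.
SAMPLE_EVENTS = [
    {"pid": 401, "cmdline": "sysctl -n hw.model"},  # admin inventory script
    {"pid": 402, "cmdline": "/bin/sh -c 'sysctl hw.model | grep Mac'"},
    {"pid": 403, "cmdline": "/bin/sh -c 'ioreg -l | grep -c -e VirtualBox -e VMware'"},
    {"pid": 404, "cmdline": "csrutil status"},
    {"pid": 405, "cmdline": "ls -la /Applications"},
]

def match_signatures(cmdline, signatures):
    """Names of the signatures whose pattern occurs in the command line."""
    return [name for name, rx in signatures.items() if rx.search(cmdline)]

def triage(events):
    """Map pid -> (broad hits, narrow hits); only narrow hits merit a high-severity alert."""
    results = {}
    for ev in events:
        broad = match_signatures(ev["cmdline"], BROAD_SIGNATURES)
        narrow = match_signatures(ev["cmdline"], NARROW_SIGNATURES)
        if broad or narrow:
            results[ev["pid"]] = (broad, narrow)
    return results

if __name__ == "__main__":
    for pid, (broad, narrow) in triage(SAMPLE_EVENTS).items():
        print(pid, "HIGH" if narrow else "LOW", broad, narrow)
```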
Countermeasures
Apple software licensing policy doesn’t allow emulating macOS on hardware other than original Apple hardware. It also doesn’t allow more than 2 virtual machines to run on one host machine. Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.