Skip to content
/ CalendarPersist Public

JXA script to allow programmatic persistence via macOS Calendar.app alerts.

40 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

FSecureLABS/CalendarPersist

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
CalendarPersist.js
CalendarPersist.js
 
 
README.md
README.md
 
 

Repository files navigation

CalendarPersist

JXA script to allow programmatic persistence via macOS Calendar.app alerts.

Fore full information read: https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos

Usage

Import the script in Mythic's Apfell payload using the following commands.

jsimport
jsimport_call

Once imported, all of the functions within the script can be called.

List Calendars

list_calendars()

The list_calendars command will return a list of calendars configured within the target's Calendar application. The calendar type (https://developer.apple.com/documentation/eventkit/ekcalendartype) and UID is returned also.

List Events

list_calendar_events(numberOfHours)

list_calendar_events will return events across all calendars between the current time and the number of hours specified as an argument.

  • numberOfHours: Number of hours in the future that form the time window for returned events.

For example, list_calendar_events(24) will return all of the events in the next 24 hours.

Persist via Calendar Event

persist_calalert(title, target, delay, frequency, interval, end, uid)

This command creates new events and inserts them into the calendar with an alert that executes an application.

  • title: Title of the created event(s)
  • target: Full path to the application to execute as persistence.
  • delay: Number of seconds in the future to create the first event.
  • frequency: String representing the frequency of the calendar series. (daily, weekly, monthly, yearly)
  • interval: Units of time between each event in the series. For example, if 2 and weekly, the events will be every second week.
  • end: Number of events to insert before ending the series.
  • uid: UID of the calendar to insert the event.

Persist via Backdooring Existing Event

persist_calalert_existing(uid, target)

This command adds a procedure alarm to an existing calendar event.

  • uid: UID of the target event.
  • target: Full path to the application to execute as persistence.

Hide Calendar

hide_calendar(uid)

This function "unchecks" the show calendar button within Calendar.app. Whilst it can be trivially re-enabled, this might help hide the created events in some situations.

  • uid: UID of the calendar to be hidden.

Contributors

I want to take the time to thank those who have helped fix or add to this script, cheers!

About

JXA script to allow programmatic persistence via macOS Calendar.app alerts.

Resources

Readme
Activity
Custom properties

Stars

40 stars

Watchers

7 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages