
Overview

macOS provides a mix of standard Unix tools and Apple-specific utilities. This reference covers the most useful commands for security assessments and post-exploitation on macOS systems.

Automated Enumeration Tools

MacPEAS

The macOS version of PEASS — automated privilege escalation enumeration for Mac.

Metasploit enum_osx

Metasploit post-exploitation module for macOS enumeration.

SwiftBelt

macOS enumeration tool written in Swift for operational security.

System Information

# Basic system info
date
uptime
w                                    # Logged-in users
whoami
uname -a
system_profiler SPSoftwareDataType   # OS info

# Hardware and resources
system_profiler SPHardwareDataType   # Hardware info
sysctl -a                            # Kernel configuration
diskutil list                        # Connected drives
df -h                                # Disk usage

# Services and tasks
launchctl list                       # List all LaunchDaemon/LaunchAgent services
atq                                  # List "at" tasks for current user
nettop                               # Network usage by process (top-style)

Comprehensive system_profiler Commands

system_profiler SPPrintersDataType       # Printers
system_profiler SPApplicationsDataType  # Installed applications
system_profiler SPFrameworksDataType     # Installed frameworks
system_profiler SPDeveloperToolsDataType # Developer tools info
system_profiler SPStartupItemDataType    # Startup items
system_profiler SPNetworkDataType        # Network capabilities
system_profiler SPFirewallDataType       # Firewall status
system_profiler SPNetworkLocationDataType # Known networks
system_profiler SPBluetoothDataType      # Bluetooth info
system_profiler SPEthernetDataType       # Ethernet info
system_profiler SPUSBDataType            # USB devices
system_profiler SPAirPortDataType        # Airport/WiFi info

Searching for Interesting Files

# Find files containing a specific word (Spotlight)
mdfind password

# Find files by name containing a word
mdfind -name password

# Open app hidden (useful for stealth)
open -a <Application Name> --hide
open some.doc -a TextEdit

Network Commands

# ARP table
arp -i en0 -l -a

# Open network connections
lsof -i -P -n | grep LISTEN

# SMB shares
smbutil statshares -a

# Network services management
networksetup -listallnetworkservices
networksetup -listallhardwareports
networksetup -getinfo Wi-Fi
networksetup -getautoproxyurl Wi-Fi
networksetup -getwebproxy Wi-Fi
networksetup -getftpproxy Wi-Fi

User Process Enumeration

# All running services for a specific user domain
launchctl print gui/<user_UID>

# All running services under root
launchctl print system

# Details for a specific agent
launchctl print gui/<user_UID>/com.company.launchagent.label

Installed Software and Services

system_profiler SPApplicationsDataType   # GUI apps
system_profiler SPFrameworksDataType     # Frameworks
lsappinfo list                           # Installed apps (alternative)
launchctl list                           # Running services

Miscellaneous Useful Commands

# Prevent sleep
caffeinate &

# Take screenshot (asks for permission)
screencapture -x /tmp/ss.jpg

# Clipboard contents
pbpaste

# Make macOS speak (useful for presence testing)
say hello -v diego

# Flush DNS cache
dscacheutil -flushcache
sudo killall -HUP mDNSResponder

Privileged Operations

# Purge RAM
sudo purge

# Enable/disable SSH
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist   # enable
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist    # disable

# Start/stop Apache
sudo apachectl start
sudo apachectl stop
sudo apachectl restart
# Web root: /Library/WebServer/Documents/

Homebrew Package Management

brew list              # List installed packages
brew search <text>     # Search for a package
brew info <formula>    # Info about a package
brew install <formula>
brew uninstall <formula>
brew cleanup           # Remove older versions

Anti-Analysis / VM Detection Check

Some macOS malware and stealers use system_profiler to detect virtual machine environments and abort execution to evade sandboxes:

# Common VM detection snippet seen in macOS stealers
if system_profiler SPHardwareDataType SPDisplaysDataType | grep -Eiq 'qemu|kvm|vmware|virtualbox'; then
  exit 100
fi

Malware may exit with a specific exit code (e.g., 100) to signal sandbox detection to the operator, helping distinguish sandbox runs from real victim execution.

Quick Security Assessment Commands

# Check SIP status
csrutil status

# Check Gatekeeper status
spctl --status

# List loaded third-party kernel extensions
# (kextstat is deprecated since macOS 11; `kmutil showloaded` is the replacement)
kextstat | grep -v com.apple

# Binaries of processes not owned by root (field 11 of ps aux is the command path)
ps aux | grep -v "^root" | awk '{print $11}' | sort -u

# List all Launch Daemons (system-wide persistence)
ls /Library/LaunchDaemons/
ls /System/Library/LaunchDaemons/

# List Launch Agents (user-level persistence)
ls ~/Library/LaunchAgents/
ls /Library/LaunchAgents/
ls /System/Library/LaunchAgents/

# Check for login items
osascript -e 'tell application "System Events" to get the name of every login item'

# FileVault status
fdesetup status
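The status checks and persistence listings above are usually run one by one and eyeballed. The script below is an added example (not code from the original page) that turns them into a repeatable baseline: each parser takes the text its command prints and returns a normalised state, so the logic can be unit-tested against captured output on any POSIX system and run live on macOS. The plist summariser reads the XML form of a LaunchAgent/LaunchDaemon and reports Label, RunAtLoad and the command line, which is what a triage usually wants first. Function names, the `SAMPLE_PLIST` contents and the `com.example.backup` label are constructed for this example.

```shell
#!/bin/sh
# macos_baseline.sh: hypothetical defender-side baseline script (added example, not code
# from the page). Each parser takes the text the real command prints and returns a
# normalised state, so the same logic runs against captured output on any POSIX system
# and against live commands on macOS.

# Parse `csrutil status` output -> enabled | disabled | unknown
# ("unknown (Custom Configuration)" is what csrutil prints when SIP is partially disabled).
sip_state() {
  case "$1" in
    *"System Integrity Protection status: enabled"*)  echo enabled ;;
    *"System Integrity Protection status: disabled"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Parse `spctl --status` output -> enabled | disabled | unknown
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Parse `fdesetup status` output -> enabled | disabled | unknown
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo enabled ;;
    *"FileVault is Off"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Summarise an XML launchd plist read on stdin as "Label|RunAtLoad|command line".
# Small awk state machine keyed on the last <key> seen; binary plists must first be
# converted with `plutil -convert xml1`, which report() does below.
launchd_summary() {
  awk '
    /<key>/ { gsub(/.*<key>|<\/key>.*/, ""); key = $0; next }
    key == "Label" && /<string>/   { gsub(/.*<string>|<\/string>.*/, ""); label = $0 }
    key == "Program" && /<string>/ { gsub(/.*<string>|<\/string>.*/, ""); prog = $0 }
    key == "ProgramArguments" && /<string>/ {
      gsub(/.*<string>|<\/string>.*/, ""); args = args (args ? " " : "") $0
    }
    key == "RunAtLoad" && /<true\/>/  { ral = "true" }
    key == "RunAtLoad" && /<false\/>/ { ral = "false" }
    END { printf "%s|%s|%s\n", label, (ral ? ral : "false"), (args ? args : prog) }
  '
}

# Run a live check only when the tool exists (i.e. on macOS); $1 = parser, rest = command.
live_state() {
  parser=$1; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$parser" "$("$@" 2>&1)"
  else
    echo n/a
  fi
}

# Print the baseline plus a one-line summary of every persistence plist in the writable
# LaunchAgents/LaunchDaemons directories (/System/Library is left out: it is SIP-protected).
report() {
  printf 'SIP:        %s\n' "$(live_state sip_state csrutil status)"
  printf 'Gatekeeper: %s\n' "$(live_state gatekeeper_state spctl --status)"
  printf 'FileVault:  %s\n' "$(live_state filevault_state fdesetup status)"
  for dir in ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons; do
    for f in "$dir"/*.plist; do
      [ -f "$f" ] || continue
      printf '%s: %s\n' "$f" "$(plutil -convert xml1 -o - "$f" 2>/dev/null | launchd_summary)"
    done
  done
}

# Constructed sample LaunchAgent (not from any real system) to exercise launchd_summary.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/backup-agent</string>
        <string>--daemon</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>'

printf '%s\n' "$SAMPLE_PLIST" | launchd_summary   # com.example.backup|true|/usr/local/bin/backup-agent --daemon
report
```

On a non-macOS host the three status lines print `n/a` and the plist loop finds nothing, which is the intended degraded mode: the parsers are the part worth testing, and they are deliberately kept separate from the commands that feed them so a captured `csrutil status` or exported plist from an incident can be run through the same code.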
