[Repost] macOS Post-Exploitation Shenanigans with VSCode Extensions
Posted: 2021-1-15 08:18 1531

macOS Post-Exploitation Shenanigans with VSCode Extensions

Overview

It’s no secret that macOS post-exploitation is often centric around targeting the installed apps for privilege escalation, persistence and more. Indeed, we’ve previously posted about approaches for code injection in macOS apps in the past and would recommend a refresher if you’re unfamiliar with these techniques.


On a recent red team engagement, we were exploring the endpoint of a compromised engineer looking for opportunities to elevate. One of the apps the user was making heavy use of was VSCode, which led to further research into avenues to obtain code execution in the context of the app. As a supported means of code execution, perhaps the most obvious way to achieve this was through a “malicious” VSCode extension.


This post will cover how to create a malicious VSCode extension on macOS that can be used for further post-exploitation shenanigans.

https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/


