{"id":13845662,"url":"https://github.com/XMCyber/MacHound","last_synced_at":"2025-07-12T03:31:27.561Z","repository":{"id":50357673,"uuid":"339314006","full_name":"XMCyber/MacHound","owner":"XMCyber","description":null,"archived":false,"fork":false,"pushed_at":"2021-02-16T13:00:23.000Z","size":29,"stargazers_count":100,"open_issues_count":0,"forks_count":21,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-08-05T17:45:02.574Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XMCyber.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-02-16T07:11:41.000Z","updated_at":"2024-07-09T16:06:37.000Z","dependencies_parsed_at":"2022-09-11T22:23:41.325Z","dependency_job_id":null,"html_url":"https://github.com/XMCyber/MacHound","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XMCyber%2FMacHound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XMCyber%2FMacHound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XMCyber%2FMacHound/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XMCyber%2FMacHound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XMCyber","download_url":"https://codeload.github.com/XMCyber/MacHound/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225791374,"owners_count":17524772,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:03:32.243Z","updated_at":"2024-11-21T19:30:26.869Z","avatar_url":"https://github.com/XMCyber.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# What is MacHound\nMacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts.\nMacHound collects information about logged-in users, and administrative group members on Mac machines and ingest the information into the Bloodhound database. \nIn addition to using the HasSession and AdminTo edges, MacHound adds three new edges to the Bloodhound database:\n* CanSSH - entity allowed to SSH to host\n* CanVNC - entity allowed to VNC to host\n* CanAE - entity allowed to execute AppleEvent scripts on host \n\nTo read more about MacHound, refer to the [introduction post](https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6)\n\n# Data Collection\n## Logged-in users (HasSession)\nMacHound uses the utmpx API to query currently active users and OpenDirectory and membership API to validate Active Directory users.\n\n## Administrative Groups\nMacHound collects Active Directory members of the following local administrative groups:\n\n### admin\nThe local administrative groups, allowing for root operations.\n\n### com.apple.access_ssh\nMembers of this local group are allowed to access the remote login service (SSH).\n\n### com.apple.remote_ae\nMembers of this local group are allowed to remotely execute AppleEvent scripts.\n\n### com.apple.access_screensharing\nMembers of this local group are allowed to access the screen sharing service (VNC)\n\n# Components\nMacHound is split into two main components: the collector and the ingestor.\n\n### Collector\nThe MacHound collector is a Python3.7 scripts that run locally on Active Directory joined MacOS hosts.\nThe collector queries the local OpenDirectory and the Active Directory for information about priviliged users and groups.\nThe output of the execution is a JSON file that contains all the collected information.\n\n### Ingestor\nThe MacHound ingestor is a Python3.7 script that parses the output JSON files (one per host), connects to the neo4j database and inserts the edges to the database.\nThe ingestor uses the neo4j library for Python to query information to and from the neo4j database.\nThe ingestor must be executed on a host that has TCP access to the neo4j database.\n\n# Getting Started\n\n## Requirements\nMacHound requires Python3.7.\nThe ingestor requires the neo4j library for Python3.7.\n‏\n## Collector\n\n### Deployment\nThe Collector should be deployed and executed locally on Macs. The output is stored locally and needs to be transfered to the host running the ingestor. The collector depends on builtin libraries in Python3.7  and does not require additional installations.\nMacHound can be compiled as an Application using the py2app library to ease the deployment.\n\n### Usage\nThe Collector takes no arguments by default queries all information, and writes the output file into ./output.json.\nThe Collector must be executed as a root user.\n```\ncollector.py -o \u003coutput_file\u003e -c \u003cAdmin,CanSSH,CanVNC,CanAE,HasSession\u003e [-v] [-l log_file_path]\n```\n\n## Ingestor\nThe Ingestor should be deployed on a host that has direct TCP connection to Bloodhound's neo4j database, preferably locally on the neo4j database server to avoid security risks.\nThe ingestor requires the installation of neo4j driver for Python (see requirements file).\n\n```\ningestor.py \u003curl_to_neo4j\u003e -u \u003cusername\u003e -p \u003cpassword\u003e -i \u003cjson_folder\u003e\n```\n\n# License\nMacHound is released under the GPL-3.0 License. For more details see LICENSE.md.\n\n# Contact Us\nFor any question, suggestion, bug reporting please feel free to contact at rony@xmcyber.com\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXMCyber%2FMacHound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FXMCyber%2FMacHound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXMCyber%2FMacHound/lists"}