mktemp #

Created by Tim Peck (@B0bby_Tablez)

Description ##

The mktemp binary located in “usr/bin/mktemp” can generate unique directory or file names and has historically been used to generate unique payloads.

Paths ##

• /usr/bin/mktemp

Use Cases ##

Generate payload directory (Shlayer) ##

The following command can be used to generate a random directory name for staging payloads

export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"

Generate directory based on template file (Bundlore) ##

The following command can be used to generate a unique directory based on a template

TMP_DIR="mktemp -d -t x"

Detections ##

• No detections at time of publishing

Resources ##

• Shlayer malware abusing Gatekeeper bypass on macOS

• 20 Common Tools & Techniques Used by macOS Threat Actors & Malware