
Stolen Laptop Recovery via OSX Trap Partition

My MacBook Air has two partitions: my normal everyday partition, which is encrypted with FileVault 2, and a second partition that has Prey (http://preyproject.com/) installed and ready to mark my Mac as stolen as soon as it is connected to the Internet. The second partition also hides the Administrator account and limits what the Standard account can do. If Safari is launched, it also connects to Facebook, Gmail, Yahoo, and Twitter to entice the user to log into these services. I have it set up like this so that I have a better chance of recovering it after a theft. This post will walk you through setting up your own Mac laptop similarly to mine.

This will work on all Intel Macs, but it works best with the newer models that don't allow you to reset the Open Firmware password by changing the amount of RAM in the system or by booting from another disk without knowing the original firmware password. Any MacBook Air (Late 2010), MacBook Pro (Early 2011), iMac (Mid 2011) or later will work. Really, any MacBook made during 2011 should also be this way, but I can't find a source. Be sure to remember whatever password you set, as the only way to remove or change it on newer systems is by taking it to an Apple store.

Start by dividing your disk into two partitions. You can do this with the "Disk Utility" program in OS X: click the hard drive listed in the left side panel, then select Partition. From there you can resize the current partition. Make the new partition around 16 GB for now; we will shrink it later to around 5 GB.

Next, you'll need to create a Lion USB recovery stick. Download the Lion Recovery Disk Assistant at http://support.apple.com/kb/DL1433. Once installed, it needs a 4 GB USB stick to turn into a bootable install stick. When that is complete, shut down the Mac, hold down the Option key, and turn the system back on. Select the Lion USB stick and start the installation on the newly created partition.

Also be sure to set your Open Firmware password while you are at the Lion installation screen. At the Welcome screen choose "Firmware Password Utility" from the "Utilities" menu and proceed as directed. After that, continue the installation as described.

After you have installed the trap OS, boot into that partition and log in as the user you created when you installed Lion. Now create a new Standard user named "Apple" (or whatever you want); this will be the account that the computer automatically logs into. The next account to create is your hidden Administrator. Open the Terminal application and run the following commands.

sudo dscl . create /Groups/YOUR_NEW_USER_NAME
sudo dscl . create /Groups/YOUR_NEW_USER_NAME PrimaryGroupID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME
sudo dscl . create /Users/YOUR_NEW_USER_NAME PrimaryGroupID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME UniqueID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME UserShell /bin/bash
# Leave YOUR_USER_PASSWORD off and dscl prompts for it, keeping it out of shell history
sudo dscl . passwd /Users/YOUR_NEW_USER_NAME YOUR_USER_PASSWORD
# GroupMembership holds user names, not numeric IDs
sudo dscl . append /Groups/YOUR_NEW_USER_NAME GroupMembership YOUR_NEW_USER_NAME
sudo dscl . append /Groups/admin GroupMembership YOUR_NEW_USER_NAME
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array YOUR_NEW_USER_NAME
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

Be sure to replace YOUR_NEW_USER_NAME and YOUR_USER_PASSWORD with the username and password you want to use. The above commands do exactly what the Users & Groups pane in System Preferences does, except that we are not creating a home directory and we are manually setting the group and user ID to 400. Then we enable a setting in OS X that hides users with an ID lower than 500. This keeps the user out of most GUI listings and makes it harder for your account username to be located.
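As an added example (my own code, not the post's), here is the same dscl sequence wrapped in a script that checks its inputs first: it rejects account names that are not plain lowercase identifiers, refuses a UID of 500 or above (which Hide500Users would not hide), checks that the UID is not already taken, and lets dscl prompt for the password rather than taking it on the command line. It assumes it runs as root on the trap partition; DRY_RUN, the account name hiddenadmin, and UID/GID 400 (taken from the post) are the placeholders.

```shell
#!/bin/bash
# Added example, not the post's own code. Wraps the dscl recipe above with
# input checks. Assumptions: run as root on the trap partition; UID/GID 400
# and the Hide500Users setting are taken from the post; DRY_RUN=1 prints the
# commands instead of executing them.

: "${DRY_RUN:=0}"

# Accept only plain lowercase identifiers so the name cannot break the
# dscl record path or the defaults(1) array argument.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;   # empty, or contains other characters
        [0-9]*)          return 1 ;;   # must not start with a digit
    esac
    return 0
}

# Read "name uid" pairs on stdin (the output format of
# `dscl . list /Users UniqueID`) and succeed if the wanted UID is taken.
uid_in_use() {
    local want="$1" name uid
    while read -r name uid; do
        [ "$uid" = "$want" ] && return 0
    done
    return 1
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_hidden_admin NAME [UID]   (UID defaults to 400 as in the post)
create_hidden_admin() {
    local name="$1" id="${2:-400}"
    valid_username "$name" || { echo "invalid username: $name" >&2; return 2; }
    if [ "$id" -ge 500 ]; then
        echo "uid $id would not be hidden by Hide500Users" >&2
        return 2
    fi
    if [ "$DRY_RUN" != 1 ] && dscl . list /Users UniqueID | uid_in_use "$id"; then
        echo "uid $id is already in use" >&2
        return 2
    fi
    run dscl . create "/Groups/$name"
    run dscl . create "/Groups/$name" PrimaryGroupID "$id"
    run dscl . create "/Users/$name"
    run dscl . create "/Users/$name" PrimaryGroupID "$id"
    run dscl . create "/Users/$name" UniqueID "$id"
    run dscl . create "/Users/$name" UserShell /bin/bash
    # No password argument: dscl prompts for it, so the secret never lands
    # in shell history or in the process list.
    run dscl . passwd "/Users/$name"
    run dscl . append "/Groups/$name" GroupMembership "$name"
    run dscl . append /Groups/admin GroupMembership "$name"
    run defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
    run defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array "$name"
    run defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE
}
```

Run it as `DRY_RUN=1 bash -c '. ./hidden-admin.sh; create_hidden_admin hiddenadmin'` first to see exactly which commands would be issued, then again without DRY_RUN to apply them.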

With that account created, go into the Users & Groups pane and click Login Options. Turn on automatic login and set it to log into your trap user account, "Apple" in my example. Log out and log in as your fake user. Go back to Login Options, click the lock if it is in the locked position, and use your hidden account's username and password to remove your original Administrator account. After that is completed, click the lock again to make sure it's in the locked position.

With the users taken care of, go into Startup Disk in System Preferences and make sure the trap partition is selected and that the lock is again in the locked position. This prevents the machine from booting into your real partition on startup.

At this point it is time to install Prey. Download it while running under your trap account; when it asks for permission to install, enter your hidden Admin username and password and everything should install.

With Prey installed, if your laptop does get stolen you'll still need to mark it as such. We are going to set up a LaunchDaemon and create a script so that this happens automatically.

Before getting the script ready, we need two things from your OpenPrey account: your API key, found at http://panel.preyproject.com/profile, and your DeviceID. To find the DeviceID, click your device; the URL should be something like "http://panel.preyproject.com/devices/SIBDSD", so in this case your DeviceID would be SIBDSD.

Open Terminal once again and type "su YOUR_ADMIN_NAME". Once you're logged in as your admin user, run "sudo su"; you are now running as root. To create the script, open your favorite text editor and create a file called "prey.sh" in "/usr/bin/".

Be sure to replace the API key and device ID with yours.

<--Copy after this for /usr/bin/prey.sh contents-->

#!/bin/bash
API_KEY="DF2323"    # replace this with yours
DEVICE_ID="SIBDSD"  # replace this with yours
# Quote the expansions so an unexpected character in the key or ID cannot split the command
curl --user "$API_KEY:x" "http://control.preyproject.com/devices/$DEVICE_ID.xml" -X PUT -d "device[missing]=1"

<--Copy before this for /usr/bin/prey.sh contents-->

Make sure to make the script executable. The last thing to do is to create the LaunchDaemon and have it run automatically on startup.

I named my LaunchDaemon "com.jaku.prey.plist", but you could replace "jaku" with pretty much anything. Open your text editor one more time and create the file "com.jaku.prey.plist" (or whatever you called it) in "/Library/LaunchDaemons/"; just be sure to replace jaku in the text below as well.

<--Copy after this for /Library/LaunchDaemons/com.jaku.prey.plist contents-->

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.jaku.prey</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/prey.sh</string>
    </array>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>StartInterval</key>
    <integer>300</integer>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

<--Copy before this for /Library/LaunchDaemons/com.jaku.prey.plist contents-->

Once you are done with that, register the LaunchDaemon with the command "launchctl load /Library/LaunchDaemons/com.jaku.prey.plist". From now on, when the system starts up, the script will run every 5 minutes and try to mark the laptop as stolen on OpenPrey. You can change the "StartInterval" value in the LaunchDaemon to a higher or lower number if you want.
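As an added example covering both the prey.sh script and the LaunchDaemon above (my own code, not the post's or Prey's), here is a single script that does the marking call with proper quoting and a checked HTTP status, renders the plist with each program argument as its own string, and installs both with the root:wheel ownership and non-writable modes that launchd requires before it will load a daemon. The API key and device ID are read from a root-only config file instead of being written into a world-readable script, so the trap account cannot read them. The Prey URL and the "device[missing]=1" PUT body are taken from the post; PREY_CONF, the com.example.prey-trap label and the /usr/local/sbin install path are placeholders of mine.

```shell
#!/bin/bash
# Added example, not the post's own code: hardened prey.sh plus the
# LaunchDaemon that runs it. Assumed: the Prey URL and PUT body from the
# post; the API key and device ID live in a root-only config file
# (PREY_CONF, placeholder path) so the trap account cannot read them; the
# label and install paths are placeholders.

PREY_CONF="${PREY_CONF:-/etc/prey-trap.conf}"   # contains API_KEY=... and DEVICE_ID=...

# mark_device_missing API_KEY DEVICE_ID -> 0 only on an HTTP 2xx reply.
# --fail makes an HTTP error a non-zero curl exit; -sS discards progress
# output but still reports transport errors on stderr.
mark_device_missing() {
    local api_key="$1" device_id="$2" code
    code=$(curl -sS --fail -o /dev/null -w '%{http_code}' \
                --user "${api_key}:x" -X PUT -d 'device[missing]=1' \
                "http://control.preyproject.com/devices/${device_id}.xml") || return 1
    case "$code" in
        2??) return 0 ;;
        *)   return 1 ;;
    esac
}

# Escape the characters that would break a plist string value.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# render_launchd_plist LABEL INTERVAL PROGRAM [ARG...] -> plist on stdout.
# Each program argument becomes its own <string>, which is what launchd expects.
render_launchd_plist() {
    local label="$1" interval="$2" arg
    shift 2
    case "$interval" in
        ''|*[!0-9]*) echo "interval must be a positive integer" >&2; return 2 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$(xml_escape "$label")</string>
    <key>ProgramArguments</key>
    <array>
EOF
    for arg in "$@"; do
        printf '        <string>%s</string>\n' "$(xml_escape "$arg")"
    done
    cat <<EOF
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>${interval}</integer>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
</dict>
</plist>
EOF
}

# install_daemon LABEL [INTERVAL]: copies this script into place, writes the
# plist, and sets the ownership/modes launchd insists on. macOS only, as root.
install_daemon() {
    local label="$1" interval="${2:-300}"
    local script="/usr/local/sbin/${label}.sh"
    local plist="/Library/LaunchDaemons/${label}.plist"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -r "$PREY_CONF" ] || { echo "create $PREY_CONF with API_KEY= and DEVICE_ID= first" >&2; return 1; }
    chown root:wheel "$PREY_CONF" && chmod 600 "$PREY_CONF"   # key readable by root only
    cp "$0" "$script" && chown root:wheel "$script" && chmod 755 "$script"
    render_launchd_plist "$label" "$interval" "$script" --run > "$plist"
    chown root:wheel "$plist" && chmod 644 "$plist"
    launchctl load "$plist"
}

main() {
    case "${1:-}" in
        --install) install_daemon "${2:-com.example.prey-trap}" "${3:-300}" ;;
        --run)     . "$PREY_CONF"
                   mark_device_missing "${API_KEY:?}" "${DEVICE_ID:?}" ;;
        *)         echo "usage: $0 --install [label] [interval] | --run" >&2; return 2 ;;
    esac
}

# Only act when given a sub-command, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Install with `sudo ./prey-trap.sh --install com.example.prey-trap 300` after writing the two-line config file; launchd then runs `prey-trap.sh --run` at boot and every 300 seconds, exactly as the post's StartInterval does.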

After this, run "history -c && exit" a few times, until you are logged out of your terminal. This wipes the commands you just ran from the shell history so that no one can figure out what you did.

You are almost done now! Just a few last things and you're all set.

Now let's log into your original partition. Hold down the "Option" key on startup to choose your original partition; it will ask for the Open Firmware password you set earlier. Once you are in your original partition, go into System Preferences and click "Startup Disk"; as before, you may have to unlock it, but make sure that the disk selected is the trap partition. After that, go back into the "Disk Utility" program and shrink the trap partition. Once it is resized you can (re)enable FileVault 2 on your original partition.

The only thing left is to test the machine: make sure that when it first boots up it always logs into the trap partition, and that to get into the real one you need to hold down the Option key and type in your firmware password followed by your FileVault password.

That is about it for now. If you have any comments or questions be sure to let me know by commenting below. Thanks!
