The Matrix contains information for the macOS platform
The number of possible procedures per technique is vast. These statistics use conservative estimates for coverage calculations.
Attack-macOS is a library of scripts mapped to MITRE ATT&CK. Security teams can use Attack-macOS to execute techniques and discover new detection opportunities in macOS environments.
Problem | Challenge | Solution |
---|---|---|
• Limited opensource security tools • Technique procedures primarily focused on tier I/II (advanced) Tool Index • Most commercial tools primarily focused on hardening and MDM |
• Insufficient capabilities to evaluate macOS defenses • Inadequate detection exposes systems to potential risks • Limited tooling hinders proactive security measures |
Build a library of macOS specific attack scripts dedicated to help identify better detection opportunities in macOS specific endpoint security solutions. |
This project aims to simplify the execution of Living Off The Land (LOTL) techniques via standalone, modular, flexible, interaperable, and easy-to-maintain scripts.
All Attack-macOS scripts use native macOS binaries, interpreters, playlists, libraries, tools, and utilities. If third-party tools are installed (brew
, slack
,jamf
), techniques that leverage third-party apps can be executed.
Feature | Description |
---|---|
Template | Includes a YAML template for creating new scripts and dynamically generating scripts. |
Modular Design | Self-contained scripts that can be used independently or combined, easily integrating with existing frameworks. |
Customizable | Easily modifiable and extendable, with centralized execution control via global variables and flags. |
macOS Native | Uses native tools and languages to emulate adversary techniques without external dependencies. |
MITRE ATT&CK Mapped | All scripts and arguments directly mapped to the MITRE ATT&CK framework. |
Logging | Consistent built-in logging capability across all scripts for output analysis. |
Encoding and Encryption | Multiple data encoding options and integrated encryption functions. |
Exfiltration | Simulates data exfiltration via HTTP or DNS protocols. |
Integration | Seamlessly integrates with existing security tools, automation pipelines, and CI/CD workflows. |
Install Options:
git clone https://github.com/armadoinc/attack-macos
Fetch and Execute:
TBD
Remote Execution:
TBD
This project is licensed under the Apache License 2.0. See the LICENSE file for more details.
In short, every macOS focused opensoruce security project, blog post, CTI, Apple Dev Docs, especially the archived docs, and MITRE ATT&CK. -- Full list hhere: --> Acknoledgements