Skip to content
/ attack-macOS Public template

A library of MacOS scripts based on threat emulation, community research, CTI, atomic-red-team, and MITRE ATT&CK.

Notifications You must be signed in to change notification settings

darmado/attack-macOS

Repository files navigation


attack-macOS

Shell JXA Swift STIX MITRE ATT&CK License macOS Compatibility

Join Community X Follow

MITRE ATT&CK Coverage Matrix

ATT&CK CoverageKey FeaturesCompatibilityQuick StartLicense

The Matrix contains information for the macOS platform
The number of possible procedures per technique is vast. These statistics use conservative estimates for coverage calculations.

Technique Coverage Known Techniques Procedure Coverage Estimated Known Procedures

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact
T1133
External Remote Services
T1129
Shared Modules
T1205.002
Socket Filters
T1037
Boot or Logon Initialization Scripts
T1205.002
Socket Filters
T1557
Adversary-in-the-Middle
T1033
System Owner/User Discovery
T1021.005
VNC
T1560.001
Archive via Utility
T1205.002
Socket Filters
T1567
Exfiltration Over Web Service
T1561.002
Disk Structure Wipe
T1195.001
Compromise Software Dependencies and Development Tools
T1059.007
JavaScript
T1037
Boot or Logon Initialization Scripts
T1574.007
Path Interception by PATH Environment Variable
T1027.009
Embedded Payloads
T1556.003
Pluggable Authentication Modules
T1016.001
Internet Connection Discovery
T1080
Taint Shared Content
T1113
Screen Capture
T1132.001
Standard Encoding
T1567.004
Exfiltration Over Webhook
T1498.001
Direct Network Flood
T1566.002
Spearphishing Link
T1204.002
Malicious File
T1556.003
Pluggable Authentication Modules
T1543
Create or Modify System Process
T1556.003
Pluggable Authentication Modules
T1056.001
Keylogging
T1069
Permission Groups Discovery
T1021.004
SSH
T1557
Adversary-in-the-Middle
T1568.002
Domain Generation Algorithms
T1029
Scheduled Transfer
T1491.002
External Defacement
T1566.001
Spearphishing Attachment
T1053.003
Cron
T1574.007
Path Interception by PATH Environment Variable
T1546.006
LC_LOAD_DYLIB Addition
T1564.012
File/Path Exclusions
T1110.001
Password Guessing
T1652
Device Driver Discovery
T1563.001
SSH Hijacking
T1056.001
Keylogging
T1071.004
DNS
T1011
Exfiltration Over Other Network Medium
T1499.001
OS Exhaustion Flood
T1195.003
Compromise Hardware Supply Chain
T1053
Scheduled Task/Job
T1543
Create or Modify System Process
T1548.003
Sudo and Sudo Caching
T1222.002
Linux and Mac File and Directory Permissions Modification
T1003
OS Credential Dumping
T1087.002
Domain Account
T1021
Remote Services
T1123
Audio Capture
T1573.001
Symmetric Cryptography
T1011.001
Exfiltration Over Bluetooth
T1499.003
Application Exhaustion Flood
T1195
Supply Chain Compromise
T1059.002
AppleScript
T1133
External Remote Services
T1547
Boot or Logon Autostart Execution
T1574.007
Path Interception by PATH Environment Variable
T1539
Steal Web Session Cookie
T1087.001
Local Account
T1563
Remote Service Session Hijacking
T1560.003
Archive via Custom Method
T1568.001
Fast Flux DNS
T1020
Automated Exfiltration
T1561
Disk Wipe
T1190
Exploit Public-Facing Application
T1106
Native API
T1546.006
LC_LOAD_DYLIB Addition
T1053.003
Cron
T1564.008
Email Hiding Rules
T1555.002
Securityd Memory
T1497.001
System Checks
T1072
Software Deployment Tools
T1114
Email Collection
T1071
Application Layer Protocol
T1048.001
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1565.001
Stored Data Manipulation
T1659
Content Injection
T1059
Command and Scripting Interpreter
T1547
Boot or Logon Autostart Execution
T1053
Scheduled Task/Job
T1027.013
Encrypted/Encoded File
T1110.002
Password Cracking
T1069.002
Domain Groups
T1210
Exploitation of Remote Services
T1025
Data from Removable Media
T1219
Remote Access Software
T1567.001
Exfiltration to Code Repository
T1489
Service Stop
T1078.001
Default Accounts
T1569.001
Launchctl
T1053.003
Cron
T1037.002
Login Hook
T1014
Rootkit
T1555.001
Keychain
T1007
System Service Discovery
T1534
Internal Spearphishing
T1074.001
Local Data Staging
T1659
Content Injection
T1048.002
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1499.004
Application or System Exploitation
T1199
Trusted Relationship
T1559.003
XPC Services
T1053
Scheduled Task/Job
T1055
Process Injection
T1548.003
Sudo and Sudo Caching
T1555.005
Password Managers
T1040
Network Sniffing
T1570
Lateral Tool Transfer
T1119
Automated Collection
T1205
Traffic Signaling
T1041
Exfiltration Over C2 Channel
T1565.003
Runtime Data Manipulation
T1566
Phishing
T1204
User Execution
T1176
Browser Extensions
T1543.004
Launch Daemon
T1036.005
Match Legitimate Name or Location
T1040
Network Sniffing
T1135
Network Share Discovery
T1115
Clipboard Data
T1572
Protocol Tunneling
T1048
Exfiltration Over Alternative Protocol
T1498.002
Reflection Amplification
T1078
Valid Accounts
T1072
Software Deployment Tools
T1037.002
Login Hook
T1078.001
Default Accounts
T1036.008
Masquerade File Type
T1558
Steal or Forge Kerberos Tickets
T1120
Peripheral Device Discovery
T1074.002
Remote Data Staging
T1071.003
Mail Protocols
T1052.001
Exfiltration over USB
T1499.002
Service Exhaustion Flood
T1566.004
Spearphishing Voice
T1059.004
Unix Shell
T1205
Traffic Signaling
T1546.005
Trap
T1564
Hide Artifacts
T1555
Credentials from Password Stores
T1082
System Information Discovery
T1005
Data from Local System
T1092
Communication Through Removable Media
T1567.003
Exfiltration to Text Storage Sites
T1491
Defacement
T1195.002
Compromise Software Supply Chain
T1559
Inter-Process Communication
T1543.004
Launch Daemon
T1574.006
Dynamic Linker Hijacking
T1497.001
System Checks
T1552
Unsecured Credentials
T1016.002
Wi-Fi Discovery
T1560.002
Archive via Library
T1090.002
External Proxy
T1567.002
Exfiltration to Cloud Storage
T1657
Financial Theft
T1078.002
Domain Accounts
T1203
Exploitation for Client Execution
T1505.003
Web Shell
T1548
Abuse Elevation Control Mechanism
T1070.002
Clear Linux or Mac System Logs
T1555.003
Credentials from Web Browsers
T1010
Application Window Discovery
T1560
Archive Collected Data
T1090
Proxy
T1030
Data Transfer Size Limits
T1491.001
Internal Defacement
T1200
Hardware Additions
T1059.006
Python
T1078.001
Default Accounts
T1548.001
Setuid and Setgid
T1027.008
Stripped Payloads
T1557.003
DHCP Spoofing
T1497.003
Time Based Evasion
T1557.003
DHCP Spoofing
T1568
Dynamic Resolution
T1052
Exfiltration Over Physical Medium
T1565
Data Manipulation
T1189
Drive-by Compromise
T1569
System Services
T1546.005
Trap
T1098.004
SSH Authorized Keys
T1553.001
Gatekeeper Bypass
T1552.004
Private Keys
T1217
Browser Information Discovery
T1056.003
Web Portal Capture
T1102
Web Service
T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol
T1531
Account Access Removal
T1566.003
Spearphishing via Service
T1059.005
Visual Basic
T1574.006
Dynamic Linker Hijacking
T1547.015
Login Items
T1553.002
Code Signing
T1110.003
Password Spraying
T1016
System Network Configuration Discovery
T1125
Video Capture
T1568.003
DNS Calculation
T1486
Data Encrypted for Impact
T1078.003
Local Accounts
T1204.001
Malicious Link
T1136.001
Local Account
T1546.014
Emond
T1036.009
Break Process Trees
T1056.003
Web Portal Capture
T1087
Account Discovery
T1114.003
Email Forwarding Rule
T1104
Multi-Stage Channels
T1499
Endpoint Denial of Service
T1053.002
At
T1098.004
SSH Authorized Keys
T1098
Account Manipulation
T1070.007
Clear Network Connection History and Configurations
T1649
Steal or Forge Authentication Certificates
T1083
File and Directory Discovery
T1074
Data Staged
T1205.001
Port Knocking
T1496
Resource Hijacking
T1136.002
Domain Account
T1547.006
Kernel Modules and Extensions
T1070.003
Clear Command History
T1552.003
Bash History
T1049
System Network Connections Discovery
T1056.002
GUI Input Capture
T1071.002
File Transfer Protocols
T1565.002
Transmitted Data Manipulation
T1542.002
Component Firmware
T1574
Hijack Execution Flow
T1140
Deobfuscate/Decode Files or Information
T1552.001
Credentials In Files
T1497
Virtualization/Sandbox Evasion
T1039
Data from Network Shared Drive
T1102.003
One-Way Communication
T1485
Data Destruction
T1542
Pre-OS Boot
T1078
Valid Accounts
T1562
Impair Defenses
T1606.001
Web Cookies
T1654
Log Enumeration
T1056
Input Capture
T1090.003
Multi-hop Proxy
T1498
Network Denial of Service
T1547.015
Login Items
T1068
Exploitation for Privilege Escalation
T1036
Masquerading
T1606
Forge Web Credentials
T1057
Process Discovery
T1557.002
ARP Cache Poisoning
T1001
Data Obfuscation
T1495
Firmware Corruption
T1205.001
Port Knocking
T1546
Event Triggered Execution
T1070.008
Clear Mailbox Data
T1621
Multi-Factor Authentication Request Generation
T1497.002
User Activity Based Checks
T1213
Data from Information Repositories
T1571
Non-Standard Port
T1490
Inhibit System Recovery
T1554
Compromise Host Software Binary
T1546.004
Unix Shell Configuration Modification
T1055
Process Injection
T1212
Exploitation for Credential Access
T1069.001
Local Groups
T1573
Encrypted Channel
T1561.001
Disk Content Wipe
T1546.014
Emond
T1548.004
Elevated Execution with Prompt
T1205
Traffic Signaling
T1056.002
GUI Input Capture
T1201
Password Policy Discovery
T1102.002
Bidirectional Communication
T1529
System Shutdown/Reboot
T1098
Account Manipulation
T1037.005
Startup Items
T1218
System Binary Proxy Execution
T1110
Brute Force
T1614.001
System Language Discovery
T1573.002
Asymmetric Cryptography
T1547.006
Kernel Modules and Extensions
T1078.002
Domain Accounts
T1070.006
Timestomp
T1110.004
Credential Stuffing
T1614
System Location Discovery
T1095
Non-Application Layer Protocol
T1574
Hijack Execution Flow
T1543.001
Launch Agent
T1620
Reflective Code Loading
T1556.006
Multi-Factor Authentication
T1518.001
Security Software Discovery
T1001.003
Protocol Impersonation
T1078
Valid Accounts
T1546.016
Installer Packages
T1564.011
Ignore Process Interrupts
T1056
Input Capture
T1018
Remote System Discovery
T1090.004
Domain Fronting
T1556.006
Multi-Factor Authentication
T1037.004
RC Scripts
T1497.003
Time Based Evasion
T1557.002
ARP Cache Poisoning
T1046
Network Service Discovery
T1132
Data Encoding
T1546
Event Triggered Execution
T1547.007
Re-opened Applications
T1562.004
Disable or Modify System Firewall
T1111
Multi-Factor Authentication Interception
T1518
Software Discovery
T1132.002
Non-Standard Encoding
T1546.004
Unix Shell Configuration Modification
T1548.006
TCC Manipulation
T1218.015
Electron Applications
T1556
Modify Authentication Process
T1622
Debugger Evasion
T1071.001
Web Protocols
T1037.005
Startup Items
T1053.002
At
T1553.006
Code Signing Policy Modification
T1124
System Time Discovery
T1105
Ingress Tool Transfer
T1078.002
Domain Accounts
T1574.004
Dylib Hijacking
T1027.001
Binary Padding
T1665
Hide Infrastructure
T1543.001
Launch Agent
T1078.003
Local Accounts
T1078.001
Default Accounts
T1001.002
Steganography
T1505
Server Software Component
T1574.006
Dynamic Linker Hijacking
T1008
Fallback Channels
T1546.016
Installer Packages
T1222
File and Directory Permissions Modification
T1090.001
Internal Proxy
T1037.004
RC Scripts
T1548
Abuse Elevation Control Mechanism
T1102.001
Dead Drop Resolver
T1136
Create Account
T1548.001
Setuid and Setgid
T1001.001
Junk Data
T1547.007
Re-opened Applications
T1562.006
Indicator Blocking
T1653
Power Settings
T1036.002
Right-to-Left Override
T1053.002
At
T1542.002
Component Firmware
T1556
Modify Authentication Process
T1070
Indicator Removal
T1574.004
Dylib Hijacking
T1036.004
Masquerade Task or Service
T1078.003
Local Accounts
T1647
Plist File Modification
T1542
Pre-OS Boot
T1562.010
Downgrade Attack
T1497
Virtualization/Sandbox Evasion
T1480
Execution Guardrails
T1205.001
Port Knocking
T1564.002
Hidden Users
T1562.003
Impair Command History Logging
T1497.002
User Activity Based Checks
T1562.001
Disable or Modify Tools
T1574
Hijack Execution Flow
T1027.005
Indicator Removal from Tools
T1078
Valid Accounts
T1564.009
Resource Forking
T1027
Obfuscated Files or Information
T1556.006
Multi-Factor Authentication
T1036.001
Invalid Code Signature
T1564.006
Run Virtual Instance
T1553
Subvert Trust Controls
T1548.004
Elevated Execution with Prompt
T1036.003
Rename System Utilities
T1562.011
Spoof Security Alerting
T1027.003
Steganography
T1078.002
Domain Accounts
T1553.004
Install Root Certificate
T1027.004
Compile After Delivery
T1564.007
VBA Stomping
T1656
Impersonation
T1564.003
Hidden Window
T1070.009
Clear Persistence
T1027.006
HTML Smuggling
T1027.010
Command Obfuscation
T1070.004
File Deletion
T1027.002
Software Packing
T1564.005
Hidden File System
T1622
Debugger Evasion
T1036.006
Space after Filename
T1548.006
TCC Manipulation
T1564.001
Hidden Files and Directories
T1480.001
Environmental Keying
T1556
Modify Authentication Process
T1574.004
Dylib Hijacking
T1078.003
Local Accounts
T1211
Exploitation for Defense Evasion

Overview

Attack-macOS is a library of scripts mapped to MITRE ATT&CK. Security teams can use Attack-macOS to execute techniques and discover new detection opportunities in macOS environments.

Problem Challenge Solution
• Limited opensource security tools
• Technique procedures primarily focused on
tier I/II (advanced) Tool Index
• Most commercial tools primarily focused on hardening and MDM
• Insufficient capabilities to evaluate macOS defenses
• Inadequate detection exposes systems to potential risks
• Limited tooling hinders proactive security measures
Build a library of macOS specific attack scripts dedicated to help identify better detection opportunities in macOS specific endpoint security solutions.

Objective

This project aims to simplify the execution of Living Off The Land (LOTL) techniques via standalone, modular, flexible, interaperable, and easy-to-maintain scripts.

Dependencies

All Attack-macOS scripts use native macOS binaries, interpreters, playlists, libraries, tools, and utilities. If third-party tools are installed (brew, slack,jamf), techniques that leverage third-party apps can be executed.

Key Features

Feature Description
Template Includes a YAML template for creating new scripts and dynamically generating scripts.
Modular Design Self-contained scripts that can be used independently or combined, easily integrating with existing frameworks.
Customizable Easily modifiable and extendable, with centralized execution control via global variables and flags.
macOS Native Uses native tools and languages to emulate adversary techniques without external dependencies.
MITRE ATT&CK Mapped All scripts and arguments directly mapped to the MITRE ATT&CK framework.
Logging Consistent built-in logging capability across all scripts for output analysis.
Encoding and Encryption Multiple data encoding options and integrated encryption functions.
Exfiltration Simulates data exfiltration via HTTP or DNS protocols.
Integration Seamlessly integrates with existing security tools, automation pipelines, and CI/CD workflows.

Compatibility

macOS

Quick Start

Install Options:

git clone https://github.com/armadoinc/attack-macos

Fetch and Execute:

TBD

Remote Execution:

TBD

Documentation

License

This project is licensed under the Apache License 2.0. See the LICENSE file for more details.

Credits and References

In short, every macOS focused opensoruce security project, blog post, CTI, Apple Dev Docs, especially the archived docs, and MITRE ATT&CK. -- Full list hhere: --> Acknoledgements

About

A library of MacOS scripts based on threat emulation, community research, CTI, atomic-red-team, and MITRE ATT&CK.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published