Skip to content

Latest commit

 

History

History
379 lines (367 loc) · 22.8 KB

macos-index.md

File metadata and controls

379 lines (367 loc) · 22.8 KB

macOS Atomic Tests by ATT&CK Tactic & Technique

persistence

impact

discovery

execution

lateral-movement

collection

exfiltration

  • T1020 Automated Exfiltration CONTRIBUTE A TEST
  • T1002 Data Compressed
    • Atomic Test #3: Data Compressed - nix - zip [linux, macos]
    • Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
    • Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
  • T1022 Data Encrypted
    • Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
  • T1030 Data Transfer Size Limits
    • Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
  • T1048 Exfiltration Over Alternative Protocol
    • Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
    • Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
    • Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, centos, ubuntu, linux]
  • T1041 Exfiltration Over Command and Control Channel CONTRIBUTE A TEST
  • T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
  • T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
  • T1029 Scheduled Transfer CONTRIBUTE A TEST

credential-access

defense-evasion

  • T1009 Binary Padding
    • Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
  • T1146 Clear Command History
    • Atomic Test #1: Clear Bash history (rm) [linux, macos]
    • Atomic Test #2: Clear Bash history (echo) [linux, macos]
    • Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
    • Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
    • Atomic Test #6: Clear history of a bunch of shells [linux, macos]
  • T1116 Code Signing CONTRIBUTE A TEST
  • T1500 Compile After Delivery CONTRIBUTE A TEST
  • T1090 Connection Proxy
    • Atomic Test #1: Connection Proxy [macos, linux]
  • T1089 Disabling Security Tools
    • Atomic Test #5: Disable Carbon Black Response [macos]
    • Atomic Test #6: Disable LittleSnitch [macos]
    • Atomic Test #7: Disable OpenDNS Umbrella [macos]
  • T1480 Execution Guardrails CONTRIBUTE A TEST
  • T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
  • T1107 File Deletion
    • Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
    • Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
  • T1222 File and Directory Permissions Modification
    • Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
    • Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
    • Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
    • Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
    • Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
    • Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
    • Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
    • Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
    • Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
  • T1144 Gatekeeper Bypass
    • Atomic Test #1: Gatekeeper Bypass [macos]
  • T1148 HISTCONTROL
    • Atomic Test #1: Disable history collection [linux, macos]
    • Atomic Test #2: Mac HISTCONTROL [macos, linux]
  • T1158 Hidden Files and Directories
    • Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
    • Atomic Test #2: Mac Hidden file [macos]
    • Atomic Test #3: Hidden file [macos, linux]
    • Atomic Test #6: Hidden files [macos]
    • Atomic Test #7: Hide a Directory [macos]
    • Atomic Test #8: Show all hidden files [macos]
    • Atomic Test #9: Create Visible Directories [macos, linux]
    • Atomic Test #10: Create hidden directories and files [macos, linux]
  • T1147 Hidden Users
    • Atomic Test #1: Hidden Users [macos]
  • T1143 Hidden Window CONTRIBUTE A TEST
  • T1066 Indicator Removal from Tools CONTRIBUTE A TEST
  • T1070 Indicator Removal on Host
    • Atomic Test #3: rm -rf [macos, linux]
  • T1130 Install Root Certificate
  • T1149 LC_MAIN Hijacking CONTRIBUTE A TEST
  • T1152 Launchctl
    • Atomic Test #1: Launchctl [macos]
  • T1036 Masquerading
  • T1027 Obfuscated Files or Information
    • Atomic Test #1: Decode base64 Data into Script [macos, linux]
  • T1150 Plist Modification
    • Atomic Test #1: Plist Modification [macos]
  • T1205 Port Knocking CONTRIBUTE A TEST
  • T1055 Process Injection
  • T1108 Redundant Access CONTRIBUTE A TEST
  • T1014 Rootkit
  • T1064 Scripting
    • Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
  • T1045 Software Packing CONTRIBUTE A TEST
  • T1151 Space after Filename
    • Atomic Test #1: Space After Filename [macos]
  • T1099 Timestomp
    • Atomic Test #1: Set a file's access timestamp [linux, macos]
    • Atomic Test #2: Set a file's modification timestamp [linux, macos]
    • Atomic Test #3: Set a file's creation timestamp [linux, macos]
    • Atomic Test #4: Modify file timestamps using reference file [linux, macos]
  • T1078 Valid Accounts CONTRIBUTE A TEST
  • T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
  • T1102 Web Service CONTRIBUTE A TEST

command-and-control

initial-access

privilege-escalation