Analytics Story: MacOS Post-Exploitation
Description
This analytic story identifies popular MacOS post-exploitation tools such as MacPEAS, MacShellSwift, EvilOSX, chainbreaker, and similar utilities.
Why it matters
These tools allow operators to find possible exploits or paths for privilege escalation based on stored credentials, user permissions, kernel version, and distribution version.
Detections
| Name | Technique | Type |
|---|---|---|
| MacOS Data Chunking | Data Transfer Size Limits | Anomaly |
| MacOS Network Share Discovery | Network Share Discovery | Anomaly |
| MacOS Gatekeeper Bypass | Gatekeeper Bypass | Anomaly |
| MacOS Log Removal | Indicator Removal | TTP |
| MacOS LoginHook Persistence | Login Hook | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | osquery:results | osquery |
References
- https://github.com/cedowens/MacShellSwift/tree/master/MacShellSwift
- https://github.com/Marten4n6/EvilOSX
- https://github.com/n0fate/chainbreaker
- https://github.com/UnsaltedHash42/macPEAS
- https://attack.mitre.org/matrices/enterprise/macos/
Source: GitHub | Version: 2