Analytics Story: MacOS Post-Exploitation
Description
This analytic story identifies popular macOS post-exploitation tools such as macPEAS, MacShellSwift, EvilOSX and chainbreaker.
Why it matters
These tools allow operators to find possible exploits or privilege-escalation paths based on stored credentials, user permissions, kernel version and distro version.
Detections
| Name | Technique | Type |
|---|---|---|
| MacOS Data Chunking | Data Transfer Size Limits | Anomaly |
| MacOS Gatekeeper Bypass | Gatekeeper Bypass | Anomaly |
| MacOS Log Removal | Indicator Removal | TTP |
| MacOS LoginHook Persistence | Login Hook | TTP |
| MacOS Network Share Discovery | Network Share Discovery | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | osquery:results | osquery |
References
- https://attack.mitre.org/matrices/enterprise/macos/
- https://github.com/UnsaltedHash42/macPEAS
- https://github.com/cedowens/MacShellSwift/tree/master/MacShellSwift
- https://github.com/Marten4n6/EvilOSX
- https://github.com/n0fate/chainbreaker
Source: GitHub | Version: 1