Analytics Story: MacOS Post-Exploitation
Description
This analytic story identifies activity typical of popular MacOS post-exploitation tools such as macPEAS, MacShellSwift, EvilOSX and chainbreaker.
Why it matters
These tools let an operator find possible exploits or privilege-escalation paths based on stored credentials, user permissions, kernel version and operating system version.
Detections
| Name | Technique | Type |
|---|---|---|
| MacOS LoginHook Persistence | Login Hook | TTP |
| MacOS Data Chunking | Data Transfer Size Limits | Anomaly |
| MacOS Log Removal | Indicator Removal | TTP |
| MacOS Gatekeeper Bypass | Gatekeeper Bypass | Anomaly |
| MacOS Network Share Discovery | Network Share Discovery | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | osquery:results | osquery |
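The following is an added example, not code from this story or from the Splunk content project: a small Python pass that applies approximations of the five detections listed above to constructed osquery `process_events` result lines of the shape the `osquery:results` sourcetype carries. The sample events, the field names used and the regular expressions are assumptions made for this illustration; the story's actual detection searches are defined on the individual detection pages and may key on different fields.

```python
import json
import re
from typing import Dict, List, Pattern

# Constructed sample lines in the shape of osquery's JSON result log for a
# process_events query: one event per line, command line under columns.cmdline.
# These are made up for the example, not captured telemetry.
SAMPLE_OSQUERY_RESULTS: List[str] = [
    '{"name":"process_events","hostIdentifier":"mac-01","unixTime":1700000000,'
    '"columns":{"pid":"501","path":"/usr/bin/defaults",'
    '"cmdline":"defaults write com.apple.loginwindow LoginHook /Users/Shared/.lh.sh"}}',
    '{"name":"process_events","hostIdentifier":"mac-01","unixTime":1700000010,'
    '"columns":{"pid":"502","path":"/usr/bin/xattr",'
    '"cmdline":"xattr -d com.apple.quarantine /Users/Shared/tool.app"}}',
    '{"name":"process_events","hostIdentifier":"mac-01","unixTime":1700000020,'
    '"columns":{"pid":"503","path":"/usr/bin/smbutil",'
    '"cmdline":"smbutil view //fileserver"}}',
    '{"name":"process_events","hostIdentifier":"mac-01","unixTime":1700000030,'
    '"columns":{"pid":"504","path":"/usr/bin/split",'
    '"cmdline":"split -b 10m /tmp/archive.zip /tmp/part_"}}',
    '{"name":"process_events","hostIdentifier":"mac-01","unixTime":1700000040,'
    '"columns":{"pid":"505","path":"/bin/rm",'
    '"cmdline":"rm -rf /var/log/system.log"}}',
    # Benign admin activity that must not fire.
    '{"name":"process_events","hostIdentifier":"mac-01","unixTime":1700000050,'
    '"columns":{"pid":"506","path":"/usr/bin/defaults",'
    '"cmdline":"defaults read com.apple.dock"}}',
]

# Illustrative matchers for the behaviours named in the Detections table.
# Assumption: these regexes are this example's own approximations, not the
# story's searches, which may use more context (parent process, user, etc.).
RULES: Dict[str, Pattern[str]] = {
    "MacOS LoginHook Persistence":
        re.compile(r"\bdefaults\s+write\b.*\bcom\.apple\.loginwindow\b.*\bLoginHook\b"),
    "MacOS Gatekeeper Bypass":
        re.compile(r"\bxattr\b.*\s-\w*d\w*\s+\S*com\.apple\.quarantine\b"
                   r"|\bspctl\b.*--(master|global)-disable\b"),
    "MacOS Network Share Discovery":
        re.compile(r"\b(smbutil\s+(view|lookup|statshares)|mount_smbfs"
                   r"|showmount\s+-e|mount\s+-t\s+smbfs)\b"),
    "MacOS Data Chunking":
        re.compile(r"\bsplit\b.*\s-b\s+\d+[kKmMgG]?\b"),
    "MacOS Log Removal":
        re.compile(r"\b(rm|unlink|srm)\b.*\s/(private/)?var/log/|\blog\s+erase\b"),
}


def parse_results(lines: List[str]) -> List[dict]:
    """Parse osquery result lines; skip malformed lines and non-process events."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # one broken line is noise, not a reason to drop the batch
        if obj.get("name") != "process_events":
            continue
        cols = obj.get("columns") or {}
        events.append({
            "host": obj.get("hostIdentifier", ""),
            "time": obj.get("unixTime", 0),
            "pid": cols.get("pid", ""),
            "path": cols.get("path", ""),
            "cmdline": cols.get("cmdline", ""),
        })
    return events


def match_event(event: dict) -> List[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def run_detections(lines: List[str]) -> List[dict]:
    """Apply every rule to every parsed event and return one hit per match."""
    hits = []
    for ev in parse_results(lines):
        for name in match_event(ev):
            hits.append({"detection": name, "host": ev["host"], "time": ev["time"],
                         "pid": ev["pid"], "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_OSQUERY_RESULTS):
        print(f'{hit["time"]} {hit["host"]} pid={hit["pid"]} '
              f'{hit["detection"]}: {hit["cmdline"]}')
```

Matching on the command line alone is the cheapest form of these checks and is enough to show the shape of each behaviour; in production the detections typed Anomaly above (Data Chunking, Gatekeeper Bypass, Network Share Discovery) will also fire on legitimate administrator use of `split`, `xattr` and `smbutil`, so they need a baseline and tuning by user or host before they are treated as alerts.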
References
- https://github.com/cedowens/MacShellSwift/tree/master/MacShellSwift
- https://github.com/Marten4n6/EvilOSX
- https://github.com/n0fate/chainbreaker
- https://github.com/UnsaltedHash42/macPEAS
- https://attack.mitre.org/matrices/enterprise/macos/
Source: GitHub | Version: 2