Analytics Story: MacOS Post-Exploitation
Description
This analytic story identifies popular MacOS post-exploitation tools such as MacPEAS, MacShellSwift, EvilOSX, and chainbreaker.
Why it matters
These tools allow operators to find possible exploits or paths for privilege escalation based on stored credentials, user permissions, kernel version, and distro version.
Detections
| Name | Technique | Type |
|---|---|---|
| MacOS Network Share Discovery | Network Share Discovery | Anomaly |
| MacOS Log Removal | Indicator Removal | TTP |
| MacOS Gatekeeper Bypass | Gatekeeper Bypass | Anomaly |
| MacOS Data Chunking | Data Transfer Size Limits | Anomaly |
| MacOS LoginHook Persistence | Login Hook | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | osquery:results | osquery |
References
- https://github.com/cedowens/MacShellSwift/tree/master/MacShellSwift
- https://github.com/Marten4n6/EvilOSX
- https://github.com/n0fate/chainbreaker
- https://github.com/UnsaltedHash42/macPEAS
- https://attack.mitre.org/matrices/enterprise/macos/
Source: GitHub | Version: 2