TACTICS, TECHNIQUES AND PROCEDURES (TTP)
MITRE ATT&CK®
macOS Pen Test
Persistence – macOS
1. Account Manipulation.
2. Boot or Logon Autostart Execution.
3. Boot Initialisation Scripts.
4. Browser Extensions.
5. Compromise Client Software Binary.
6. Create Account.
7. Create or Modify System Process.
8. Event Triggered Execution.
9. Hijack Execution Flow.
10. Scheduled Task/Jobs.
11. Server Software Component.
12. Traffic Signalling.
13. Valid Accounts.
Privilege Escalation – macOS
1. Abuse Elevation Control Mechanism.
2. Logon Autostart Execution.
3. Logon Initialisation Scripts.
4. Create or Modify System Process.
5. Event Triggered Execution.
6. Exploitation for Privilege Escalation.
7. Hijack Execution Flow.
8. Process Injection.
9. Scheduled Cronjobs.
10. Valid Accounts.
Defence Evasion – macOS
1. Abuse Elevation Control Mechanism.
2. De-obfuscate or Decode Files or Information.
3. Execution Guardrails.
4. Exploitation for Defense Evasion.
5. File and Directory Permissions Modification.
6. Hide Artifacts.
7. Hijack Execution Flow.
8. Impair Defenses.
9. Indicator Removal on Host.
10. Masquerading.
11. Modify Authentication Process.
12. Obfuscated Files or Information.
13. Process Injection.
14. Rootkits.
15. Subvert Trust Controls.
16. Traffic Signalling.
17. Valid Accounts.
18. Virtualisation or Sandbox Evasion.
Credential Access – macOS
1. Brute Force.
2. Credentials from Password Stores.
3. Exploitation for Credential Access.
4. Input Capture.
5. Man-in-the-Middle (MiTM) Attacks.
6. Modify Authentication Process.
7. Network Sniffing.
8. OS Credential Dumping.
9. Steal Web Session Cookie.
10. 2FA Interception.
11. Insecure Credentials.
Discovery – macOS
1. Account Discovery.
2. Application Window Discovery.
3. Browser Bookmark Discovery.
4. File and Directory Discovery.
5. Network Service Scanning.
6. Network Share Discovery.
7. Network Sniffing.
8. Password Policy Discovery.
9. Peripheral Device Discovery.
10. Permission Groups Discovery.
11. Process Discovery.
12. Remote System Discovery.
13. Software Discovery.
14. System Information Discovery.
15. System Network Configuration Discovery.
16. System Network Connections Discovery.
17. System Owner/User Discovery.
18. Virtualisation or Sandbox Evasion.
Collection – macOS
1. Archive Collected Data.
2. Audio Capture.
3. Automated Collection.
4. Clipboard Data.
5. Data from Information Repositories.
6. Data from Local System.
7. Data from Network Shared Drive.
8. Data from Removable Media.
9. Data Staged.
10. Input Capture.
11. Man-in-the-Middle (MiTM) Attacks.
12. Screen Capture.
13. Video Capture.
Command and Control – macOS
1. Application Layer Protocol.
2. Communication Through Removable Media.
3. Data Encoding.
4. Data Obfuscation.
5. Dynamic Resolution.
6. Encrypted Channel.
7. Fallback Channels.
8. Ingress Tool Transfer.
9. Multi-Stage Channels.
10. Non-Application Layer Protocols.
11. Non-Standard Ports.
12. Protocol Tunnelling.
13. Proxy.
14. Remote Access Software.
15. Traffic Signalling.
16. Web Services.
Impact – macOS
1. Account Access Removal.
2. Data Destruction.
3. Data Encrypted for Impact.
4. Data Manipulation.
5. Defacement.
6. Disk Wipe.
7. Endpoint Denial of Service.
8. Firmware Corruption.
9. Inhibit System Recovery.
10. Network Denial of Service.
11. Resource Hijacking.
12. System Shutdown/Reboot.