diff --git a/Mac/Defense_Evasion/Hidden_Files_and_Directories.md b/Mac/Defense_Evasion/Hidden_Files_and_Directories.md new file mode 100644 index 00000000..4242c459 --- /dev/null +++ b/Mac/Defense_Evasion/Hidden_Files_and_Directories.md @@ -0,0 +1,6 @@ +# Hidden Users + +MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158) + + + sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" diff --git a/Mac/README.md b/Mac/README.md index 90308285..c313be90 100644 --- a/Mac/README.md +++ b/Mac/README.md 
@@ -10,7 +10,7 @@ | LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | | [Launch Agent](Persistence/Launch_Agent.md) | Startup Items | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Keychain](Credential_Access/Keychain.md) | [Process Discovery](Discovery/Process_Discovery.md) | SSH Hijacking | Source | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | [Space after Filename](Execution/Space_After_Filename.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | -| Launchctl | Valid Accounts | Hidden Files and Directories | Private Keys | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels | +| Launchctl | Valid Accounts | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) | Private Keys | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels | | [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) | Web Shell | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Securityd Memory | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | [Screen Capture](Collection/Screen_Capture.md) | | Multi-Stage Channels | | Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration 
Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multi-hop Proxy | | [Logon Scripts](Persistence/Logon_Scripts.md) | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication |
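Review bot: The new file Mac/Defense_Evasion/Hidden_Files_and_Directories.md has two problems in its first hunk. The heading `# Hidden Users` does not match the file name or the technique it documents; it looks copied from Hidden_Users.md and should read `# Hidden Files and Directories`. More importantly, the redirection in the only command is wrong: `2>&1 /dev/null` merges stderr into stdout and then hands `/dev/null` to `xattr` as an additional path argument, so permission errors are not suppressed and an extra path is scanned. The intended form is `2>/dev/null`. The `* /` pair is also redundant, since `-r /` already recurses the whole filesystem, and a one-line explanation of what the grep pattern matches (the FinderInfo attribute with the invisible flag set) would make the check usable by someone who did not write it.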
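Review bot: In the Mac/README.md hunk, the added link `[Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories)` omits the `.md` extension that every other link in the table uses (compare `[Hidden Users](Defense_Evasion/Hidden_Users.md)` on the next row), so it will not resolve to the new file on a plain file-based render. It should be `[Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)`.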