| Row | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 1 | Decode Eicar File and Write to File | 7693ccaa-8d64-4043-92a5-a2eb70359535 | powershell |
| 3 | stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 2 | Decrypt Eicar File and Write to File | b404caaa-12ce-43c7-9214-62a531c044f7 | powershell |
| 4 | stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 3 | Password-Protected ZIP Payload Extraction and Execution | c2ca068a-eb1e-498f-9f93-3d554c455916 | bash |
| 5 | stealth | T1036.005 | Masquerading: Match Legitimate Name or Location | 1 | Execute a process from a directory masquerading as the current parent directory | 812c3ab8-94b0-4698-a9bf-9420af23ce24 | sh |
| 6 | stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 4 | Detect Virtualization Environment via ioreg | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 7 | stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 6 | Detect Virtualization Environment using sysctl (hw.model) | 6beae646-eb4c-4730-95be-691a4094408c | sh |
| 8 | stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 7 | Check if System Integrity Protection is enabled | 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 | sh |
| 9 | stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 8 | Detect Virtualization Environment using system_profiler | e04d2e89-de15-4d90-92f9-a335c7337f0f | sh |
| 10 | stealth | T1070.003 | Indicator Removal on Host: Clear Command History | 1 | Clear Bash history (rm) | a934276e-2be5-4a36-93fd-98adbb5bd4fc | sh |
| 11 | stealth | T1070.003 | Indicator Removal on Host: Clear Command History | 3 | Clear Bash history (cat dev/null) | b1251c35-dcd3-4ea1-86da-36d27b54f31f | sh |
| 12 | stealth | T1070.003 | Indicator Removal on Host: Clear Command History | 4 | Clear Bash history (ln dev/null) | 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 | sh |
| 13 | stealth | T1070.003 | Indicator Removal on Host: Clear Command History | 6 | Clear history of a bunch of shells | 7e6721df-5f08-4370-9255-f06d8a77af4c | sh |
| 14 | stealth | T1070.003 | Indicator Removal on Host: Clear Command History | 7 | Clear and Disable Bash History Logging | 784e4011-bd1a-4ecd-a63a-8feb278512e6 | bash |
| 15 | stealth | T1070.003 | Indicator Removal on Host: Clear Command History | 8 | Use Space Before Command to Avoid Logging to History | 53b03a54-4529-4992-852d-a00b4b7215a6 | sh |
| 16 | stealth | T1140 | Deobfuscate/Decode Files or Information | 3 | Base64 decoding with Python | 356dc0e8-684f-4428-bb94-9313998ad608 | sh |
| 17 | stealth | T1140 | Deobfuscate/Decode Files or Information | 4 | Base64 decoding with Perl | 6604d964-b9f6-4d4b-8ce8-499829a14d0a | sh |
| 18 | stealth | T1140 | Deobfuscate/Decode Files or Information | 5 | Base64 decoding with shell utilities | b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e | sh |
| 19 | stealth | T1140 | Deobfuscate/Decode Files or Information | 8 | Hex decoding with shell utilities | 005943f9-8dd5-4349-8b46-0313c0a9f973 | sh |
| 20 | stealth | T1140 | Deobfuscate/Decode Files or Information | 9 | Linux Base64 Encoded Shebang in CLI | 3a15c372-67c1-4430-ac8e-ec06d641ce4d | sh |
| 21 | stealth | T1140 | Deobfuscate/Decode Files or Information | 10 | XOR decoding and command execution using Python | c3b65cd5-ee51-4e98-b6a3-6cbdec138efc | bash |
| 22 | stealth | T1070.008 | Email Collection: Mailbox Manipulation | 3 | Copy and Delete Mailbox Data on macOS | 3824130e-a6e4-4528-8091-3a52eeb540f6 | bash |
| 23 | stealth | T1070.008 | Email Collection: Mailbox Manipulation | 6 | Copy and Modify Mailbox Data on macOS | 8a0b1579-5a36-483a-9cde-0236983e1665 | bash |
| 24 | stealth | T1070.006 | Indicator Removal on Host: Timestomp | 1 | Set a file's access timestamp | 5f9113d5-ed75-47ed-ba23-ea3573d05810 | sh |
| 25 | stealth | T1070.006 | Indicator Removal on Host: Timestomp | 2 | Set a file's modification timestamp | 20ef1523-8758-4898-b5a2-d026cc3d2c52 | sh |
| 26 | stealth | T1070.006 | Indicator Removal on Host: Timestomp | 3 | Set a file's creation timestamp | 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b | sh |
| 27 | stealth | T1070.006 | Indicator Removal on Host: Timestomp | 4 | Modify file timestamps using reference file | 631ea661-d661-44b0-abdb-7a7f3fc08e50 | sh |
| 28 | stealth | T1070.006 | Indicator Removal on Host: Timestomp | 9 | MacOS - Timestomp Date Modified | 87fffff4-d371-4057-a539-e3b24c37e564 | sh |
| 29 | stealth | T1497.003 | Time Based Evasion | 1 | Delay execution with ping | 8b87dd03-8204-478c-bac3-3959f6528de3 | sh |
| 30 | stealth | T1027.001 | Obfuscated Files or Information: Binary Padding | 1 | Pad Binary to Change Hash - Linux/macOS dd | ffe2346c-abd5-4b45-a713-bf5f1ebd573a | sh |
| 31 | stealth | T1027.001 | Obfuscated Files or Information: Binary Padding | 2 | Pad Binary to Change Hash using truncate command - Linux/macOS | e22a9e89-69c7-410f-a473-e6c212cd2292 | sh |
| 32 | stealth | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 33 | stealth | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 34 | stealth | T1564.002 | Hide Artifacts: Hidden Users | 1 | Create Hidden User using UniqueID < 500 | 4238a7f0-a980-4fff-98a2-dfc0a363d507 | sh |
| 35 | stealth | T1564.002 | Hide Artifacts: Hidden Users | 2 | Create Hidden User using IsHidden option | de87ed7b-52c3-43fd-9554-730f695e7f31 | sh |
| 36 | stealth | T1027 | Obfuscated Files or Information | 1 | Decode base64 Data into Script | f45df6be-2e1e-4136-a384-8f18ab3826fb | sh |
| 37 | stealth | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 3 | C compile | d0377aa6-850a-42b2-95f0-de558d80be57 | sh |
| 38 | stealth | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 4 | CC compile | da97bb11-d6d0-4fc1-b445-e443d1346efe | sh |
| 39 | stealth | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 5 | Go compile | 78bd3fa7-773c-449e-a978-dc1f1500bc52 | sh |
| 40 | stealth | T1070.004 | Indicator Removal on Host: File Deletion | 1 | Delete a single file - FreeBSD/Linux/macOS | 562d737f-2fc6-4b09-8c2a-7f8ff0828480 | sh |
| 41 | stealth | T1070.004 | Indicator Removal on Host: File Deletion | 2 | Delete an entire folder - FreeBSD/Linux/macOS | a415f17e-ce8d-4ce2-a8b4-83b674e7017e | sh |
| 42 | stealth | T1027.002 | Obfuscated Files or Information: Software Packing | 3 | Binary simply packed by UPX | b16ef901-00bb-4dda-b4fc-a04db5067e20 | sh |
| 43 | stealth | T1027.002 | Obfuscated Files or Information: Software Packing | 4 | Binary packed by UPX, with modified headers | 4d46e16b-5765-4046-9f25-a600d3e65e4d | sh |
| 44 | stealth | T1036.006 | Masquerading: Space after Filename | 1 | Space After Filename (Manual) | 89a7dd26-e510-4c9f-9b15-f3bae333360f | manual |
| 45 | stealth | T1036.006 | Masquerading: Space after Filename | 2 | Space After Filename | b95ce2eb-a093-4cd8-938d-5258cef656ea | sh |
| 46 | stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories | 1 | Create a hidden file in a hidden directory | 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be | sh |
| 47 | stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories | 2 | Mac Hidden file | cddb9098-3b47-4e01-9d3b-6f5f323288a9 | sh |
| 48 | stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories | 5 | Hidden files | 3b7015f2-3144-4205-b799-b05580621379 | sh |
| 49 | stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories | 6 | Hide a Directory | b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 | sh |
| 50 | stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories | 7 | Show all hidden files | 9a1ec7da-b892-449f-ad68-67066d04380c | sh |
| 51 | stealth | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 52 | stealth | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 53 | stealth | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 54 | stealth | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 55 | persistence | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 56 | persistence | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 57 | persistence | T1176 | Browser Extensions | 1 | Chrome/Chromium (Developer Mode) | 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 | manual |
| 58 | persistence | T1176 | Browser Extensions | 2 | Firefox | cb790029-17e6-4c43-b96f-002ce5f10938 | manual |
| 59 | persistence | T1176 | Browser Extensions | 3 | Edge Chromium Addon - VPN | 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 | manual |
| 60 | persistence | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 61 | persistence | T1543.004 | Create or Modify System Process: Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 62 | persistence | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 63 | persistence | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 64 | persistence | T1546.005 | Event Triggered Execution: Trap | 3 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| 65 | persistence | T1136.001 | Create Account: Local Account | 3 | Create a user account on a MacOS system | 01993ba5-1da3-4e15-a719-b690d4f0f0b2 | bash |
| 66 | persistence | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | sh |
| 67 | persistence | T1547.015 | Boot or Logon Autostart Execution: Login Items | 2 | Add macOS LoginItem using Applescript | 716e756a-607b-41f3-8204-b214baf37c1d | bash |
| 68 | persistence | T1546.014 | Event Triggered Execution: Emond | 1 | Persistence with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 69 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 2 | MacOS - Load Kernel Module via kextload and kmutil | f4391089-d3a5-4dd1-ab22-0419527f2672 | bash |
| 70 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 3 | MacOS - Load Kernel Module via KextManagerLoadKextWithURL() | f0007753-beb3-41ea-9948-760785e4c1e5 | bash |
| 71 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 72 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 73 | persistence | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 74 | persistence | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 2 | Add launch script to launch daemon | fc369906-90c7-4a15-86fd-d37da624dde6 | bash |
| 75 | persistence | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 3 | Add launch script to launch agent | 10cf5bec-49dd-4ebf-8077-8f47e420096f | bash |
| 76 | persistence | T1546.018 | Event Triggered Execution: Python Startup Hooks | 4 | Python Startup Hook - atomic_hook.pth (macOS) | 28ca4f81-fa96-47ff-8555-dde98017e89b | sh |
| 77 | persistence | T1546.018 | Event Triggered Execution: Python Startup Hooks | 5 | Python Startup Hook - usercustomize.py (Linux / MacOS) | 6e78084a-a433-4702-a838-cc7b765d87e8 | sh |
| 78 | persistence | T1543.001 | Create or Modify System Process: Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 79 | persistence | T1543.001 | Create or Modify System Process: Launch Agent | 2 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 80 | persistence | T1543.001 | Create or Modify System Process: Launch Agent | 3 | Launch Agent - Root Directory | 66774fa8-c562-4bae-a58d-5264a0dd9dd7 | bash |
| 81 | persistence | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 82 | persistence | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 1 | Copy in loginwindow.plist for Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | sh |
| 83 | persistence | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 2 | Re-Opened Applications using LoginHook | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 84 | persistence | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 3 | Append to existing loginwindow for Re-Opened Applications | 766b6c3c-9353-4033-8b7e-38b309fa3a93 | sh |
| 85 | persistence | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 86 | persistence | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 87 | persistence | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 88 | persistence | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 89 | command-and-control | T1132.001 | Data Encoding: Standard Encoding | 1 | Base64 Encoded data. | 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 | sh |
| 90 | command-and-control | T1659 | Content Injection | 1 | MITM Proxy Injection | 9b360eaf-c778-4f07-a6e7-895c4f01ac1c | bash |
| 91 | command-and-control | T1572 | Protocol Tunneling | 5 | Microsoft Dev tunnels (Linux/macOS) | 9f94a112-1ce2-464d-a63b-83c1f465f801 | bash |
| 92 | command-and-control | T1572 | Protocol Tunneling | 6 | VSCode tunnels (Linux/macOS) | b877943f-0377-44f4-8477-f79db7f07c4d | sh |
| 93 | command-and-control | T1572 | Protocol Tunneling | 7 | Cloudflare tunnels (Linux/macOS) | 228c336a-2f79-4043-8aef-bfa453a611d5 | sh |
| 94 | command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 4 | Tor Proxy Usage - MacOS | 12631354-fdbc-4164-92be-402527e748da | sh |
| 95 | command-and-control | T1571 | Non-Standard Port | 2 | Testing usage of uncommonly used port | 5db21e1d-dd9c-4a50-b885-b1e748912767 | sh |
| 96 | command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 3 | Malicious User Agents - Nix | 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 | sh |
| 97 | command-and-control | T1105 | Ingress Tool Transfer | 1 | rsync remote file copy (push) | 0fc6e977-cb12-44f6-b263-2824ba917409 | sh |
| 98 | command-and-control | T1105 | Ingress Tool Transfer | 2 | rsync remote file copy (pull) | 3180f7d5-52c0-4493-9ea0-e3431a84773f | sh |
| 99 | command-and-control | T1105 | Ingress Tool Transfer | 3 | scp remote file copy (push) | 83a49600-222b-4866-80a0-37736ad29344 | sh |
| 100 | command-and-control | T1105 | Ingress Tool Transfer | 4 | scp remote file copy (pull) | b9d22b9a-9778-4426-abf0-568ea64e9c33 | sh |
| 101 | command-and-control | T1105 | Ingress Tool Transfer | 5 | sftp remote file copy (push) | f564c297-7978-4aa9-b37a-d90477feea4e | bash |
| 102 | command-and-control | T1105 | Ingress Tool Transfer | 6 | sftp remote file copy (pull) | 0139dba1-f391-405e-a4f5-f3989f2c88ef | sh |
| 103 | command-and-control | T1105 | Ingress Tool Transfer | 14 | whois file download | c99a829f-0bb8-4187-b2c6-d47d1df74cab | sh |
| 104 | command-and-control | T1105 | Ingress Tool Transfer | 31 | File download via nscurl | 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c | sh |
| 105 | command-and-control | T1090.001 | Proxy: Internal Proxy | 1 | Connection Proxy | 0ac21132-4485-4212-a681-349e8a6637cd | sh |
| 106 | command-and-control | T1090.001 | Proxy: Internal Proxy | 2 | Connection Proxy for macOS UI | 648d68c1-8bcd-4486-9abe-71c6655b6a2c | sh |
| 107 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 5 | Data Compressed - nix - zip | c51cec55-28dd-4ad2-9461-1eacbc82c3a0 | bash |
| 108 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 6 | Data Compressed - nix - gzip Single File | cde3c2af-3485-49eb-9c1f-0ed60e9cc0af | sh |
| 109 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 7 | Data Compressed - nix - tar Folder or File | 7af2b51e-ad1c-498c-aca8-d3290c19535a | sh |
| 110 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 8 | Data Encrypted with zip and gpg symmetric | 0286eb44-e7ce-41a0-b109-3da516e05a5f | sh |
| 111 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 9 | Encrypts collected data with AES-256 and Base64 | a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 | bash |
| 112 | collection | T1113 | Screen Capture | 1 | Screencapture | 0f47ceb1-720f-4275-96b8-21f0562217ac | bash |
| 113 | collection | T1113 | Screen Capture | 2 | Screencapture (silent) | deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 | bash |
| 114 | collection | T1056.001 | Input Capture: Keylogging | 8 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| 115 | collection | T1123 | Audio Capture | 3 | using Quicktime Player | c7a0bb71-70ce-4a53-b115-881f241b795b | sh |
| 116 | collection | T1074.001 | Data Staged: Local Data Staging | 2 | Stage data from Discovery.sh | 39ce0303-ae16-4b9e-bb5b-4f53e8262066 | sh |
| 117 | collection | T1115 | Clipboard Data | 3 | Execute commands from clipboard | 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff | bash |
| 118 | collection | T1005 | Data from Local System | 3 | Copy Apple Notes database files using AppleScript | cfb6d400-a269-4c06-a347-6d88d584d5f7 | sh |
| 119 | collection | T1056.002 | Input Capture: GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 120 | collection | T1056.002 | Input Capture: GUI Input Capture | 3 | AppleScript - Spoofing a credential prompt using osascript | b7037b89-947a-427a-ba29-e7e9f09bc045 | bash |
| 121 | lateral-movement | T1021.005 | Remote Services: VNC | 1 | Enable Apple Remote Desktop Agent | 8a930abe-841c-4d4f-a877-72e9fe90b9ea | sh |
| 122 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 1 | chmod - Change file or folder mode (numeric mode) | 34ca1464-de9d-40c6-8c77-690adf36a135 | sh |
| 123 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 2 | chmod - Change file or folder mode (symbolic mode) | fc9d6695-d022-4a80-91b1-381f5c35aff3 | sh |
| 124 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 3 | chmod - Change file or folder mode (numeric mode) recursively | ea79f937-4a4d-4348-ace6-9916aec453a4 | sh |
| 125 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 4 | chmod - Change file or folder mode (symbolic mode) recursively | 0451125c-b5f6-488f-993b-5a32b09f7d8f | bash |
| 126 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 5 | chown - Change file or folder ownership and group | d169e71b-85f9-44ec-8343-27093ff3dfc0 | bash |
| 127 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 6 | chown - Change file or folder ownership and group recursively | b78598be-ff39-448f-a463-adbf2a5b7848 | bash |
| 128 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 7 | chown - Change file or folder mode ownership only | 967ba79d-f184-4e0e-8d09-6362b3162e99 | sh |
| 129 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 8 | chown - Change file or folder ownership recursively | 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 | bash |
| 130 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 9 | chattr - Remove immutable file attribute | e7469fe2-ad41-4382-8965-99b94dd3c13f | sh |
| 131 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 11 | Chmod through c script | 973631cf-6680-4ffa-a053-045e1b6b67ab | sh |
| 132 | defense-impairment | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 13 | Chown through c script | 18592ba1-5f88-4e3c-abc8-ab1c6042e389 | sh |
| 133 | defense-impairment | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | 1 | Gatekeeper Bypass | fb3d46c6-9480-4803-8d7d-ce676e1f1a9b | sh |
| 134 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 1 | rm -rf | 989cc1b1-3642-4260-a809-54f9dd559683 | sh |
| 135 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 3 | Delete log files using built-in log utility | 653d39cd-bae7-499a-898c-9fb96b8b5cd1 | sh |
| 136 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 4 | Truncate system log files via truncate utility | 6290f8a8-8ee9-4661-b9cf-390031bf6973 | sh |
| 137 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 6 | Delete log files via cat utility by appending /dev/null or /dev/zero | c23bdb88-928d-493e-b46d-df2906a50941 | sh |
| 138 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 8 | System log file deletion via find utility | bc8eeb4a-cc3e-45ec-aa6e-41e973da2558 | sh |
| 139 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 9 | Overwrite macOS system log via echo utility | 0208ea60-98f1-4e8c-8052-930dce8f742c | sh |
| 140 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 11 | Real-time system log clearance/deletion | 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c | sh |
| 141 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 12 | Delete system log files via unlink utility | 03013b4b-01db-437d-909b-1fdaa5010ee8 | sh |
| 142 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 14 | Delete system log files using shred utility | 86f0e4d5-3ca7-45fb-829d-4eda32b232bb | sh |
| 143 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 15 | Delete system log files using srm utility | b0768a5e-0f32-4e75-ae5b-d036edcf96b6 | sh |
| 144 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 16 | Delete system log files using OSAScript | 810a465f-cd4f-47bc-b43e-d2de3b033ecc | sh |
| 145 | defense-impairment | T1685.006 | Disable or Modify Tools: Clear Linux or Mac System Logs | 17 | Delete system log files using Applescript | e62f8694-cbc7-468f-862c-b10cd07e1757 | sh |
| 146 | defense-impairment | T1647 | Plist File Modification | 1 | Plist Modification | 394a538e-09bb-4a4a-95d1-b93cf12682a8 | manual |
| 147 | defense-impairment | T1690 | Prevent Command History Logging | 1 | Disable history collection | 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 | sh |
| 148 | defense-impairment | T1690 | Prevent Command History Logging | 3 | Mac HISTCONTROL | 468566d5-83e5-40c1-b338-511e1659628d | manual |
| 149 | defense-impairment | T1685 | Disable or Modify Tools | 9 | Disable Carbon Black Response | 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c | sh |
| 150 | defense-impairment | T1685 | Disable or Modify Tools | 10 | Disable LittleSnitch | 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 | sh |
| 151 | defense-impairment | T1685 | Disable or Modify Tools | 11 | Disable OpenDNS Umbrella | 07f43b33-1e15-4e99-be70-bc094157c849 | sh |
| 152 | defense-impairment | T1685 | Disable or Modify Tools | 12 | Disable macOS Gatekeeper | 2a821573-fb3f-4e71-92c3-daac7432f053 | sh |
| 153 | defense-impairment | T1685 | Disable or Modify Tools | 13 | Stop and unload Crowdstrike Falcon on macOS | b3e7510c-2d4c-4249-a33f-591a2bc83eef | sh |
| 154 | defense-impairment | T1685 | Disable or Modify Tools | 50 | Tamper with Defender ATP on Linux/MacOS | 40074085-dbc8-492b-90a3-11bcfc52fda8 | sh |
| 155 | defense-impairment | T1553.004 | Subvert Trust Controls: Install Root Certificate | 4 | Install root CA on macOS | cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 | sh |
| 156 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 157 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 3 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 158 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 5 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 159 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 160 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 161 | privilege-escalation | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 162 | privilege-escalation | T1543.004 | Create or Modify System Process: Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 163 | privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 164 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 165 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 3 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| 166 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 167 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 3 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 168 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 5 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 169 | privilege-escalation | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | sh |
| 170 | privilege-escalation | T1547.015 | Boot or Logon Autostart Execution: Login Items | 2 | Add macOS LoginItem using Applescript | 716e756a-607b-41f3-8204-b214baf37c1d | bash |
| 171 | privilege-escalation | T1546.014 | Event Triggered Execution: Emond | 1 | Persistence with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 172 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 2 | MacOS - Load Kernel Module via kextload and kmutil | f4391089-d3a5-4dd1-ab22-0419527f2672 | bash |
| 173 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 3 | MacOS - Load Kernel Module via KextManagerLoadKextWithURL() | f0007753-beb3-41ea-9948-760785e4c1e5 | bash |
| 174 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 175 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 176 | privilege-escalation | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 177 | privilege-escalation | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 2 | Add launch script to launch daemon | fc369906-90c7-4a15-86fd-d37da624dde6 | bash |
| 178 | privilege-escalation | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 3 | Add launch script to launch agent | 10cf5bec-49dd-4ebf-8077-8f47e420096f | bash |
| 179 | privilege-escalation | T1546.018 | Event Triggered Execution: Python Startup Hooks | 4 | Python Startup Hook - atomic_hook.pth (macOS) | 28ca4f81-fa96-47ff-8555-dde98017e89b | sh |
| 180 | privilege-escalation | T1546.018 | Event Triggered Execution: Python Startup Hooks | 5 | Python Startup Hook - usercustomize.py (Linux / MacOS) | 6e78084a-a433-4702-a838-cc7b765d87e8 | sh |
| 181 | privilege-escalation | T1543.001 | Create or Modify System Process: Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 182 | privilege-escalation | T1543.001 | Create or Modify System Process: Launch Agent | 2 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 183 | privilege-escalation | T1543.001 | Create or Modify System Process: Launch Agent | 3 | Launch Agent - Root Directory | 66774fa8-c562-4bae-a58d-5264a0dd9dd7 | bash |
| 184 | privilege-escalation | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 185 | privilege-escalation | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 1 | Copy in loginwindow.plist for Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | sh |
| 186 | privilege-escalation | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 2 | Re-Opened Applications using LoginHook | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 187 | privilege-escalation | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 3 | Append to existing loginwindow for Re-Opened Applications | 766b6c3c-9353-4033-8b7e-38b309fa3a93 | sh |
| 188 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 189 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 190 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 191 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 192 | credential-access | T1056.001 | Input Capture: Keylogging | 8 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| 193 | credential-access | T1539 | Steal Web Session Cookie | 3 | Steal Chrome Cookies via Remote Debugging (Mac) | e43cfdaf-3fb8-4a45-8de0-7eee8741d072 | bash |
| 194 | credential-access | T1539 | Steal Web Session Cookie | 5 | Copy Safari BinaryCookies files using AppleScript | e57ba07b-3a33-40cd-a892-748273b9b49a | sh |
| 195 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 1 | Keychain Dump | 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6 | sh |
| 196 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 2 | Export Certificate Item(s) | 1864fdec-ff86-4452-8c30-f12507582a93 | sh |
| 197 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 3 | Import Certificate Item(s) into Keychain | e544bbcb-c4e0-4bd0-b614-b92131635f59 | sh |
| 198 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 4 | Copy Keychain using cat utility | 5c32102a-c508-49d3-978f-288f8a9f6617 | sh |
| 199 | credential-access | T1040 | Network Sniffing | 3 | Packet Capture macOS using tcpdump or tshark | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 200 | credential-access | T1040 | Network Sniffing | 8 | Packet Capture macOS using /dev/bpfN with sudo | e6fe5095-545d-4c8b-a0ae-e863914be3aa | bash |
| 201 | credential-access | T1040 | Network Sniffing | 9 | Filtered Packet Capture macOS using /dev/bpfN with sudo | e2480aee-23f3-4f34-80ce-de221e27cd19 | bash |
| 202 | credential-access | T1552 | Unsecured Credentials | 1 | AWS - Retrieve EC2 Password Data using stratus | a21118de-b11e-4ebd-b655-42f11142df0c | sh |
| 203 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 2 | Search macOS Safari Cookies | c1402f7b-67ca-43a8-b5f3-3143abedc01b | sh |
| 204 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 14 | Simulating Access to Chrome Login Data - MacOS | 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 | sh |
| 205 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 2 | Discover Private SSH Keys | 46959285-906d-40fa-9437-5a439accd878 | sh |
| 206 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 5 | Copy Private SSH Keys with rsync | 864bb0b2-6bb5-489a-b43b-a77b3a16d68a | sh |
| 207 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 7 | Copy the users GnuPG directory with rsync | 2a5a0601-f5fb-4e2e-aa09-73282ae6afca | sh |
| 208 | credential-access | T1552.003 | Unsecured Credentials: Bash History | 1 | Search Through Bash History | 3cfde62b-7c33-4b26-a61e-755d6131c8ce | sh |
| 209 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 1 | Find AWS credentials | 37807632-d3da-442e-8c2e-00f44928ff8f | sh |
| 210 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 2 | Extract Browser and System credentials with LaZagne | 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 | bash |
| 211 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 3 | Extract passwords with grep | bd4cf0d1-7646-474e-8610-78ccf5a097c4 | sh |
| 212 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 6 | Find and Access Github Credentials | da4f751a-020b-40d7-b9ff-d433b7799803 | bash |
| 213 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 15 | Find Azure credentials | a8f6148d-478a-4f43-bc62-5efee9f931a4 | sh |
| 214 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 16 | Find GCP credentials | aa12eb29-2dbb-414e-8b20-33d34af93543 | sh |
| 215 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 17 | Find OCI credentials | 9d9c22c9-fa97-4008-a204-478cf68c40af | sh |
| 216 | credential-access | T1056.002 | Input Capture: GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 217 | credential-access | T1056.002 | Input Capture: GUI Input Capture | 3 | AppleScript - Spoofing a credential prompt using osascript | b7037b89-947a-427a-ba29-e7e9f09bc045 | bash |
| 218 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 2 | SSH Credential Stuffing From MacOS | d546a3d9-0be5-40c7-ad82-5a7d79e1b66b | bash |
| 219 | discovery | T1033 | System Owner/User Discovery | 2 | System Owner/User Discovery | 2a9b677d-a230-44f4-ad86-782df1ef108c | sh |
| 220 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 2 | Check internet connection using ping freebsd, linux or macos | be8f4019-d8b6-434c-a814-53123cdcc11e | bash |
| 221 | discovery | T1652 | Device Driver Discovery | 4 | List loaded kernel extensions (macOS) | 71eab73d-5d7d-4681-9a72-7873489a5b85 | bash |
| 222 | discovery | T1652 | Device Driver Discovery | 5 | Find Kernel Extensions (macOS) | c63bbe52-6f17-4832-b221-f07ba8b1736f | bash |
| 223 | discovery | T1087.001 | Account Discovery: Local Account | 2 | View sudoers access | fed9be70-0186-4bde-9f8a-20945f9370c2 | sh |
| 224 | discovery | T1087.001 | Account Discovery: Local Account | 3 | View accounts with UID 0 | c955a599-3653-4fe5-b631-f11c00eb0397 | sh |
| 225 | discovery | T1087.001 | Account Discovery: Local Account | 4 | List opened files by user | 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb | sh |
| 226 | discovery | T1087.001 | Account Discovery: Local Account | 6 | Enumerate users and groups | e6f36545-dc1e-47f0-9f48-7f730f54a02e | sh |
| 227 | discovery | T1087.001 | Account Discovery: Local Account | 7 | Enumerate users and groups | 319e9f6c-7a9e-432e-8c62-9385c803b6f2 | sh |
| 228 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 4 | Detect Virtualization Environment via ioreg | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 229 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 6 | Detect Virtualization Environment using sysctl (hw.model) | 6beae646-eb4c-4730-95be-691a4094408c | sh |
| 230 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 7 | Check if System Integrity Protection is enabled | 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 | sh |
| 231 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 8 | Detect Virtualization Environment using system_profiler | e04d2e89-de15-4d90-92f9-a335c7337f0f | sh |
| 232 | discovery | T1007 | System Service Discovery | 5 | System Service Discovery - macOS launchctl | 9b378962-a75e-4856-b117-2503d6dcebba | sh |
| 233 | discovery | T1040 | Network Sniffing | 3 | Packet Capture macOS using tcpdump or tshark | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 234 | discovery | T1040 | Network Sniffing | 8 | Packet Capture macOS using /dev/bpfN with sudo | e6fe5095-545d-4c8b-a0ae-e863914be3aa | bash |
| 235 | discovery | T1040 | Network Sniffing | 9 | Filtered Packet Capture macOS using /dev/bpfN with sudo | e2480aee-23f3-4f34-80ce-de221e27cd19 | bash |
| 236 | discovery | T1135 | Network Share Discovery | 1 | Network Share Discovery | f94b5ad9-911c-4eff-9718-fd21899db4f7 | sh |
| 237 | discovery | T1082 | System Information Discovery | 2 | System Information Discovery | edff98ec-0f73-4f63-9890-6b117092aff6 | sh |
| 238 | discovery | T1082 | System Information Discovery | 3 | List OS Information | cccb070c-df86-4216-a5bc-9fb60c74e27c | sh |
| 239 | discovery | T1082 | System Information Discovery | 8 | Hostname Discovery | 486e88ea-4f56-470f-9b57-3f4d73f39133 | sh |
| 240 | discovery | T1082 | System Information Discovery | 12 | Environment variables discovery on freebsd, macos and linux | fcbdd43f-f4ad-42d5-98f3-0218097e2720 | sh |
| 241 | discovery | T1082 | System Information Discovery | 13 | Show System Integrity Protection status (MacOS) | 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 | sh |
| 242 | discovery | T1082 | System Information Discovery | 33 | sysctl to gather macOS hardware info | c8d40da9-31bd-47da-a497-11ea55d1ef6c | sh |
| 243 | discovery | T1497.003 | Time Based Evasion | 1 | Delay execution with ping | 8b87dd03-8204-478c-bac3-3959f6528de3 | sh |
| 244 | discovery | T1217 | Browser Bookmark Discovery | 2 | List Mozilla Firefox Bookmark Database Files on macOS | 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b | sh |
| 245 | discovery | T1217 | Browser Bookmark Discovery | 3 | List Google Chrome Bookmark JSON Files on macOS | b789d341-154b-4a42-a071-9111588be9bc | sh |
| 246 | discovery | T1217 | Browser Bookmark Discovery | 9 | List Safari Bookmarks on MacOS | 5fc528dd-79de-47f5-8188-25572b7fafe0 | sh |
| 247 | discovery | T1016 | System Network Configuration Discovery | 3 | System Network Configuration Discovery | c141bbdb-7fca-4254-9fd6-f47e79447e17 | sh |
| 248 | discovery | T1016 | System Network Configuration Discovery | 8 | List macOS Firewall Rules | ff1d8c25-2aa4-4f18-a425-fede4a41ee88 | bash |
| 249 | discovery | T1083 | File and Directory Discovery | 3 | Nix File and Directory Discovery | ffc8b249-372a-4b74-adcd-e4c0430842de | sh |
| 250 | discovery | T1083 | File and Directory Discovery | 4 | Nix File and Directory Discovery 2 | 13c5e1ae-605b-46c4-a79f-db28c77ff24e | sh |
| 251 | discovery | T1049 | System Network Connections Discovery | 4 | System Network Connections Discovery via ss or lsof (Linux/MacOS) | bcf05343-ef1d-4052-8a27-b00c9be42b9f | bash |
| 252 | discovery | T1049 | System Network Connections Discovery | 5 | System Network Connections Discovery FreeBSD, Linux & MacOS | 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 | sh |
| 253 | discovery | T1057 | Process Discovery | 1 | Process Discovery - ps | 4ff64f0b-aaf2-4866-b39d-38d9791407cc | sh |
| 254 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 1 | Permission Groups Discovery (Local) | 952931a4-af0b-4335-bbbe-73c8c5b327ae | sh |
| 255 | discovery | T1201 | Password Policy Discovery | 8 | Examine password policy - macOS | 4b7fa042-9482-45e1-b348-4b756b2a0742 | bash |
| 256 | discovery | T1614 | System Location Discovery | 2 | Get geolocation info through IP-Lookup services using curl freebsd, linux or macos | 552b4db3-8850-412c-abce-ab5cc8a86604 | bash |
| 257 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 3 | Security Software Discovery - ps (macOS) | ba62ce11-e820-485f-9c17-6f3c857cd840 | sh |
| 258 | discovery | T1018 | Remote System Discovery | 6 | Remote System Discovery - arp nix | acb6b1ff-e2ad-4d64-806c-6c35fe73b951 | sh |
| 259 | discovery | T1018 | Remote System Discovery | 7 | Remote System Discovery - sweep | 96db2632-8417-4dbb-b8bb-a8b92ba391de | sh |
| 260 | discovery | T1046 | Network Service Discovery | 1 | Port Scan | 68e907da-2539-48f6-9fc9-257a78c05540 | bash |
| 261 | discovery | T1046 | Network Service Discovery | 2 | Port Scan Nmap | 515942b0-a09f-4163-a7bb-22fefb6f185f | sh |
| 262 | discovery | T1046 | Network Service Discovery | 12 | Port Scan using nmap (Port range) | 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 | sh |
| 263 | discovery | T1518 | Software Discovery | 3 | Find and Display Safari Browser Version | 103d6533-fd2a-4d08-976a-4a598565280f | sh |
| 264 | discovery | T1124 | System Time Discovery | 3 | System Time Discovery in FreeBSD/macOS | f449c933-0891-407f-821e-7916a21a1a6f | sh |
| 265 | execution | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 266 | execution | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 267 | execution | T1059.002 | Command and Scripting Interpreter: AppleScript | 1 | AppleScript | 3600d97d-81b9-4171-ab96-e4386506e2c2 | sh |
| 268 | execution | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 269 | execution | T1569.001 | System Services: Launchctl | 1 | Launchctl | 6fb61988-724e-4755-a595-07743749d4e2 | bash |
| 270 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 1 | Create and Execute Bash Shell Script | 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 | sh |
| 271 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 2 | Command-Line Interface | d0c88567-803d-4dca-99b4-7ce65e7b257c | sh |
| 272 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 14 | Shell Creation using awk command | ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5 | sh |
| 273 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 15 | Creating shell using cpan command | bcd4c2bc-490b-4f91-bd31-3709fe75bbdf | sh |
| 274 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 17 | emacs spawning an interactive system shell | e0742e38-6efe-4dd4-ba5c-2078095b6156 | sh |
| 275 | impact | T1531 | Account Access Removal | 4 | Change User Password via passwd | 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 | sh |
| 276 | impact | T1531 | Account Access Removal | 5 | Delete User via dscl utility | 4d938c43-2fe8-4d70-a5b3-5bf239aa7846 | sh |
| 277 | impact | T1531 | Account Access Removal | 6 | Delete User via sysadminctl utility | d3812c4e-30ee-466a-a0aa-07e355b561d6 | sh |
| 278 | impact | T1486 | Data Encrypted for Impact | 6 | Encrypt files using 7z utility - macOS | 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 | sh |
| 279 | impact | T1486 | Data Encrypted for Impact | 7 | Encrypt files using openssl utility - macOS | 1a01f6b8-b1e8-418e-bbe3-78a6f822759e | sh |
| 280 | impact | T1496 | Resource Hijacking | 1 | FreeBSD/macOS/Linux - Simulate CPU Load with Yes | 904a5a0e-fb02-490d-9f8d-0e256eb37549 | sh |
| 281 | impact | T1485 | Data Destruction | 2 | FreeBSD/macOS/Linux - Overwrite file with DD | 38deee99-fd65-4031-bec8-bfa4f9f26146 | sh |
| 282 | impact | T1490 | Inhibit System Recovery | 12 | Disable Time Machine | ed952f70-91d4-445a-b7ff-30966bfb1aff | sh |
| 283 | impact | T1529 | System Shutdown/Reboot | 3 | Restart System via `shutdown` - FreeBSD/macOS/Linux | 6326dbc4-444b-4c04-88f4-27e94d0327cb | sh |
| 284 | impact | T1529 | System Shutdown/Reboot | 4 | Shutdown System via `shutdown` - FreeBSD/macOS/Linux | 4963a81e-a3ad-4f02-adda-812343b351de | sh |
| 285 | impact | T1529 | System Shutdown/Reboot | 5 | Restart System via `reboot` - FreeBSD/macOS/Linux | 47d0b042-a918-40ab-8cf9-150ffe919027 | sh |
| 286 | initial-access | T1659 | Content Injection | 1 | MITM Proxy Injection | 9b360eaf-c778-4f07-a6e7-895c4f01ac1c | bash |
| 287 | initial-access | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 288 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 289 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 290 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 291 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 292 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 2 | Exfiltrate data HTTPS using curl freebsd,linux or macos | 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 | bash |
| 293 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 1 | Exfiltration Over Alternative Protocol - SSH | f6786cc8-beda-4915-a4d6-ac2f193bb988 | sh |
| 294 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 2 | Exfiltration Over Alternative Protocol - SSH | 7c3cb337-35ae-4d06-bf03-3032ed2ec268 | sh |
| 295 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 4 | Exfiltrate Data using DNS Queries via dig | a27916da-05f2-4316-a3ee-feec67a437be | bash |
| 296 | exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 2 | Exfiltrate data with rclone to cloud Storage - AWS S3 | a4b74723-5cee-4300-91c3-5e34166909b4 | powershell |
| 297 | exfiltration | T1030 | Data Transfer Size Limits | 1 | Data Transfer Size Limits | ab936c51-10f4-46ce-9144-e02137b2016a | sh |
| 298 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 1 | Exfiltration Over Alternative Protocol - HTTP | 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff | manual |