| 1 | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | privilege-escalation | T1546.004 | .bash_profile and .bashrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 3 | privilege-escalation | T1546.004 | .bash_profile and .bashrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 4 | privilege-escalation | T1053.003 | Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| 5 | privilege-escalation | T1053.003 | Cron | 2 | Cron - Add script to cron folder | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 6 | privilege-escalation | T1546.014 | Emond | 1 | Persistence with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 7 | privilege-escalation | T1543.001 | Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 8 | privilege-escalation | T1543.004 | Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 9 | privilege-escalation | T1053.004 | Launchd | 1 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 10 | privilege-escalation | T1037.002 | Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 11 | privilege-escalation | T1547.011 | Plist Modification | 1 | Plist Modification | 394a538e-09bb-4a4a-95d1-b93cf12682a8 | manual |
| 12 | privilege-escalation | T1037.004 | Rc.common | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 13 | privilege-escalation | T1547.007 | Re-opened Applications | 1 | Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | manual |
| 14 | privilege-escalation | T1547.007 | Re-opened Applications | 2 | Re-Opened Applications | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 15 | privilege-escalation | T1548.001 | Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 16 | privilege-escalation | T1548.001 | Setuid and Setgid | 2 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 17 | privilege-escalation | T1548.001 | Setuid and Setgid | 3 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 18 | privilege-escalation | T1037.005 | Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 19 | privilege-escalation | T1548.003 | Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 20 | privilege-escalation | T1548.003 | Sudo and Sudo Caching | 2 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 21 | privilege-escalation | T1548.003 | Sudo and Sudo Caching | 3 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 22 | privilege-escalation | T1546.005 | Trap | 1 | Trap | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 23 | persistence | T1546.004 | .bash_profile and .bashrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 24 | persistence | T1546.004 | .bash_profile and .bashrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 25 | persistence | T1176 | Browser Extensions | 1 | Chrome (Developer Mode) | 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 | manual |
| 26 | persistence | T1176 | Browser Extensions | 2 | Chrome (Chrome Web Store) | 4c83940d-8ca5-4bb2-8100-f46dc914bc3f | manual |
| 27 | persistence | T1176 | Browser Extensions | 3 | Firefox | cb790029-17e6-4c43-b96f-002ce5f10938 | manual |
| 28 | persistence | T1176 | Browser Extensions | 4 | Edge Chromium Addon - VPN | 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 | manual |
| 29 | persistence | T1053.003 | Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| 30 | persistence | T1053.003 | Cron | 2 | Cron - Add script to cron folder | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 31 | persistence | T1546.014 | Emond | 1 | Persistence with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 32 | persistence | T1543.001 | Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 33 | persistence | T1543.004 | Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 34 | persistence | T1053.004 | Launchd | 1 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 35 | persistence | T1136.001 | Local Account | 2 | Create a user account on a MacOS system | 01993ba5-1da3-4e15-a719-b690d4f0f0b2 | bash |
| 36 | persistence | T1037.002 | Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 37 | persistence | T1547.011 | Plist Modification | 1 | Plist Modification | 394a538e-09bb-4a4a-95d1-b93cf12682a8 | manual |
| 38 | persistence | T1037.004 | Rc.common | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 39 | persistence | T1547.007 | Re-opened Applications | 1 | Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | manual |
| 40 | persistence | T1547.007 | Re-opened Applications | 2 | Re-Opened Applications | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 41 | persistence | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | bash |
| 42 | persistence | T1037.005 | Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 43 | persistence | T1546.005 | Trap | 1 | Trap | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 44 | defense-evasion | T1027.001 | Binary Padding | 1 | Pad Binary to Change Hash - Linux/macOS dd | ffe2346c-abd5-4b45-a713-bf5f1ebd573a | sh |
| 45 | defense-evasion | T1070.003 | Clear Command History | 1 | Clear Bash history (rm) | a934276e-2be5-4a36-93fd-98adbb5bd4fc | sh |
| 46 | defense-evasion | T1070.003 | Clear Command History | 2 | Clear Bash history (echo) | cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 | sh |
| 47 | defense-evasion | T1070.003 | Clear Command History | 3 | Clear Bash history (cat dev/null) | b1251c35-dcd3-4ea1-86da-36d27b54f31f | sh |
| 48 | defense-evasion | T1070.003 | Clear Command History | 4 | Clear Bash history (ln dev/null) | 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 | sh |
| 49 | defense-evasion | T1070.003 | Clear Command History | 6 | Clear history of a bunch of shells | 7e6721df-5f08-4370-9255-f06d8a77af4c | sh |
| 50 | defense-evasion | T1070.003 | Clear Command History | 7 | Clear and Disable Bash History Logging | 784e4011-bd1a-4ecd-a63a-8feb278512e6 | sh |
| 51 | defense-evasion | T1070.003 | Clear Command History | 8 | Use Space Before Command to Avoid Logging to History | 53b03a54-4529-4992-852d-a00b4b7215a6 | sh |
| 52 | defense-evasion | T1070.002 | Clear Linux or Mac System Logs | 1 | rm -rf | 989cc1b1-3642-4260-a809-54f9dd559683 | sh |
| 53 | defense-evasion | T1562.001 | Disable or Modify Tools | 5 | Disable Carbon Black Response | 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c | sh |
| 54 | defense-evasion | T1562.001 | Disable or Modify Tools | 6 | Disable LittleSnitch | 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 | sh |
| 55 | defense-evasion | T1562.001 | Disable or Modify Tools | 7 | Disable OpenDNS Umbrella | 07f43b33-1e15-4e99-be70-bc094157c849 | sh |
| 56 | defense-evasion | T1562.001 | Disable or Modify Tools | 8 | Disable macOS Gatekeeper | 2a821573-fb3f-4e71-92c3-daac7432f053 | sh |
| 57 | defense-evasion | T1562.001 | Disable or Modify Tools | 9 | Stop and unload Crowdstrike Falcon on macOS | b3e7510c-2d4c-4249-a33f-591a2bc83eef | sh |
| 58 | defense-evasion | T1070.004 | File Deletion | 1 | Delete a single file - Linux/macOS | 562d737f-2fc6-4b09-8c2a-7f8ff0828480 | sh |
| 59 | defense-evasion | T1070.004 | File Deletion | 2 | Delete an entire folder - Linux/macOS | a415f17e-ce8d-4ce2-a8b4-83b674e7017e | sh |
| 60 | defense-evasion | T1553.001 | Gatekeeper Bypass | 1 | Gatekeeper Bypass | fb3d46c6-9480-4803-8d7d-ce676e1f1a9b | sh |
| 61 | defense-evasion | T1562.003 | HISTCONTROL | 1 | Disable history collection | 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 | sh |
| 62 | defense-evasion | T1562.003 | HISTCONTROL | 2 | Mac HISTCONTROL | 468566d5-83e5-40c1-b338-511e1659628d | manual |
| 63 | defense-evasion | T1564.001 | Hidden Files and Directories | 1 | Create a hidden file in a hidden directory | 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be | sh |
| 64 | defense-evasion | T1564.001 | Hidden Files and Directories | 2 | Mac Hidden file | cddb9098-3b47-4e01-9d3b-6f5f323288a9 | sh |
| 65 | defense-evasion | T1564.001 | Hidden Files and Directories | 5 | Hidden files | 3b7015f2-3144-4205-b799-b05580621379 | sh |
| 66 | defense-evasion | T1564.001 | Hidden Files and Directories | 6 | Hide a Directory | b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 | sh |
| 67 | defense-evasion | T1564.001 | Hidden Files and Directories | 7 | Show all hidden files | 9a1ec7da-b892-449f-ad68-67066d04380c | sh |
| 68 | defense-evasion | T1564.002 | Hidden Users | 1 | Create Hidden User using UniqueID < 500 | 4238a7f0-a980-4fff-98a2-dfc0a363d507 | sh |
| 69 | defense-evasion | T1564.002 | Hidden Users | 2 | Create Hidden User using IsHidden option | de87ed7b-52c3-43fd-9554-730f695e7f31 | sh |
| 70 | defense-evasion | T1553.004 | Install Root Certificate | 3 | Install root CA on macOS | cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 | command_prompt |
| 71 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 1 | chmod - Change file or folder mode (numeric mode) | 34ca1464-de9d-40c6-8c77-690adf36a135 | bash |
| 72 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 2 | chmod - Change file or folder mode (symbolic mode) | fc9d6695-d022-4a80-91b1-381f5c35aff3 | bash |
| 73 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 3 | chmod - Change file or folder mode (numeric mode) recursively | ea79f937-4a4d-4348-ace6-9916aec453a4 | bash |
| 74 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 4 | chmod - Change file or folder mode (symbolic mode) recursively | 0451125c-b5f6-488f-993b-5a32b09f7d8f | bash |
| 75 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 5 | chown - Change file or folder ownership and group | d169e71b-85f9-44ec-8343-27093ff3dfc0 | bash |
| 76 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 6 | chown - Change file or folder ownership and group recursively | b78598be-ff39-448f-a463-adbf2a5b7848 | bash |
| 77 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 7 | chown - Change file or folder mode ownership only | 967ba79d-f184-4e0e-8d09-6362b3162e99 | bash |
| 78 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 8 | chown - Change file or folder ownership recursively | 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 | bash |
| 79 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 9 | chattr - Remove immutable file attribute | e7469fe2-ad41-4382-8965-99b94dd3c13f | sh |
| 80 | defense-evasion | T1027 | Obfuscated Files or Information | 1 | Decode base64 Data into Script | f45df6be-2e1e-4136-a384-8f18ab3826fb | sh |
| 81 | defense-evasion | T1548.001 | Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 82 | defense-evasion | T1548.001 | Setuid and Setgid | 2 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 83 | defense-evasion | T1548.001 | Setuid and Setgid | 3 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 84 | defense-evasion | T1027.002 | Software Packing | 3 | Binary simply packed by UPX | b16ef901-00bb-4dda-b4fc-a04db5067e20 | sh |
| 85 | defense-evasion | T1027.002 | Software Packing | 4 | Binary packed by UPX, with modified headers | 4d46e16b-5765-4046-9f25-a600d3e65e4d | sh |
| 86 | defense-evasion | T1036.006 | Space after Filename | 1 | Space After Filename | 89a7dd26-e510-4c9f-9b15-f3bae333360f | manual |
| 87 | defense-evasion | T1548.003 | Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 88 | defense-evasion | T1548.003 | Sudo and Sudo Caching | 2 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 89 | defense-evasion | T1548.003 | Sudo and Sudo Caching | 3 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 90 | defense-evasion | T1497.001 | System Checks | 3 | Detect Virtualization Environment (MacOS) | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 91 | defense-evasion | T1070.006 | Timestomp | 1 | Set a file's access timestamp | 5f9113d5-ed75-47ed-ba23-ea3573d05810 | sh |
| 92 | defense-evasion | T1070.006 | Timestomp | 2 | Set a file's modification timestamp | 20ef1523-8758-4898-b5a2-d026cc3d2c52 | sh |
| 93 | defense-evasion | T1070.006 | Timestomp | 3 | Set a file's creation timestamp | 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b | sh |
| 94 | defense-evasion | T1070.006 | Timestomp | 4 | Modify file timestamps using reference file | 631ea661-d661-44b0-abdb-7a7f3fc08e50 | sh |
| 95 | impact | T1485 | Data Destruction | 2 | macOS/Linux - Overwrite file with DD | 38deee99-fd65-4031-bec8-bfa4f9f26146 | bash |
| 96 | impact | T1496 | Resource Hijacking | 1 | macOS/Linux - Simulate CPU Load with Yes | 904a5a0e-fb02-490d-9f8d-0e256eb37549 | bash |
| 97 | impact | T1529 | System Shutdown/Reboot | 3 | Restart System via `shutdown` - macOS/Linux | 6326dbc4-444b-4c04-88f4-27e94d0327cb | bash |
| 98 | impact | T1529 | System Shutdown/Reboot | 4 | Shutdown System via `shutdown` - macOS/Linux | 4963a81e-a3ad-4f02-adda-812343b351de | bash |
| 99 | impact | T1529 | System Shutdown/Reboot | 5 | Restart System via `reboot` - macOS/Linux | 47d0b042-a918-40ab-8cf9-150ffe919027 | bash |
| 100 | discovery | T1217 | Browser Bookmark Discovery | 2 | List Mozilla Firefox Bookmark Database Files on macOS | 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b | sh |
| 101 | discovery | T1217 | Browser Bookmark Discovery | 3 | List Google Chrome Bookmark JSON Files on macOS | b789d341-154b-4a42-a071-9111588be9bc | sh |
| 102 | discovery | T1083 | File and Directory Discovery | 3 | Nix File and Directory Discovery | ffc8b249-372a-4b74-adcd-e4c0430842de | sh |
| 103 | discovery | T1083 | File and Directory Discovery | 4 | Nix File and Directory Discovery 2 | 13c5e1ae-605b-46c4-a79f-db28c77ff24e | sh |
| 104 | discovery | T1087.001 | Local Account | 1 | Enumerate all accounts (Local) | f8aab3dd-5990-4bf8-b8ab-2226c951696f | sh |
| 105 | discovery | T1087.001 | Local Account | 2 | View sudoers access | fed9be70-0186-4bde-9f8a-20945f9370c2 | sh |
| 106 | discovery | T1087.001 | Local Account | 3 | View accounts with UID 0 | c955a599-3653-4fe5-b631-f11c00eb0397 | sh |
| 107 | discovery | T1087.001 | Local Account | 4 | List opened files by user | 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb | sh |
| 108 | discovery | T1087.001 | Local Account | 6 | Enumerate users and groups | e6f36545-dc1e-47f0-9f48-7f730f54a02e | sh |
| 109 | discovery | T1087.001 | Local Account | 7 | Enumerate users and groups | 319e9f6c-7a9e-432e-8c62-9385c803b6f2 | sh |
| 110 | discovery | T1069.001 | Local Groups | 1 | Permission Groups Discovery (Local) | 952931a4-af0b-4335-bbbe-73c8c5b327ae | sh |
| 111 | discovery | T1046 | Network Service Scanning | 1 | Port Scan | 68e907da-2539-48f6-9fc9-257a78c05540 | sh |
| 112 | discovery | T1046 | Network Service Scanning | 2 | Port Scan Nmap | 515942b0-a09f-4163-a7bb-22fefb6f185f | sh |
| 113 | discovery | T1135 | Network Share Discovery | 1 | Network Share Discovery | f94b5ad9-911c-4eff-9718-fd21899db4f7 | sh |
| 114 | discovery | T1040 | Network Sniffing | 2 | Packet Capture macOS | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 115 | discovery | T1201 | Password Policy Discovery | 7 | Examine password policy - macOS | 4b7fa042-9482-45e1-b348-4b756b2a0742 | bash |
| 116 | discovery | T1057 | Process Discovery | 1 | Process Discovery - ps | 4ff64f0b-aaf2-4866-b39d-38d9791407cc | sh |
| 117 | discovery | T1018 | Remote System Discovery | 6 | Remote System Discovery - arp nix | acb6b1ff-e2ad-4d64-806c-6c35fe73b951 | sh |
| 118 | discovery | T1018 | Remote System Discovery | 7 | Remote System Discovery - sweep | 96db2632-8417-4dbb-b8bb-a8b92ba391de | sh |
| 119 | discovery | T1518.001 | Security Software Discovery | 3 | Security Software Discovery - ps (macOS) | ba62ce11-e820-485f-9c17-6f3c857cd840 | sh |
| 120 | discovery | T1518 | Software Discovery | 3 | Find and Display Safari Browser Version | 103d6533-fd2a-4d08-976a-4a598565280f | command_prompt |
| 121 | discovery | T1497.001 | System Checks | 3 | Detect Virtualization Environment (MacOS) | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 122 | discovery | T1082 | System Information Discovery | 2 | System Information Discovery | edff98ec-0f73-4f63-9890-6b117092aff6 | sh |
| 123 | discovery | T1082 | System Information Discovery | 3 | List OS Information | cccb070c-df86-4216-a5bc-9fb60c74e27c | sh |
| 124 | discovery | T1082 | System Information Discovery | 7 | Hostname Discovery | 486e88ea-4f56-470f-9b57-3f4d73f39133 | bash |
| 125 | discovery | T1016 | System Network Configuration Discovery | 3 | System Network Configuration Discovery | c141bbdb-7fca-4254-9fd6-f47e79447e17 | sh |
| 126 | discovery | T1016 | System Network Configuration Discovery | 6 | List macOS Firewall Rules | ff1d8c25-2aa4-4f18-a425-fede4a41ee88 | bash |
| 127 | discovery | T1049 | System Network Connections Discovery | 3 | System Network Connections Discovery Linux & MacOS | 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 | sh |
| 128 | discovery | T1033 | System Owner/User Discovery | 2 | System Owner/User Discovery | 2a9b677d-a230-44f4-ad86-782df1ef108c | sh |
| 129 | execution | T1059.002 | AppleScript | 1 | AppleScript | 3600d97d-81b9-4171-ab96-e4386506e2c2 | sh |
| 130 | execution | T1053.003 | Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| 131 | execution | T1053.003 | Cron | 2 | Cron - Add script to cron folder | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 132 | execution | T1569.001 | Launchctl | 1 | Launchctl | 6fb61988-724e-4755-a595-07743749d4e2 | bash |
| 133 | execution | T1053.004 | Launchd | 1 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 134 | execution | T1059.004 | Unix Shell | 1 | Create and Execute Bash Shell Script | 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 | sh |
| 135 | execution | T1059.004 | Unix Shell | 2 | Command-Line Interface | d0c88567-803d-4dca-99b4-7ce65e7b257c | sh |
| 136 | command-and-control | T1105 | Ingress Tool Transfer | 1 | rsync remote file copy (push) | 0fc6e977-cb12-44f6-b263-2824ba917409 | bash |
| 137 | command-and-control | T1105 | Ingress Tool Transfer | 2 | rsync remote file copy (pull) | 3180f7d5-52c0-4493-9ea0-e3431a84773f | bash |
| 138 | command-and-control | T1105 | Ingress Tool Transfer | 3 | scp remote file copy (push) | 83a49600-222b-4866-80a0-37736ad29344 | bash |
| 139 | command-and-control | T1105 | Ingress Tool Transfer | 4 | scp remote file copy (pull) | b9d22b9a-9778-4426-abf0-568ea64e9c33 | bash |
| 140 | command-and-control | T1105 | Ingress Tool Transfer | 5 | sftp remote file copy (push) | f564c297-7978-4aa9-b37a-d90477feea4e | bash |
| 141 | command-and-control | T1105 | Ingress Tool Transfer | 6 | sftp remote file copy (pull) | 0139dba1-f391-405e-a4f5-f3989f2c88ef | bash |
| 142 | command-and-control | T1090.001 | Internal Proxy | 1 | Connection Proxy | 0ac21132-4485-4212-a681-349e8a6637cd | sh |
| 143 | command-and-control | T1090.001 | Internal Proxy | 2 | Connection Proxy for macOS UI | 648d68c1-8bcd-4486-9abe-71c6655b6a2c | sh |
| 144 | command-and-control | T1571 | Non-Standard Port | 2 | Testing usage of uncommonly used port | 5db21e1d-dd9c-4a50-b885-b1e748912767 | sh |
| 145 | command-and-control | T1132.001 | Standard Encoding | 1 | Base64 Encoded data. | 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 | sh |
| 146 | command-and-control | T1071.001 | Web Protocols | 3 | Malicious User Agents - Nix | 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 | sh |
| 147 | collection | T1560.001 | Archive via Utility | 5 | Data Compressed - nix - zip | c51cec55-28dd-4ad2-9461-1eacbc82c3a0 | sh |
| 148 | collection | T1560.001 | Archive via Utility | 6 | Data Compressed - nix - gzip Single File | cde3c2af-3485-49eb-9c1f-0ed60e9cc0af | sh |
| 149 | collection | T1560.001 | Archive via Utility | 7 | Data Compressed - nix - tar Folder or File | 7af2b51e-ad1c-498c-aca8-d3290c19535a | sh |
| 150 | collection | T1560.001 | Archive via Utility | 8 | Data Encrypted with zip and gpg symmetric | 0286eb44-e7ce-41a0-b109-3da516e05a5f | sh |
| 151 | collection | T1115 | Clipboard Data | 3 | Execute commands from clipboard | 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff | bash |
| 152 | collection | T1056.002 | GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 153 | collection | T1074.001 | Local Data Staging | 2 | Stage data from Discovery.sh | 39ce0303-ae16-4b9e-bb5b-4f53e8262066 | bash |
| 154 | collection | T1113 | Screen Capture | 1 | Screencapture | 0f47ceb1-720f-4275-96b8-21f0562217ac | bash |
| 155 | collection | T1113 | Screen Capture | 2 | Screencapture (silent) | deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 | bash |
| 156 | exfiltration | T1030 | Data Transfer Size Limits | 1 | Data Transfer Size Limits | ab936c51-10f4-46ce-9144-e02137b2016a | sh |
| 157 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 1 | Exfiltration Over Alternative Protocol - SSH | f6786cc8-beda-4915-a4d6-ac2f193bb988 | sh |
| 158 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 2 | Exfiltration Over Alternative Protocol - SSH | 7c3cb337-35ae-4d06-bf03-3032ed2ec268 | sh |
| 159 | exfiltration | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 1 | Exfiltration Over Alternative Protocol - HTTP | 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff | manual |
| 160 | credential-access | T1552.003 | Bash History | 1 | Search Through Bash History | 3cfde62b-7c33-4b26-a61e-755d6131c8ce | sh |
| 161 | credential-access | T1552.001 | Credentials In Files | 1 | Extract Browser and System credentials with LaZagne | 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 | bash |
| 162 | credential-access | T1552.001 | Credentials In Files | 2 | Extract passwords with grep | bd4cf0d1-7646-474e-8610-78ccf5a097c4 | sh |
| 163 | credential-access | T1555.003 | Credentials from Web Browsers | 2 | Search macOS Safari Cookies | c1402f7b-67ca-43a8-b5f3-3143abedc01b | sh |
| 164 | credential-access | T1056.002 | GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 165 | credential-access | T1555.001 | Keychain | 1 | Keychain | 1864fdec-ff86-4452-8c30-f12507582a93 | sh |
| 166 | credential-access | T1040 | Network Sniffing | 2 | Packet Capture macOS | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 167 | credential-access | T1552.004 | Private Keys | 2 | Discover Private SSH Keys | 46959285-906d-40fa-9437-5a439accd878 | sh |
| 168 | credential-access | T1552.004 | Private Keys | 4 | Copy Private SSH Keys with rsync | 864bb0b2-6bb5-489a-b43b-a77b3a16d68a | sh |