==================================================

CREATED: OSX-REMOTE-DESKTOP-SHARING (#1339)

Description

Identifies when Remote Desktop Sharing is enabled on macOS.

References

ATT&CK Technique T1021

==================================================

CREATED: OSX-ENABLE-ROOT-ACCOUNT (#1338)

Description

Identifies when the macOS root account is enabled via command-line.

References

ATT&CK Technique T1108

==================================================

CREATED: OSX-SET-REMOTELOGIN-ON (#1337)

Description

Identifies when remote login (SSH) is enabled on macOS.

References

ATT&CK Technique T1108

==================================================

CREATED: OSX-CHROME-CREDENTIAL-FILE-COPY (#1336)

Description

Identifies when Google Chrome credential files (saved passwords, cookies) are being copied, possibly with the intent of theft.

References

ATT&CK Technique T1081

==================================================

CREATED: WIN-CSEXEC (#1335)

Description

Identifies the use of CSExec (a C# PsExec implementation), typically used by red teams and adversaries.

References

ATT&CK Technique T1035

==================================================

CREATED: OSX-KEYCHAIN-ARCHIVE (#1334)

Description

Identifies when keychain (password) material is being captured via an archival utility, possibly with the intent of theft.

References

ATT&CK Technique T1081

==================================================

CREATED: OSX-TCCDB-SERVICE-ACCESSIBILITY (#1333)

Description

Identifies when an attempt is made to give an application Accessibility permissions by directly modifying the TCC.db file. These permissions allow the application to control the device. While System Integrity Protection (SIP) prevents this from succeeding on macOS Sierra and later, malware may still attempt the action as a result of poor testing, an outdated device, and/or SIP having been disabled on the device.

References

ATT&CK Technique T1015

==================================================

CREATED: WIN-MSHTA-ENABLE-OFFICE-COM-ACCESS (#1340)

Description

Identifies mshta enabling programmatic access to MS Office COM via registry key modification.

References

https://gist.github.com/Kaicastledine/a98a9deee802255b4bc3000082356f26

ATT&CK Technique T1170