==================================================

CREATED: OSX-GREP-LITTLESNITCH (#1316)

Description

Identifies post-exploitation behavior looking for the existence of the Little Snitch firewall.

ATT&CK Technique T1063

==================================================

CREATED: NIX-SETUID-SETGID-POSSIBLE-RECON (#1315)

Description

Identifies searches on macOS/Linux systems for binaries with a SetUID or SetGID flag set. Binaries with these flags execute as the account owning the binaries, and adversaries search for them during recon stages of exploitation.

References

ATT&CK Technique T1083
ATT&CK Technique T1166
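
One way a SetUID/SetGID search can be recognized in process telemetry, as an added example (not this detector's own logic, which the page does not show). It assumes the search is run with find(1) and a -perm test; the function names and sample command lines are constructed for illustration.

```python
import os
import re
import shlex

SUID_SGID_BITS = 0o6000  # setuid (04000) | setgid (02000)


def perm_requests_suid_sgid(mode):
    """True if a find(1) -perm argument tests the setuid or setgid bit."""
    # Drop the match-type prefix: "-" (all bits), "/" (any bit), "+" (legacy any bit).
    if mode[:1] in ("-", "/", "+"):
        mode = mode[1:]
    if re.fullmatch(r"[0-7]+", mode):
        return bool(int(mode, 8) & SUID_SGID_BITS)
    # Symbolic clauses such as u=s, g+s, ug=s, u=rwxs; "o" alone cannot carry "s".
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)[=+]([rwxXst]*)", clause)
        if m and "s" in m.group(2) and (not m.group(1) or set(m.group(1)) & set("uga")):
            return True
    return False


def is_suid_sgid_search(cmdline):
    """Flag a process command line that runs find with a SetUID/SetGID -perm test.

    Assumption: telemetry records find as its own process, so argv[0] is find.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        return False
    if not argv or os.path.basename(argv[0]) != "find":
        return False
    return any(arg == "-perm" and perm_requests_suid_sgid(nxt)
               for arg, nxt in zip(argv, argv[1:]))


# Constructed sample command lines (not taken from real telemetry).
SAMPLES = [
    "find / -perm -4000 -type f",
    "/usr/bin/find / -type f -perm /6000 -ls",
    "find /usr -perm -u=s -type f",
    "find /var/log -perm 0644 -name '*.log'",
    "find /tmp -perm -1000",            # sticky bit only
    "ls -l /usr/bin/passwd",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{is_suid_sgid_search(line)!s:5}  {line}")
```

Routine administration and security auditing tools issue the same searches, so a match is better treated as a recon signal to correlate with the parent process and user than as a standalone alert.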
