Part | Link | MITRE Phase
---|---|---
Part 1 | https://invictus-ir.medium.com/responding-to-macos-attacks-33f32332e0c | Initial Access & Execution
Part 2 | https://invictus-ir.medium.com/responding-to-macos-attacks-part-ii-8a23179cbc3d | Persistence
Part 3 (todo) | https://medium.com | Defense Evasion & Credential Access
Part 4 (todo) | https://medium.com | Discovery, Lateral Movement & Collection
Part 5 (todo) | https://medium.com | Famous macOS Malware Samples
```applescript
tell application "Google Chrome"
	get title of first window
end tell
```
Technique | File Location | Note
---|---|---
T1543.001 | /System/Library/LaunchAgents | Apple-supplied agents that apply to all users on a per-user basis
T1543.001 | /Library/LaunchAgents | Third-party agents that apply to all users on a per-user basis
T1543.001 | ~/Library/LaunchAgents | Third-party agents that apply only to the logged-in user
T1543.004 | /System/Library/LaunchDaemons | Apple-supplied system daemons
T1543.004 | /Library/LaunchDaemons | Third-party system daemons
T1546.014 | /private/var/db/emondClients |
T1546.014 | /private/etc/emond.d/rules |
T1546.004 | /etc/zshenv | File can also exist in the user's home directory
T1546.004 | /etc/zprofile | File can also exist in the user's home directory
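The launchd rows of the table are the first places a responder inventories on a suspected macOS compromise. The script below is an added example, not code from the gist or the Invictus articles: it parses every launch agent/daemon plist in the listed directories, pulls out the fields an analyst triages first (label, program, auto-start flags, mtime) and applies a simple heuristic that flags auto-starting items whose program lives outside a set of trusted prefixes. The directory list mirrors the table; the trusted-prefix set, the triage heuristic and the sample plists written by `build_sample_tree()` are assumptions constructed for the demonstration, so it runs offline on any platform.

```python
"""Inventory macOS launchd persistence locations from the table above.

Added example, not code from the gist or the Invictus articles. The
directory list mirrors the T1543.001 / T1543.004 rows; scan_launch_items()
takes the directories as a parameter so the same code runs against a live
Mac, a mounted forensic image, or the constructed sample tree in demo().
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Launch agent / daemon directories from the table (the '~' entry is
# expanded for the current user when scanning a live system).
LAUNCHD_DIRS = [
    "/System/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "~/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "/Library/LaunchDaemons",
]

# Program locations treated as expected for a launch item (assumption used
# by the triage heuristic below; tune it for your environment).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")


def parse_launch_item(path):
    """Extract the fields an analyst triages first from one launchd plist."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "path": str(path),
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
        "mtime": os.path.getmtime(path),
    }


def scan_launch_items(directories):
    """Parse every .plist in the given directories. Unreadable or malformed
    files are returned as errors rather than silently skipped, because a
    plist that will not parse is itself worth a look."""
    items, errors = [], []
    for directory in directories:
        base = Path(os.path.expanduser(directory))
        if not base.is_dir():
            continue
        for plist_path in sorted(base.glob("*.plist")):
            try:
                items.append(parse_launch_item(plist_path))
            except Exception as exc:  # permission denied, invalid plist, ...
                errors.append((str(plist_path), repr(exc)))
    return items, errors


def suspicious(item):
    """Triage heuristic: an auto-starting item whose program lives outside
    the trusted prefixes (e.g. under a user's home directory) is flagged."""
    program = item["program"] or ""
    autostart = item["run_at_load"] or item["keep_alive"]
    return autostart and not program.startswith(TRUSTED_PREFIXES)


def build_sample_tree(root):
    """Write a constructed sample tree (not real system data): one benign
    launch agent and one that matches the heuristic. Returns the dirs to scan."""
    agents = Path(root) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    samples = {
        "com.example.benign": ["/Applications/Example.app/Contents/MacOS/helper"],
        "com.sample.updater": ["/Users/sample/.cache/updater", "--daemon"],
    }
    for label, args in samples.items():
        with open(agents / f"{label}.plist", "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": True}, fh)
    return [str(agents)]


def demo():
    """Run the scan over the constructed tree; returns (labels, flagged, errors)."""
    with tempfile.TemporaryDirectory() as tmp:
        items, errors = scan_launch_items(build_sample_tree(tmp))
        labels = [item["label"] for item in items]
        flagged = [item["label"] for item in items if suspicious(item)]
        return labels, flagged, errors


if __name__ == "__main__":
    labels, flagged, errors = demo()
    print("launch items:", labels)
    print("flagged for review:", flagged)
    # On a live Mac: scan_launch_items(LAUNCHD_DIRS)
```

On a real system the interesting output is usually the mtime and the program path rather than the flag itself: a third-party plist in `/Library/LaunchDaemons` whose modification time falls inside the incident window deserves review even when its program sits under `/Applications`. The emond and zsh rows of the table are plain files rather than plists and are best diffed against a known-good baseline.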
Tactic | Technique | Procedure
---|---|---
Initial Access (TA0001) | Phishing: Spearphishing Attachment | A spearphishing email was sent to employees.
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell | Qbot was launched through the Windows Command Shell with cmd.exe.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell | Cobalt Strike was executed through encoded PowerShell commands.
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The Qbot DLL was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Persistence (TA0003) | Create or Modify System Process: Windows Service | Cobalt Strike was installed as a Windows service on multiple systems.
Privilege Escalation (TA0004) | Domain Accounts | Royal ransomware operators used (privileged) domain accounts for lateral movement.
Privilege Escalation (TA0004) | Abuse Elevation Control Mechanism: Bypass User Account Control | Royal ransomware operators executed a known UAC bypass that abuses a default sche
Tactic | CloudTrail event names
---|---
Initial Access | ConsoleLogin, PasswordRecoveryRequested
Execution | StartInstance, StartInstances, Invoke, SendCommand
Persistence | CreateAccessKey, CreateUser, CreateNetworkAclEntry, CreateRoute, CreateLoginProfile, AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress
Privilege Escalation | CreateGroup, CreateRole, UpdateAccessKey, PutGroupPolicy, PutRolePolicy, PutUserPolicy, AddRoleToInstanceProfile
Defense Evasion | StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors, DeleteFlowLogs, DeleteDetector, DeleteMembers
Credential Access | GetSecretValue, GetPasswordData, RequestCertificate, UpdateAssumeRolePolicy
Discovery | ListUsers, ListRoles, ListIdentities, ListAccessKeys, ListServiceQuotas, ListInstanceProfiles, ListBuckets
Lateral Movement | AssumeRole, SwitchRole
Exfiltration | CreateSnapShot, ModifySnapshotAttributes, ModifyImageAttribute, SharedSnapshotCopyInitiated, SharedSnapshotVolumeCreated, ModifyDBSnapshotAttribute, PutBucketP
Impact | PutBucketVersioning, RunInstances, DeleteAccountPublicAccessBlock
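A mapping like the one above is only useful once it is applied to logs. The script below is an added example, not part of the gist: it transcribes the event-name-to-tactic table, tags a set of CloudTrail records with it, groups the tagged events per principal and reports principals whose activity spans several tactics in order of first appearance. The sample records, the `123456789012` account number and the three-tactic threshold are constructed assumptions; the mapping itself is the gist's, except that the last Exfiltration entry, which is cut off in the source, is left out.

```python
"""Tag CloudTrail records with the MITRE tactic from the mapping above and
summarise per principal. Added example, not part of the gist; the event
mapping is the gist's, the records are constructed, and the kill-chain
threshold is an assumption."""
import json
from collections import defaultdict

# eventName -> tactic, transcribed from the CSV above. The CSV's last
# Exfiltration entry is cut off in the source and is left out here.
EVENT_TACTICS = {
    "Initial Access": ["ConsoleLogin", "PasswordRecoveryRequested"],
    "Execution": ["StartInstance", "StartInstances", "Invoke", "SendCommand"],
    "Persistence": ["CreateAccessKey", "CreateUser", "CreateNetworkAclEntry",
                    "CreateRoute", "CreateLoginProfile",
                    "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress"],
    "Privilege Escalation": ["CreateGroup", "CreateRole", "UpdateAccessKey",
                             "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
                             "AddRoleToInstanceProfile"],
    "Defense Evasion": ["StopLogging", "DeleteTrail", "UpdateTrail",
                        "PutEventSelectors", "DeleteFlowLogs", "DeleteDetector",
                        "DeleteMembers"],
    "Credential Access": ["GetSecretValue", "GetPasswordData",
                          "RequestCertificate", "UpdateAssumeRolePolicy"],
    "Discovery": ["ListUsers", "ListRoles", "ListIdentities", "ListAccessKeys",
                  "ListServiceQuotas", "ListInstanceProfiles", "ListBuckets"],
    "Lateral Movement": ["AssumeRole", "SwitchRole"],
    "Exfiltration": ["CreateSnapShot", "ModifySnapshotAttributes",
                     "ModifyImageAttribute", "SharedSnapshotCopyInitiated",
                     "SharedSnapshotVolumeCreated", "ModifyDBSnapshotAttribute"],
    "Impact": ["PutBucketVersioning", "RunInstances",
               "DeleteAccountPublicAccessBlock"],
}
# Case-insensitive lookup: CloudTrail logs CreateSnapshot, the CSV says CreateSnapShot.
EVENT_TO_TACTIC = {e.lower(): t for t, names in EVENT_TACTICS.items() for e in names}

# Constructed sample records in the CloudTrail record shape (fields trimmed);
# the account number is a placeholder, not a real account.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-user"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-user"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-user"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-user"}},
    {"eventTime": "2024-01-01T10:12:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-user"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops-role"}},
]})


def tactic_for(event_name):
    """Return the mapped tactic, or None for events the table does not cover."""
    return EVENT_TO_TACTIC.get(event_name.lower())


def summarize(records):
    """Tag each record; returns ({principal: [(time, tactic, event), ...]},
    [untagged event names]). Records are processed in eventTime order."""
    by_principal, untagged = defaultdict(list), []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        tactic = tactic_for(rec["eventName"])
        if tactic is None:
            untagged.append(rec["eventName"])
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        by_principal[who].append((rec["eventTime"], tactic, rec["eventName"]))
    return dict(by_principal), untagged


def kill_chain_coverage(by_principal, threshold=3):
    """Principals whose tagged events span at least `threshold` distinct
    tactics, listed in order of first appearance. One principal walking
    several tactics inside a short window is a triage signal, not a verdict."""
    flagged = {}
    for who, events in by_principal.items():
        seen = list(dict.fromkeys(t for _, t, _ in events))
        if len(seen) >= threshold:
            flagged[who] = seen
    return flagged


def run(raw_json=SAMPLE_RECORDS):
    """Parse a CloudTrail JSON document and return (flagged principals, untagged events)."""
    by_principal, untagged = summarize(json.loads(raw_json)["Records"])
    return kill_chain_coverage(by_principal), untagged


if __name__ == "__main__":
    flagged, untagged = run()
    for who, tactics in flagged.items():
        print(who, "->", " > ".join(tactics))
    print("not in mapping:", untagged)
```

The untagged list matters as much as the flagged principals: events the table does not cover (here `DescribeInstances`) are where the mapping should grow, and a single noisy principal that is legitimately an automation role will need an allow-list before this is usable as a detection rather than a triage aid.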