invictus-ir’s gists

## CloudTrail.csv
"Initial Access","Execution","Persistence","Privilege Escalation","Defense Evasion","Credential Access","Discovery","Lateral Movement","Exfiltration","Impact"
ConsoleLogin,StartInstance,CreateAccessKey,CreateGroup,StopLogging,GetSecretValue,ListUsers,AssumeRole,CreateSnapShot,PutBucketVersioning
PasswordRecoveryRequested,StartInstances,CreateUser,CreateRole,DeleteTrail,GetPasswordData,ListRoles,SwitchRole,ModifySnapshotAttributes ,RunInstances
,Invoke,CreateNetworkAclEntry,UpdateAccessKey,UpdateTrail,RequestCertificate,ListIdentities,,ModifyImageAttribute,DeleteAccountPublicAccessBlock
,SendCommand,CreateRoute,PutGroupPolicy,PutEventSelectors,UpdateAssumeRolePolicy,ListAccessKeys,,SharedSnapshotCopyInitiated,
,,CreateLoginProfile,PutRolePolicy,DeleteFlowLogs,,ListServiceQuotas,,SharedSnapshotVolumeCreated,
,,AuthorizeSecurityGroupEgress,PutUserPolicy,DeleteDetector,,ListInstanceProfiles,,ModifyDBSnapshotAttribute,
,,AuthorizeSecurityGroupIngress,AddRoleToInstanceProfile,DeleteMembers,,ListBuckets,,PutBucketP

## Royal_TTPs.csv

          
            Tactic
            Technique
            Procedure

            
              Initial Access (TA0001)
              Phishing: Spearphishing Attachment
              A spearphishing email was sent to employees

            
              Execution (TA0002)
              Command and Scripting Interpreter: Windows Command Shell
              Qbot was launched through the Windows Command Shell with cmd.exe.

            
              Execution (TA0001)
              Command and Scripting Interpreter: PowerShell
              Cobalt Strike was executed through encoded PowerShell commands.

            
              Persistence (TA0003)
              Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
              Qbot DLL was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

            
              Persistence (TA0003)
              Create or Modify System Process: Windows Service
              Cobalt Strike was installed as a Windows service on multiple systems.

            
              Privilege Escalation (TA0004)
              Domain Accounts
              Royal ransomware operators used (privileged) domain accounts for lateral movement

            
              Privilege Escalation (TA0004)
              Abuse Elevation Control Mechanism: Bypass User Account Control
              Royal ransomware operations executed a known UAC bypass that abuses a default sche

## Persistence_techniques.csv

          
            Technique 
            File Location
            Note

            
              T1543.001
              /System/Library/LaunchAgents
              Apple-supplied agents that apply to all users on a per-user basis

            
              
              /Library/LaunchAgents
              Third-party agents that apply to all users on a per-user basis

            
              
              ~/Library/LaunchAgents
              Third-party agents that apply only to the logged-in user

            
              T1543.004
              /System/Library/LaunchDaemons
              Apple-supplied system daemons

            
              
              /Library/LaunchDaemons
              Third-party system daemons

            
              T1546.014
              /private/var/db/emondClients

            
              
              /private/etc/emon.d/rules

            
              T1546.004
              /etc/zshenv
              File can also exist in user home directory

            
              
              /etc/zprofile
              File can also exist in user home directory

## AppleScript
tell application "Google Chrome"
	get title of first window
end tell

## series_overview.csv

          
            Part
            Link
            Mitre Phase

            
              Part 1
              https://invictus-ir.medium.com/responding-to-macos-attacks-33f32332e0c
              Initial Access & Execution

            
              Part 2
               https://invictus-ir.medium.com/responding-to-macos-attacks-part-ii-8a23179cbc3d
               Persistence

            
              Part 3(todo)
              https://medium.com
               Defense Evasion & Credential Access

            
              Part 4(todo)
              https://medium.com
               Discovery Lateral Movement & Collection

            
              Part 5(todo)
              https://medium.com
               Famous MacOS Malware Samples
	"Initial Access","Execution","Persistence","Privilege Escalation","Defense Evasion","Credential Access","Discovery","Lateral Movement","Exfiltration","Impact"
	ConsoleLogin,StartInstance,CreateAccessKey,CreateGroup,StopLogging,GetSecretValue,ListUsers,AssumeRole,CreateSnapShot,PutBucketVersioning
	PasswordRecoveryRequested,StartInstances,CreateUser,CreateRole,DeleteTrail,GetPasswordData,ListRoles,SwitchRole,ModifySnapshotAttributes ,RunInstances
	,Invoke,CreateNetworkAclEntry,UpdateAccessKey,UpdateTrail,RequestCertificate,ListIdentities,,ModifyImageAttribute,DeleteAccountPublicAccessBlock
	,SendCommand,CreateRoute,PutGroupPolicy,PutEventSelectors,UpdateAssumeRolePolicy,ListAccessKeys,,SharedSnapshotCopyInitiated,
	,,CreateLoginProfile,PutRolePolicy,DeleteFlowLogs,,ListServiceQuotas,,SharedSnapshotVolumeCreated,
	,,AuthorizeSecurityGroupEgress,PutUserPolicy,DeleteDetector,,ListInstanceProfiles,,ModifyDBSnapshotAttribute,
	,,AuthorizeSecurityGroupIngress,AddRoleToInstanceProfile,DeleteMembers,,ListBuckets,,PutBucketP
Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing: Spearphishing Attachment	A spearphishing email was sent to employees
Execution (TA0002)	Command and Scripting Interpreter: Windows Command Shell	Qbot was launched through the Windows Command Shell with cmd.exe.
Execution (TA0001)	Command and Scripting Interpreter: PowerShell	Cobalt Strike was executed through encoded PowerShell commands.
Persistence (TA0003)	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Qbot DLL was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Persistence (TA0003)	Create or Modify System Process: Windows Service	Cobalt Strike was installed as a Windows service on multiple systems.
Privilege Escalation (TA0004)	Domain Accounts	Royal ransomware operators used (privileged) domain accounts for lateral movement
Privilege Escalation (TA0004)	Abuse Elevation Control Mechanism: Bypass User Account Control	Royal ransomware operations executed a known UAC bypass that abuses a default sche
Technique	File Location	Note
T1543.001	/System/Library/LaunchAgents	Apple-supplied agents that apply to all users on a per-user basis
	/Library/LaunchAgents	Third-party agents that apply to all users on a per-user basis
	~/Library/LaunchAgents	Third-party agents that apply only to the logged-in user
T1543.004	/System/Library/LaunchDaemons	Apple-supplied system daemons
	/Library/LaunchDaemons	Third-party system daemons
T1546.014	/private/var/db/emondClients
	/private/etc/emon.d/rules
T1546.004	/etc/zshenv	File can also exist in user home directory
	/etc/zprofile	File can also exist in user home directory
	tell application "Google Chrome"
	get title of first window
	end tell
Part	Link	Mitre Phase
Part 1	https://invictus-ir.medium.com/responding-to-macos-attacks-33f32332e0c	Initial Access & Execution
Part 2	https://invictus-ir.medium.com/responding-to-macos-attacks-part-ii-8a23179cbc3d	Persistence
Part 3(todo)	https://medium.com	Defense Evasion & Credential Access
Part 4(todo)	https://medium.com	Discovery Lateral Movement & Collection
Part 5(todo)	https://medium.com	Famous MacOS Malware Samples