Note: The attack procedure built in this post will not work on every macOS version or in every scenario. Many factors can block scripts from running at boot time, so you should always test against your target operating system.

The MITRE ATT&CK framework is a widely accepted knowledge base of tactics, techniques and procedures designed to organize and display how adversaries attack real-world assets. Blue teams use ATT&CK to better understand the multitude of new (and old) attacks and to map them onto their internal tools and systems. Red teams can use ATT&CK as a sort of playbook, running specific “plays” (combinations of TTPs) against their systems, and the results can be easily communicated to the rest of the security team.

Digging into some terminology:

  • A tactic is what an attacker hopes to achieve.
  • A technique is how an attacker plans to achieve or execute the tactic.
  • A procedure is a specific implementation of the technique.

Sound confusing? Let’s walk through an example:

An attacker may execute a Collection tactic to steal data from a computer, picking the Clipboard Data (T1115) technique and executing the Get-Clipboard PowerShell cmdlet as the procedure to complete the action.
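The same tactic/technique/procedure hierarchy is what a detection engineer works backwards through: an observed command (the procedure) is mapped to a technique ID and its parent tactic. The following is an added example, not code from the original post. It assumes a simplified, pipe-delimited rendering of PowerShell script block log entries (the real Event ID 4104 schema is richer) and includes only the Clipboard Data rule from the example above, using `Get-Clipboard` and its built-in alias `gcb` as the procedure patterns; the rule table is shaped so that further technique mappings can be appended.

```python
"""Map observed PowerShell procedures to ATT&CK tactic/technique pairs.

Added example (not from the original post). The log layout below is an
assumption: EventID|Host|ScriptBlockText, one entry per line.
"""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Pattern, Tuple


@dataclass(frozen=True)
class Mapping:
    tactic: str        # what the attacker hopes to achieve
    technique: str     # how the attacker plans to achieve it
    technique_id: str  # ATT&CK technique ID
    procedure: str     # the specific command that was observed


# Rule table: compiled pattern -> (tactic, technique, technique ID).
# Only the Clipboard Data example from the post is listed; the alias
# "gcb" is PowerShell's built-in alias for Get-Clipboard, so a rule that
# only matched the full cmdlet name would miss an equivalent procedure.
RULES: List[Tuple[Pattern[str], Tuple[str, str, str]]] = [
    (re.compile(r"\b(Get-Clipboard|gcb)\b", re.IGNORECASE),
     ("Collection", "Clipboard Data", "T1115")),
]

# Constructed sample entries (not real telemetry). The third field may
# itself contain "|" as a PowerShell pipe, so it must be split last.
SAMPLE_LOG = """\
4104|ws01|Get-Clipboard | Out-File C:\\Users\\Public\\clip.txt
4104|ws01|Get-ChildItem C:\\Users
4104|ws02|gcb -Format Text
4688|ws02|C:\\Windows\\System32\\notepad.exe
"""


def parse_script_blocks(raw: str) -> List[Dict[str, str]]:
    """Keep only script block (4104) entries as host/script dicts."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event_id, host, text = line.split("|", 2)  # maxsplit keeps pipes in script text
        if event_id != "4104":
            continue
        records.append({"host": host, "script": text.strip()})
    return records


def classify(script: str) -> Optional[Mapping]:
    """Return the tactic/technique this procedure maps to, or None."""
    for pattern, (tactic, technique, technique_id) in RULES:
        if pattern.search(script):
            return Mapping(tactic, technique, technique_id, procedure=script.strip())
    return None


def map_log(raw: str) -> List[Dict[str, str]]:
    """Parse the log and attach an ATT&CK mapping to every matching entry."""
    hits = []
    for rec in parse_script_blocks(raw):
        mapping = classify(rec["script"])
        if mapping is not None:
            hits.append({"host": rec["host"], **asdict(mapping)})
    return hits


if __name__ == "__main__":
    for h in map_log(SAMPLE_LOG):
        print(f'{h["host"]}: {h["tactic"]} / {h["technique"]} '
              f'({h["technique_id"]}) via "{h["procedure"]}"')
```

Running the script over the constructed entries reports two Collection / Clipboard Data (T1115) hits, one per host, and ignores both the unrelated `Get-ChildItem` block and the non-4104 process-creation line; the alias match is the detail worth noticing, since a rule keyed on the cmdlet name alone would classify only one of the two procedures.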

ATT&CK helps defenders in a variety of ways:

  • It offers a common language to discuss tactics, techniques and procedures.
  • It provides a dynamic kill-chain for blue team members to detect and respond.
  • It supplies resources related to threat groups and the behaviors they use in the wild.

For those on the offensive side, the ATT&CK matrix offers another quite remarkable benefit: it acts as a classification system for structuring your attacks into distinct kill-chains.

Offensive operators, including those in cyber operations and red teams alike, spend their time crafting exploits, coding implants and researching ways to conduct post-compromise activities without getting caught. In