Attack-macOS is a library of scripts mapped to MITRE ATT&CK. Security teams can use Attack-macOS to execute attack techniques and discover new detection opportunities in macOS environments.
This project aims to simplify the execution of Living Off The Land (LOTL) techniques via scripts to validate macOS endpoint security.
All Attack-macOS scripts use native macOS binaries, interpreters, playlists, libraries, tools, and utilities. If third-party tools are installed (brew, slack, jamf), techniques that leverage third-party apps can be executed.
You can execute Attack-macOS scripts from the command line either via piped execution or from a copy on disk, depending on what telemetry you need to produce. For example:
curl -sSL https://raw.githubusercontent.com/darmado/attack-macOS/main/Discovery/accounts.sh | sh -s -- --help
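The two execution modes leave different process telemetry: a piped run shows the interpreter reading its script from stdin (`sh -s -- ...`) with no script file on disk, while an on-disk run shows the script path in the interpreter's arguments. The following added example (not code from the Attack-macOS project) classifies constructed process-exec records in an assumed `pid|ppid|exe|args` format so a detection engineer can see which artifacts distinguish the two modes.

```shell
#!/bin/sh
# Added example; not part of Attack-macOS. The record format below is an assumption
# for illustration (constructed sample data), not a real macOS log format.

# Constructed sample process-exec events: pid|ppid|exe|args
SAMPLE_EVENTS='101|100|/bin/sh|sh -s -- --help
102|100|/usr/bin/curl|curl -sSL https://raw.githubusercontent.com/darmado/attack-macOS/main/Discovery/accounts.sh
103|100|/bin/sh|sh ./Discovery/accounts.sh --help
104|100|/bin/zsh|zsh -c ls'

# exec_mode ARGS: classify a shell interpreter's argument string.
#   piped -> interpreter told to read the script from stdin (-s), no file on disk
#   disk  -> interpreter given a .sh script path as its argument
#   other -> anything else (e.g. zsh -c ls)
exec_mode() {
  case "$1" in
    sh\ -s|sh\ -s\ *|bash\ -s|bash\ -s\ *|zsh\ -s|zsh\ -s\ *) echo piped ;;
    sh\ *.sh|sh\ *.sh\ *|bash\ *.sh|bash\ *.sh\ *|zsh\ *.sh|zsh\ *.sh\ *) echo disk ;;
    *) echo other ;;
  esac
}

# flag_events: read pid|ppid|exe|args records on stdin and print "pid mode"
# for shell interpreter processes that ran a script piped in or from disk.
# Non-shell processes (curl itself, for example) are skipped; a real detection
# would additionally correlate the curl parent/sibling to confirm a pipe-to-shell.
flag_events() {
  while IFS='|' read -r pid ppid exe args; do
    case "${exe##*/}" in sh|bash|zsh) ;; *) continue ;; esac
    mode=$(exec_mode "$args")
    [ "$mode" = other ] || echo "$pid $mode"
  done
}

# Stand-alone run: prints "101 piped" and "103 disk"
printf '%s\n' "$SAMPLE_EVENTS" | flag_events
```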
For more info, check out our wiki.
Wiki is in the works...
Attack-macOS is built as a community development project. Once we add 200+ TTPs, we'll open it up entirely to the community. For now:
For bugs, feature requests, or suggestions use GitHub > Issues or hit me up on x.com:
For new or modified features for scripts:
git checkout -b feature/AmazingFeature
git commit -m 'Add some AmazingFeature'
git push origin feature/AmazingFeature
TTPs, attack scenarios, and code snippets are credited in the script's README.
Special thanks to:
This project is licensed under the Apache License, Version 2.0 - see the LICENSE file for details.