Merge remote-tracking branch 'origin/main' into loobin-stix-export

.github/workflows/bump.yml

@@ -0,0 +1,44 @@
+name: Bump version
+on:
+  workflow_dispatch:
+
+jobs:
+  poetry_bump:
+    name: bump version
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.DEPLOY }}
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install Poetry
+        run: |
+          curl -sSL https://install.python-poetry.org | python - -y
+
+      - name: Update PATH
+        run: echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run Poetry bump (patch)
+        run: poetry version patch
+
+      - name: Commit new version
+        run: |
+          git config --global user.name "infosecB"
+          git config --global user.email "[email protected]"
+          git commit -a -m "bump version"
+          git push
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bump version and push tag
+        id: tag_version
+        uses: mathieudutour/[email protected]
+        with:
+          github_token: ${{ secrets.PAT }}

.github/workflows/release.yml

@@ -0,0 +1,69 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*.*.*'
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install Poetry
+        run: |
+          curl -sSL https://install.python-poetry.org | python - -y
+
+      - name: Update PATH
+        run: echo "$HOME/.local/bin" >> $GITHUB_PATH
+      - name: Install dependecies
+        run: poetry install
+      - name: Run Tox
+        run: poetry run tox
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install Poetry
+        run: |
+          curl -sSL https://install.python-poetry.org | python - -y
+
+      - name: Update PATH
+        run: echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Build project for distribution
+        run: poetry build
+
+      - name: Check Version
+        id: check-version
+        run: |
+          [[ "$(poetry version --short)" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || echo prerelease=true >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: ncipollo/release-action@v1
+        with:
+          artifacts: "dist/*"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          draft: true
+          prerelease: steps.check-version.outputs.prerelease == 'true'
+
+      - name: Publish to PyPI
+        env:
+          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }}
+        run: poetry publish

LOOBins/GetFileInfo.yml

@@ -8,7 +8,6 @@ example_use_cases:
     description: A bash or zsh oneliner can provide an attacker with information about specific files of interest.
     code: for FILE in ~/Downloads/*; do echo $(GetFileInfo $FILE) >> fileinfo.txt; sleep 2; done
     tactics:
-      - Reconnaissance
       - Discovery
     tags:
       - bash

LOOBins/caffeinate.yml

@@ -0,0 +1,36 @@
+name: caffeinate
+author: Ethan Nay
+short_description: Prevent the system from sleeping on behalf of a utility.
+full_description: |- 
+      caffeinate creates assertions to alter system sleep behavior.  If no assertion flags are specified, caffeinate creates an assertion to prevent idle sleep.
+      If a utility is specified, caffeinate creates the assertions on the utility's behalf, and those assertions will persist for the duration of the utility's execution.
+      Otherwise, caffeinate creates the assertions directly, and those assertions will persist until caffeinate exits.
+created: 2023-07-12
+example_use_cases:
+  - name: Fork a process
+    description: Make caffeinate fork a process and hold an assertion that prevents idle sleep as long as that process is running
+    code: caffeinate -i /tmp/evil
+    tactics:
+      - Execution
+      - Defense Evasion
+    tags:
+      - bash
+      - zsh
+  - name: Prevent a sleep
+    description: Prevent a macOS from going to sleep for 4 hours (14400 seconds)
+    code: caffeinate -u -t 14400
+    tactics:
+      - Execution
+    tags:
+      - bash
+      - zsh
+paths:
+  - /usr/bin/caffeinate
+detections:
+  - name: No detections at time of publishing
+    url: N/A
+resources:
+  - name: "macOS/binaries/caffeinate"
+    url: https://macosbin.com/bin/caffeinate
+  - name: "caffeinate man page"
+    url: https://ss64.com/osx/caffeinate.html

LOOBins/chflags.yml

@@ -0,0 +1,38 @@
+name: chflags
+author: demonduck
+short_description: Changes file or directory flags
+full_description: |-
+    The chflags utility modifies the file flags of the listed files as 
+    specified by the flags operand.
+created: 2024-07-25
+example_use_cases:
+- name: Hide a file
+  description: |-
+      Add the hidden flag to a file or directory to prevent it from being 
+      visible in Finder and Terminal.
+  code: chflags hidden ~/evil
+  tactics:
+  - Defense Evasion
+  tags:
+  - finder
+- name: Remove hidden flag
+  description: |-
+      Remove the hidden flag to a file or directory to make it visible in Finder
+      and Terminal.
+  code: chflags nohidden ~/evil
+  tactics:
+  - Defense Evasion
+  tags:
+  - finder
+paths:
+- /usr/bin/chflags
+detections:
+- name: "Sigma: Hidden Flag Set On File/Directory Via Chflags"
+  url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
+resources:
+- name: "chflags man page"
+  url: https://ss64.com/mac/chflags.html
+- name: "macOS/binaries/chflags"
+  url: https://macosbin.com/bin/chflags
+- name: "How to hide files and folders"
+  url: https://eclecticlight.co/2024/07/03/how-to-hide-files-and-folders/

LOOBins/codesign.yml

@@ -0,0 +1,23 @@
+name: codesign
+author: Thijs Xhaflaire
+short_description: Create, manipulate and verify code signatures.
+full_description: The codesign command is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.
+created: 2024-07-29
+example_use_cases:
+  - name: Ad-hod codesigning an app bundle
+    description: This command forcefully re-signs the MyApp.app application with an ad-hoc signature, applying the signature deeply to all nested code within the app
+    code: codesign --force --deep -s - MyApp.app
+    tactics:
+      - Defense Evasion
+    tags:
+      - codesign
+paths:
+  - /usr/bin/codesign
+detections:
+  - name: "Jamf Protect: Detect ad-hod codesigning activity"
+    url: https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/adhoc_codesigning
+resources:
+  - name: "When Apple Admits macOS Malware Is A Problem – It’s Time To Take Notice"
+    url: https://www.sentinelone.com/blog/when-apple-admits-macos-malware-is-a-problem-its-time-to-take-notice/
+  - name: "codesign man page"
+    url: https://ss64.com/mac/codesign.html

LOOBins/csrutil.yml

@@ -33,11 +33,22 @@ example_use_cases:
       - Discovery
     tags:
       - configuration
+  - name: Determine if SIP is enabled
+    description: Determine if System Integrity Protection is enabled
+    code: csrutil status
+    tactics:
+      - Discovery
 paths:
   - /usr/bin/csrutil
 detections:
-  - name: No detections at time of publishing
-    url: N/A
+  - name: "Sigma: System Integrity Protection (SIP) Disabled"
+    url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
+  - name: "Sigma: System Integrity Protection (SIP) Enumeration"
+    url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
 resources:
   - name: "Discussion on how SIP interacts with bless and netboot"
     url: https://developer.apple.com/forums/thread/4002
+  - name: "MITRE ATT&CK T1518.001 Software Discovery: Security Software Discovery"
+    url: https://attack.mitre.org/techniques/T1518/001/
+  - name: "The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSSBackdoor Planting in Safari, and LeveragesTwo Zero-day Exploits"
+    url: https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf

LOOBins/defaults.yml

@@ -1,7 +1,7 @@
 name: defaults
 author: Brendan Chamberlain (@infosecB)
 short_description: Read, write, and delete user preference values.
-full_description: A full length description of the binary goes here.
+full_description: The defaults binary is normally used to interact with the user defaults system, a database of macOS used to manage system settings much like the Windows Registry. The database can be abused by threat actors to change settings in attempt to evade defenses or to gain persistence.
 created: 2023-05-24
 example_use_cases:
 - name: Disable Gatekeeper's auto rearm functionality
@@ -21,6 +21,25 @@ example_use_cases:
   code: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook gain_persistence.sh
   tactics:
   - Persistence
+- name: Get Active Directory user info from Jamf Connect
+  description: Retrieve Active Directory user info from Jamf Connect defaults configuration.
+  code: defaults read com.jamf.connect.state
+  tactics:
+  - Discovery
+- name: Enable Firewall
+  description: Enables macOS' default firewall. This command requires root privileges.
+  code: sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
+  tactics:
+  - Defense Evasion
+  tags:
+  - firewall
+- name: Disable Firewall
+  description: Disables macOS' default firewall. This command requires root privileges.
+  code: sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0
+  tactics:
+  - Defense Evasion
+  tags:
+  - firewall
 paths:
 - /usr/bin/defaults
 detections:

LOOBins/ditto.yml

@@ -33,6 +33,7 @@ example_use_cases:
   - Collection
   - Exfiltration
   - Lateral Movement
+  - Defense Evasion
   tags:
   - files
 - name: DLL hjiacking

LOOBins/dns-sd.yml

@@ -35,8 +35,8 @@ example_use_cases:
 paths:
 - /usr/bin/dns-sd
 detections:
-- name: No detections at time of publishing
-  url: N/A
+- name: "Jamf Protect: Detect dns-sd discovery activity"
+  url: https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/dns_service_discovery
 resources:
 - name: What does APT Activity Look Like on macOS?
   url: https://themittenmac.com/what-does-apt-activity-look-like-on-macos

LOOBins/dscacheutil.yml

@@ -0,0 +1,34 @@
+name: dscacheutil
+author: Ethan Nay
+short_description: gather information, statistics and initiate queries to the Directory Service cache.
+full_description: |-
+  dscacheutil does various operations against the Directory Service cache including gathering statistics, initiating lookups, inspection, cache flush, etc.
+  This tool replaces most of the functionality of the lookupd tool previously available in the OS.
+created: 2023-08-23
+example_use_cases:
+  - name: Lookup  a user
+    description: List the user information
+    code: dscacheutil -q user -a name <USER_NAME>
+    tactics:
+      - Discovery
+    tags:
+      - bash
+      - zsh
+  - name: Lookup all users
+    description: List the all users information
+    code: dscacheutil -q user
+    tactics:
+      - Discovery
+    tags:
+      - bash
+      - zsh
+paths:
+  - /usr/bin/dscacheutil
+detections:
+  - name: No detections at time of publishing
+    url: N/A
+resources:
+  - name: "macOS/binaries/dscacheutil"
+    url: https://macosbin.com/bin/dscacheutil
+  - name: "dscacheutil man page"
+    url: https://ss64.com/osx/dscacheutil.html