{"description": "Enterprise techniques used by XAgentOSX, ATT&CK software S0161 (v1.3)", "name": "XAgentOSX (S0161)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the getFirefoxPassword function to attempt to locate Firefox passwords.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.(Citation: XAgentOSX 2017) [XAgentOSX](https://attack.mitre.org/software/S0161) contains the showBackupIosFolder function to check for iOS device backups by running ls -la ~/Library/Application\\ Support/MobileSync/Backup/.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains keylogging functionality that monitors active application windows and writes keystrokes to the log; it can handle special characters, and by default it buffers 50 characters before sending them out over the C2 infrastructure.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the execFile function to execute a specified file on the system using the NSTask:launch method.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the getProcessList function to run ps aux to get running processes.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[XAgentOSX](https://attack.mitre.org/software/S0161) contains the getInfoOSX function to return the OS X version as well as the current user.(Citation: XAgentOSX 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by XAgentOSX", "color": "#66b1ff"}]}