{"description": "Enterprise techniques used by MacMa, ATT&CK software S1016 (v2.0)", "name": "MacMa (S1016)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [
{"techniqueID": "T1123", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has the ability to record audio.(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.004", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can execute supplied shell commands and uses bash scripts to perform additional actions.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1543", "showSubtechniques": true},
{"techniqueID": "T1543.001", "comment": "[MacMa](https://attack.mitre.org/software/S1016) installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, [MacMa](https://attack.mitre.org/software/S1016) is executed from `/var/root/.local/softwareupdate` with root privileges.\nSome variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring [MacMa](https://attack.mitre.org/software/S1016) only runs when there is a logged-in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1555", "showSubtechniques": true},
{"techniqueID": "T1555.001", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can dump credentials from the macOS keychain.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1005", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can collect and then exfiltrate files from the compromised system.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1074", "showSubtechniques": true},
{"techniqueID": "T1074.001", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1140", "comment": "[MacMa](https://attack.mitre.org/software/S1016) decrypts a downloaded file using AES-128-ECB with a custom delta.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1573", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has used TLS encryption to initialize a custom protocol for C2 communications.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1041", "comment": "[MacMa](https://attack.mitre.org/software/S1016) exfiltrates data from a supplied path over its C2 channel.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1083", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can search for a specific file on the compromised computer and can enumerate files in the Desktop, Downloads, and Documents folders.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1070", "showSubtechniques": true},
{"techniqueID": "T1070.002", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can clear possible malware traces such as application logs.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1070.004", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can delete itself from the compromised computer.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1070.006", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has the capability to create and modify file timestamps.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1105", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has downloaded additional files, including an exploit used for privilege escalation.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1056", "showSubtechniques": true},
{"techniqueID": "T1056.001", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files.\nText input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.(Citation: Objective-See MacMa Nov 2021)(Citation: SentinelOne MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1106", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has used macOS API functions to perform tasks.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1095", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has used a custom JSON-based protocol for its C&C communications.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1571", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has used TCP port 5633 for C2 communication.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1057", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can enumerate running processes.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1021", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can manage remote screen sessions.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1113", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has used Apple\u2019s Core Graphics APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1553", "showSubtechniques": true},
{"techniqueID": "T1553.001", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has removed the `com.apple.quarantine` attribute from the dropped file, `$TMPDIR/airportpaird`.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1553.002", "comment": "[MacMa](https://attack.mitre.org/software/S1016) has been delivered using ad hoc Apple Developer code signing certificates.(Citation: SentinelOne Macma 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1082", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can collect information about a compromised computer, including the hardware UUID, Mac serial number, macOS version, and disk sizes.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1016", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can collect IP addresses from a compromised host.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1033", "comment": "[MacMa](https://attack.mitre.org/software/S1016) can collect the username from the compromised machine.(Citation: ESET DazzleSpy Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by MacMa", "color": "#66b1ff"}]}