{
  "description": "Enterprise techniques used by macOS.OSAMiner, ATT&CK software S1048 (v1.0)",
  "name": "macOS.OSAMiner (S1048)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.002", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `osascript` to call itself via the `do shell script` command in the [Launch Agent](https://attack.mitre.org/techniques/T1543/001) `.plist` file. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.001", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has placed a [Stripped Payload](https://attack.mitre.org/techniques/T1027/008) with a `plist` extension in the [Launch Agent](https://attack.mitre.org/techniques/T1543/001)'s folder. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has searched for the Activity Monitor process in the System Events process list and killed the process if it was running. [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has also searched the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `curl` to download a [Stripped Payload](https://attack.mitre.org/techniques/T1027/008) from a public-facing adversary-controlled webpage.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.008", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used run-only AppleScripts, a compiled and stripped form of [AppleScript](https://attack.mitre.org/techniques/T1059/002), to remove human-readable indicators and evade detection. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.009", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has embedded a [Stripped Payload](https://attack.mitre.org/techniques/T1027/008) within another run-only [Stripped Payload](https://attack.mitre.org/techniques/T1027/008). (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `ps ax | grep  | grep -v grep | ...` and `ps ax | grep -E...` to conduct process discovery. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) can gather the device serial number and has checked that there is enough disk space using the Unix utility `df`. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.001", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `launchctl` to restart the [Launch Agent](https://attack.mitre.org/techniques/T1543/001). (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) can parse the output of the native `system_profiler` tool to determine whether the machine is running with 4 cores. (Citation: SentinelLabs reversing run-only applescripts 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by macOS.OSAMiner", "color": "#66b1ff"}]
}