| Name | Description |
|---|---|
| OSX.Sofacy | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[1] |
| Enterprise | T1113 | Screen Capture | XAgentOSX contains the takeScreenShot function (along with startTakeScreenShot and stopTakeScreenShot) to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.[1] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | XAgentOSX contains the ftpUpload function, which uses the FTPManager:uploadFile method to upload files from the target system.[1] |
| Enterprise | T1083 | File and Directory Discovery | XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.[1] XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running |
| Enterprise | T1106 | Native API | XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[1] |
| Enterprise | T1082 | System Information Discovery | XAgentOSX contains the getInstalledAPP function to run |
| Enterprise | T1033 | System Owner/User Discovery | XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | XAgentOSX contains keylogging functionality that monitors for active application windows and writes them to the log; it can handle special characters, and by default it buffers 50 characters before sending them out over the C2 infrastructure.[1] |
| Enterprise | T1057 | Process Discovery | XAgentOSX contains the getProcessList function to run |