Merge pull request #57 from redcanaryco/Haag

Mac - Discovery Techniques

Mac/Discovery/Network_Service_Scanning.md

@@ -0,0 +1,9 @@
+## Network Service Scanning
+
+MITRE ATT&CK Technique: [T1046](https://attack.mitre.org/wiki/Technique/T1046)
+
+### Bash One Liner
+
+Input:
+
+    for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; done

Mac/Discovery/Network_Share_Discovery.md

@@ -0,0 +1,18 @@
+## Network Share Discovery
+
+MITRE ATT&CK Technique: [T1135](https://attack.mitre.org/wiki/Technique/T1135)
+
+### Local Mounts
+
+Input:
+
+    df -aH
+
+### Remote Find Mounts
+
+   smbutil view -g //<hostname>
+
+
+### NFS Show mounts
+
+    showmount hostname

Mac/Discovery/Permissions_Groups_Discovery.md

@@ -0,0 +1,20 @@
+## Permission Groups Discovery
+
+MITRE ATT&CK Technique: [T1069](https://attack.mitre.org/wiki/Technique/T1069)
+
+
+### Domain
+
+Input:
+
+    dscacheutil -q group
+
+### Local
+
+Input:
+
+    dscl . -list /Groups
+
+Input:
+
+    groups

Mac/Discovery/Process_Discovery.md

@@ -0,0 +1,14 @@
+## Process Discovery
+
+MITRE ATT&CK Technique: [T1057](https://attack.mitre.org/wiki/Technique/T1057)
+
+
+### Process Discovery
+
+Input:
+
+    ps
+
+Input:
+
+    ps aux

Mac/Discovery/Remote_System_Discovery.md

@@ -0,0 +1,18 @@
+## Remote System Discovery
+
+MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
+
+
+### arp
+
+Input:
+
+    arp -a | grep -v '^?'
+
+
+### Network scanning
+
+
+Input:
+
+    for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

Mac/Discovery/Security_Software_Discovery.md

@@ -0,0 +1,12 @@
+# Security Software Discovery
+
+MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063)
+
+### LittleSnitch
+
+    ps -ef | grep Little\ Snitch | grep -v grep
+
+
+### CarbonBlack Response
+
+    ps aux | grep CbOsxSensorService

Mac/Discovery/System_Information_Discovery.md

@@ -0,0 +1,18 @@
+## System Information Discovery
+
+MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
+
+### System Information
+
+Input:
+
+    systemsetup
+
+Input:
+
+    system_profiler
+
+
+Input:
+
+    ls -al /Applications

Mac/Discovery/System_Network_Configuration_Discovery.md

@@ -0,0 +1,17 @@
+## System Network Configuration Discovery
+
+MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
+
+### Network Data
+
+Input:
+
+    arp -a
+
+Input:
+
+    netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
+
+Input:
+
+    ifconfig

Mac/Discovery/System_Owner_User_Discovery.md

@@ -0,0 +1,16 @@
+## System Owner/User Discovery
+
+MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033)
+
+
+Input:
+
+    Users
+
+Input:
+
+    w
+
+Input:
+
+    who

Mac/README.md

@@ -6,15 +6,15 @@
 | .bash_profile and .bashrc    | Dylib Hijacking               | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md )                      | [AppleScript](Execution/AppleScript.md)                     | [AppleScript](Execution/AppleScript.md)              | Automated Collection           | Automated Exfiltration                        | Commonly Used Port                      |
 | [Cron Job](Persistence/Cron_Job.md)                     | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md)         | Brute Force                            | Application Window Discovery           | Application Deployment Software | Command-Line Interface   | Clipboard Data                 | Data Compressed                               | Communication Through Removable Media   |
 | Dylib Hijacking              | [Launch Daemon](Persistence/Launch_Daemon.md)                 | Code Signing                  | [Create Account](Credential_Access/Create_Account.md)                         | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability   | Graphical User Interface | Data Staged                    | Data Encrypted                                | Connection Proxy                        |
-| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md)            | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)      | Credentials in Files                   | Network Share Discovery                | Logon Scripts                   | [Launchctl](Defense_Evasion/Launchctl.md)                | Data from Local System         | Data Transfer Size Limits                     | Custom Command and Control Protocol     |
-| LC_LOAD_DYLIB Addition       | Setuid and Setgid             | Exploitation of Vulnerability | Exploitation of Vulnerability          | Permission Groups Discovery            | Remote File Copy                | Scripting                | Data from Network Shared Drive | Exfiltration Over Alternative Protocol        | Custom Cryptographic Protocol           |
-| [Launch Agent](Persistence/Launch_Agent.md)                 | [Startup Items](Persistence/Startup_Items.md)                 | File Deletion                 | Input Capture                          | Process Discovery                      | Remote Services                 | Source                   | Data from Removable Media      | Exfiltration Over Command and Control Channel | Data Encoding                           |
-| [Launch Daemon](Persistence/Launch_Daemon.md)               | Sudo                          | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md)             | [Input Prompt](Credential_Access/Input_Prompt.md)                           | Remote System Discovery                | Third-party Software            | Space after Filename     | Input Capture                  | Exfiltration Over Other Network Medium        | Data Obfuscation                        |
-| [Launchctl](Defense_Evasion/Launchctl.md)                    | Valid Accounts                | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md)                   | [Keychain](Credential_Access/Keychain.md)                               | Security Software Discovery            |                                 | Third-party Software     | Screen Capture                 | Exfiltration Over Physical Medium             | Fallback Channels                       |
-| Login Item                   | Web Shell                     | Hidden Files and Directories  | Network Sniffing                       | System Information Discovery           |                                 | Trap                     |                                | Scheduled Transfer                            | Multi-Stage Channels                    |
-| Logon Scripts                |                               | [Hidden Users](Defense_Evasion/Hidden_Users.md)                  | Private Keys                           | System Network Configuration Discovery |                                 |                          |                                |                                               | Multiband Communication                 |
+| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md)            | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)      | Credentials in Files                   | [Network Share Discovery](Discovery/Network_Share_Discovery.md)                | Logon Scripts                   | [Launchctl](Defense_Evasion/Launchctl.md)                | Data from Local System         | Data Transfer Size Limits                     | Custom Command and Control Protocol     |
+| LC_LOAD_DYLIB Addition       | Setuid and Setgid             | Exploitation of Vulnerability | Exploitation of Vulnerability          | [Permission Groups Discovery](Discovery/Permissions_Groups_Summary.md)            | Remote File Copy                | Scripting                | Data from Network Shared Drive | Exfiltration Over Alternative Protocol        | Custom Cryptographic Protocol           |
+| [Launch Agent](Persistence/Launch_Agent.md)                 | [Startup Items](Persistence/Startup_Items.md)                 | File Deletion                 | Input Capture                          | [Process Discovery](Discovery/Process_Discovery.md)                      | Remote Services                 | Source                   | Data from Removable Media      | Exfiltration Over Command and Control Channel | Data Encoding                           |
+| [Launch Daemon](Persistence/Launch_Daemon.md)               | Sudo                          | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md)             | [Input Prompt](Credential_Access/Input_Prompt.md)                           | [Remote System Discovery](Discovery/Remote_System_Discovery.md)                | Third-party Software            | Space after Filename     | Input Capture                  | Exfiltration Over Other Network Medium        | Data Obfuscation                        |
+| [Launchctl](Defense_Evasion/Launchctl.md)                    | Valid Accounts                | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md)                   | [Keychain](Credential_Access/Keychain.md)                               | [Security Software Discovery](Discovery/Security_Software_Discovery.md)            |                                 | Third-party Software     | Screen Capture                 | Exfiltration Over Physical Medium             | Fallback Channels                       |
+| Login Item                   | Web Shell                     | Hidden Files and Directories  | Network Sniffing                       | [System Information Discovery](Discovery/System_Information_Discovery.md)           |                                 | Trap                     |                                | Scheduled Transfer                            | Multi-Stage Channels                    |
+| Logon Scripts                |                               | [Hidden Users](Defense_Evasion/Hidden_Users.md)                  | Private Keys                           | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) |                                 |                          |                                |                                               | Multiband Communication                 |
 | [Plist Modification](Persistence/Plist_Modification.md)           |                               | Hidden Window                 | Securityd Memory                       | System Network Connections Discovery   |                                 |                          |                                |                                               | Multilayer Encryption                   |
-| Rc.common                    |                               | Indicator Removal from Tools  | Two-Factor Authentication Interception | System Owner/User Discovery            |                                 |                          |                                |                                               | Remote File Copy                        |
+| Rc.common                    |                               | Indicator Removal from Tools  | Two-Factor Authentication Interception | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md)            |                                 |                          |                                |                                               | Remote File Copy                        |
 | [Re-opened Applications](Persistence/Re-opened_Applications.md)       |                               | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md)     |                                        |                                        |                                 |                          |                                |                                               | Standard Application Layer Protocol     |
 | Redundant Access             |                               | LC_MAIN Hijacking             |                                        |                                        |                                 |                          |                                |                                               | Standard Cryptographic Protocol         |
 | [Startup Items](Persistence/Startup_Items.md)                |                               | [Launchctl](Defense_Evasion/Launchctl.md)                     |                                        |                                        |                                 |                          |                                |                                               | Standard Non-Application Layer Protocol |

Windows/Discovery/Security_Software_Discovery.md

@@ -1,6 +1,6 @@
 # Security Software Discovery
 
-MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1063)
+MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063)
 
 ### netsh
 

Windows/Discovery/System_Owner-User_Discovery.md

@@ -1,6 +1,6 @@
 ## System Owner/User Discovery
 
-MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
+MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033)
 
 ### cmd.exe