Skip to content

Latest commit

 

History

History
23 lines (21 loc) · 6.42 KB

ds_apple_macos.md

File metadata and controls

23 lines (21 loc) · 6.42 KB

Vendor: Apple

Product: macOS

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
40 19 9 1 0
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1078 - Valid Accounts
T1078.003 - Valid Accounts: Local Accounts
  • 22 Rules
  • 10 Models
Compromised Credentials endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 27 Rules
  • 12 Models
Lateral Movement endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 1 Rules
Malware endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Privilege Abuse endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1078 - Valid Accounts
T1078.002 - T1078.002
  • 9 Rules
  • 6 Models
Privilege Escalation endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1078 - Valid Accounts
T1555 - Credentials from Password Stores
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models
Privileged Activity endpoint-login:success (local-logon)
apple-macos-str-endpoint-login-success-storingcredential
 T1078 - Valid Accounts
T1078.002 - T1078.002
  • 11 Rules
  • 5 Models

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Valid Accounts

 Valid Accounts

 Valid Accounts

 Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Ticket

Valid Accounts: Local Accounts

 Steal or Forge Kerberos Tickets

Credentials from Password Stores

 Use Alternate Authentication Material