A collection of macOS shell scripts emulating threat actor activity for security testing and detection engineering.
- Accurate Threat Emulation - Scripts that replicate real-world macOS threat actor behaviors using native macOS tools.
- No External Dependencies - Exclusively uses built-in macOS commands, ensuring no third-party software is needed.
- Automated Construction - Scripts are dynamically constructed using YAML input, allowing for flexible automation.
- Mapped to MITRE ATT&CK - Each script is designed to align with specific MITRE ATT&CK techniques, providing clear coverage.
- Modular Design - Built for adaptability; functions handle specific tasks and can be reused across different scripts.
- Consistent Logging - Standardized logging across all scripts, enabling easy telemetry analysis.
- Scalable and Interoperable - Easily integrates with other tools and automation frameworks through wrapper script compatibility.
The attack-macOS project aims to provide security professionals with realistic, native threat emulation scripts to validate and improve detection capabilities on macOS systems. The scripts adhere to strict design principles, ensuring consistency, accuracy, and adaptability for various testing scenarios.
- Functions handle single, well-defined tasks and can be reused across different scripts.
- Encapsulation ensures that telemetry commands and tasks are executed via user-passed arguments, promoting flexibility.
- Designed to work seamlessly with wrapper scripts, orchestration tools, and automation frameworks.
- Inputs and outputs are managed using standardized methods to maintain compatibility with other tools.
- Each function is focused on a specific task, avoiding overlap and ensuring clear boundaries in functionality.
- Uniform structure across all scripts, with standardized naming conventions and predictable outputs.
- The execution flow is controlled using global variables and a centralized
main()
function, enabling the addition of new features or techniques without disruption.