
Advanced attack testing: Mac

NOTE: These commands make temporary changes to the machine in order to demonstrate real-world examples. However, they do not use live malware. You can also conduct testing scenarios with actual malware in the Windows-based CloudShare virtual environment; those instructions can be found in the Windows guide.


Estimated time

Minimum of 20 minutes, depending on the amount of testing you wish to conduct


Requirements

Windows or Mac Operating System
Google Chrome browser

1. Defense Evasion Techniques

  • Open a terminal.
  • Type or copy and paste this command:
    cd ~/Desktop; cp /usr/bin/whoami whoami.pdf; ./whoami.pdf; rm whoami.pdf
  • Next, go to the Falcon UI and navigate to Activity > Detections. You should see a new alert, which indicates that the malicious activity was detected.

ⓘ This detection illustrates Falcon’s ability to respond to malicious behaviors with IOAs. An Indicator of Attack, or IOA, represents a series of actions that an application or adversary must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary and the outcomes the adversary is trying to achieve. This is superior to using Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats. This specific command makes a copy of whoami with a .pdf extension and then executes it. Changing the extension of an existing tool will trigger a Falcon detection for masquerading. The command ends by removing the file, so no additional cleanup or reversal is needed.

2. Credential Theft Detect

  • Open a terminal.
  • Type or copy and paste this command:
    sudo dscl . read /Users/$USER dsAttrTypeNative:ShadowHashData
  • Switch back to the Falcon UI and go to Activity > Detections. You should see a new Prevention event with the Tactic & Technique "Credential Access via Credential Dumping".
  • The green checkmark indicates that this activity was successfully blocked.

ⓘ Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear-text password, from the operating system and software. The credentials can then be used to perform Lateral Movement and access restricted information. The command above queries the 'shadowhash' for a user via the terminal; on a macOS host it could be used to gather information used to decrypt passwords. No cleanup is needed on the system after executing this command.
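To make the two behaviors in this guide concrete from the detection side, here is an added example (not CrowdStrike's code and not how Falcon implements its IOAs) that scores constructed macOS process events for the masquerading and credential-dumping patterns exercised above. The event field names (image_path, cmdline, user) and the document-extension list are assumptions for the demo.

```python
"""Added example: a minimal behavioral scorer for the two patterns in this guide.
Not CrowdStrike code; event fields and the extension list are assumed."""
import os
import shlex

# Extensions a genuine executable should never carry (assumed demo list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
# The dscl attribute read by the guide's credential-dumping command.
SHADOW_HASH_ATTR = "dsAttrTypeNative:ShadowHashData"


def masquerading_indicator(event):
    """Flag execution of an image whose extension claims it is a document."""
    ext = os.path.splitext(event["image_path"])[1].lower()
    if ext in DOCUMENT_EXTENSIONS:
        return f"masquerading: executable run as {ext} file"
    return None


def credential_dump_indicator(event):
    """Flag dscl reads of ShadowHashData against any /Users record."""
    argv = shlex.split(event["cmdline"])
    if argv and argv[0] == "sudo":      # look past sudo to the real utility
        argv = argv[1:]
    if argv and os.path.basename(argv[0]) == "dscl" and "read" in argv:
        if SHADOW_HASH_ATTR in argv and any(a.startswith("/Users/") for a in argv):
            return "credential dumping: ShadowHashData read via dscl"
    return None


def score_events(events):
    """Return (event_index, indicator) for every event that matches a check."""
    hits = []
    for i, ev in enumerate(events):
        for check in (masquerading_indicator, credential_dump_indicator):
            tag = check(ev)
            if tag:
                hits.append((i, tag))
    return hits


# Constructed events: the guide's two test commands plus two benign controls.
SAMPLE_EVENTS = [
    {"image_path": "/Users/demo/Desktop/whoami.pdf", "cmdline": "./whoami.pdf", "user": "demo"},
    {"image_path": "/usr/bin/dscl", "cmdline": "sudo dscl . read /Users/demo dsAttrTypeNative:ShadowHashData", "user": "root"},
    {"image_path": "/usr/bin/dscl", "cmdline": "dscl . read /Users/demo RealName", "user": "demo"},
    {"image_path": "/usr/bin/whoami", "cmdline": "whoami", "user": "demo"},
]

if __name__ == "__main__":
    for idx, tag in score_events(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The benign dscl read of RealName and the plain whoami run produce no hit, which is the point of keying on the specific attribute and extension mismatch rather than on the tool name alone.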
