Merge pull request #128 from infosecB/multiple-loobins

Release prep

LOOBins/GetFileInfo.yml

@@ -1,6 +1,6 @@
 name: GetFileInfo
 author: Chris Campbell (@texasbe2trill)
-short_description: A tool to get attributes of files and directories.
+short_description: Get attributes of files and directories.
 full_description: Uses the CommandLine/Terminal to return type, creator, attributes, created, and modified file information of a file or directory.
 created: 2023-04-23
 example_use_cases:

LOOBins/SetFile.yml

@@ -1,6 +1,6 @@
 name: SetFile
 author: Chris Campbell (@texasbe2trill)
-short_description: A tool to set attributes of files and directories.
+short_description: Set attributes of files and directories.
 full_description: Uses the CommandLine/Terminal to set file and or directory attributes. It can set attributes, creator, creation date, modification date, and file type for multiple files at a time.
 created: 2023-04-23
 example_use_cases:

LOOBins/csrutil.yml

@@ -1,6 +1,6 @@
 name: csrutil
 author: Megan Carney (https://infosec.exchange/@PwnieFan)
-short_description: Configure or view system security policies
+short_description: Configure or view system security policies.
 full_description: Used to enable/disable SIP, configure netboot and authenticated-root settings 
 created: 2023-05-14
 example_use_cases:

LOOBins/defaults.yml

@@ -0,0 +1,33 @@
+name: defaults
+author: Brendan Chamberlain (@infosecB)
+short_description: Read, write, and delete user preference values.
+full_description: A full length description of the binary goes here.
+created: 2023-05-24
+example_use_cases:
+- name: Disable Gatekeeper's auto rearm functionality
+  description: The following command can be used to disable Gatekeepers rearm functionality. This command requires root privileges.
+  code: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO
+  tactics:
+  - Defense Evasion
+  tags:
+  - gatekeeper
+- name: Show mounted servers
+  description: Show all mounted servers on the desktop.
+  code: defaults read com.apple.finder "ShowMountedServersOnDesktop"
+  tactics:
+  - Discovery
+- name: Add a login item to the current user
+  description: An attacker can use defaults to add a login hook in attempt to gain persistence. This command requires root privileges.
+  code: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook gain_persistence.sh
+  tactics:
+  - Persistence
+paths:
+- /usr/bin/defaults
+detections:
+- name: No detections at time of publishing
+  url: N/A
+resources:
+- name: "macOS defaults list: Uncomplete list of macOS defaults commands with demos"
+  url: https://macos-defaults.com/
+- name: Insistence on Persistence
+  url: https://www.huntress.com/blog/insistence-on-persistence

LOOBins/ditto.yml

@@ -1,6 +1,6 @@
 name: ditto
 author: Brendan Chamberlain (@infosecB)
-short_description: Copies files and directories while preserving file attributes and permissions.
+short_description: Copy files and directories while preserving file attributes and permissions.
 full_description: ditto is a command line utility that is commonly used to copy files and directories while preserving file attributes and permissions. The tool can be used by malicious actors to collect and exfiltrate sensitive data, move laterally, and/or perform DLL hijacking or binary replacement attacks.
 created: 2023-05-04
 example_use_cases:

LOOBins/dscl.yml

@@ -1,6 +1,6 @@
 name: dscl
 author: Jonathan Bar Or (@yo_yo_yo_jbo)
-short_description: Directory Services command-line utility.
+short_description: Interact with Directory Services.
 full_description: An extensive tool for communicating with the Directory Services, useful for Discovery.
 created: 2023-04-25
 example_use_cases:

LOOBins/hdiutil.yml

@@ -1,6 +1,6 @@
 name: hdiutil
 author: Mark Morowczynsk (@markmorow)
-short_description: Uses the DiskImages framework to manipulate disk images
+short_description: Manipulate disk images using the DiskImages framework.
 full_description: hdiutil manipulates disk images such as DMG and ISO files. You can mount, unmount, create, resize and verify disk images. Including encrypted images.  
 created: 2023-05-21
 example_use_cases:
@@ -66,4 +66,3 @@ detections:
 resources:
 - name: 'Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection'
   url: https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/
-

LOOBins/last.yml

@@ -1,6 +1,6 @@
 name: last
 author: Will Huang (@In0de_16)
-short_description: Indicate last logins of users and ttys.
+short_description: Show last user logins and TTYs.
 full_description: The command shows a list of user sessions including the user name, terminal used, host name, start and stop times, and duration. It also indicates if a session is still active or was terminated unexpectedly.
 created: 2023-04-27
 example_use_cases:
@@ -35,4 +35,4 @@ detections:
   url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
 resources:
 - name: "last Man Page"
-  url: https://ss64.com/osx/last.html
+  url: https://ss64.com/osx/last.html

LOOBins/mdfind.yml

@@ -1,7 +1,7 @@
 name: mdfind
 author: Chris Campbell (@texasbe2trill)
-short_description: CommandLine alternative to Spotlight in MacOS
-full_description: Uses the CommandLine/Terminal to locate files on MacOS by searching a pre-built database.
+short_description: Locate files using the Spotlight database.
+full_description: mdfind to locate files on MacOS by searching a pre-built database. It is a command-line alternative to Spotlight in MacOS
 created: 2023-04-22
 example_use_cases:
   - name: Use mdfind to provide live updates to the number of files matching the query

LOOBins/networksetup.yml

@@ -1,7 +1,7 @@
 name: networksetup
 author: Jason Trost (@jason_trost)
-short_description: configuration tool for network settings in System Preferences.
-full_description: extensive tool for reading and setting various network configuration details useful for Discovery and Command and Control.
+short_description: Configure network settings in System Preferences.
+full_description: networksetup extensive tool for reading and setting various network configuration details useful for Discovery and Command and Control.
 created: 2023-04-22
 example_use_cases:
   - name: network device enumeration

LOOBins/nscurl.yml

@@ -1,6 +1,6 @@
 name: nscurl
 author: Leo Pitt (@_D00mfist)
-short_description: Download, upload, and read files
+short_description: Download, upload, and read files.
 full_description: macOS version of curl that is used to download files to a target without applying the quarantine extended attribute
 created: 2023-05-22
 example_use_cases:

LOOBins/osascript.yml

@@ -1,6 +1,6 @@
 name: osascript
 author: Cedric Owens (@cedowens)
-short_description: Executes AppleScripts and other OSA language scripts and commands.
+short_description: Execute AppleScripts and other OSA language scripts and commands.
 full_description: The osascript binary is a command-line utility included in macOS that allows users to run AppleScript and Open Scripting Architecture (OSA) scripts or commands. AppleScript is a scripting language that is designed for power users to automate various tasks, application actions, and to interact with the operating system.
 created: 2023-04-19
 example_use_cases:

LOOBins/softwareupdate.yml

@@ -1,6 +1,6 @@
 name: softwareupdate
 author: Jonathan Bar Or (@yo_yo_yo_jbo)
-short_description: Software update utility.
+short_description: Interact with the macOS software update service.
 full_description: A command-line utility for running software updates.
 created: 2023-04-25
 example_use_cases:

LOOBins/ssh-keygen.yml

@@ -1,6 +1,6 @@
 name: ssh-keygen
 author: Leo Pitt (@_D00mfist)
-short_description: Load unsigned dynamic libraries into the ssh-keygen binary 
+short_description: Load unsigned dynamic libraries into the ssh-keygen binary.
 full_description: ssh-keygen is a tool for creating new authentication key pairs for SSH (Secure Shell). ssh-keygen holds the "com.apple.security.cs.disable-library-validation" entitlement and is capable of loading arbitary libraries without requiring signed code.
 created: 2023-05-22
 example_use_cases:

LOOBins/tclsh.yml

@@ -1,6 +1,6 @@
 name: tclsh
 author: Brendan Chamberlain (@infosecB)
-short_description: Run Tcl files or shell commands from standard input
+short_description: Run Tcl files or shell commands from standard input.
 full_description: tclsh is a shell-like utility that runs Tcl from standard input or a file. tclsh holds the "com.apple.security.cs.disable-library-validation" entitlement and is capable of loading arbitary plug-ins, framework, and libraries without requiring signed code.
 created: 2023-05-17
 example_use_cases:

LOOBins/tmutil.yml

@@ -1,6 +1,6 @@
 name: tmutil
 author: Brendan Chamberlain (@infosecb)
-short_description: A tool for managing Time Machine backups.
+short_description: Manage Time Machine backups.
 full_description: A tool for managing Time Machine, the native macOS backup utility. 
 created: 2023-05-01
 example_use_cases:

LOOBins/xattr.yml

@@ -1,6 +1,6 @@
 name: xattr
 author: Jason Trost (@jason_trost)
-short_description: display and manipulate extended attributes
+short_description: Display and manipulate extended attributes.
 full_description: The xattr command can be used to display, modify or remove the extended attributes of one or more files, including directories and symbolic links.  Extended attributes are arbitrary metadata stored with a file, but separate from the filesystem attributes (such as modification time or file size).  The metadata is often a null-terminated UTF-8 string, but can also be arbitrary binary data.  xattr can be used to bypass Gatekeeper.
 created: 2023-04-20
 example_use_cases:

README.md

@@ -1,17 +1,31 @@
 # LOOBins
-![GitHub license](https://img.shields.io/github/license/infosecB/LOOBins)
-![LOOBin Validity](https://github.com/infosecB/LOOBins/actions/workflows/validate_loobins.yml/badge.svg)
+
+![Total LOOBins](https://img.shields.io/github/directory-file-count/infosecb/LOOBins/LOOBins?color=maroon&label=Total%20LOOBins&style=for-the-badge&type=file)
+![Build Status](https://img.shields.io/github/actions/workflow/status/infosecB/LOOBins/validate_loobins.yml?style=for-the-badge)
+![pyloobins badge](https://img.shields.io/pypi/v/pyloobins?color=blue&label=pyloobins&style=for-the-badge)
+![Help Wanted Issues Badge](https://img.shields.io/github/issues/infosecb/LOOBins/help%20wanted?style=for-the-badge)
+![License](https://img.shields.io/github/license/infosecB/LOOBins?style=for-the-badge)
 
 The LOOBins web app can be found here: [https://loobins.io](https://loobins.io)
 
-**L**iving **O**ff the **O**rchard: macOS Binaries (LOOBins) is a resource designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for nefarious purposes. The goal of this website is to serve as a one-stop resource for cybersecurity professionals and researchers attempting to understand and defend against the potential risks associated with each binary.
+## About
+
+**L**iving **O**ff the **O**rchard: macOS Binaries (LOOBins) is a resource designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes. The goal of this website is to serve as a one-stop resource for cybersecurity professionals and researchers attempting to understand and defend against the potential risks associated with each binary.
 
-This website contains a working list of "living off the land" macOS binaries that can be leveraged for malicious purposes to achieve command execution, privilege escalation, persistence, and data exfiltration. By outlining the functions and potential misuse of each binary, this resource aims to raise awareness about the growing threat landscape in the macOS ecosystem.
+This website contains a working list of "living off the land" macOS binaries that can be leveraged for malicious purposes to achieve tactics such as command execution, privilege escalation, persistence, and data exfiltration. By outlining the functions and potential misuse of each binary, this resource aims to raise awareness about the growing threat landscape in the macOS ecosystem.
 
-Each LOOBin is categorized into MITRE ATT&CK tactics and various tags, allowing viewers to easily navigate and locate information on the macOS LOOBins of interest. Additionally, the resources provides example uses of each binary, recommendations and signatures on how to best detect malicious activity, and links to other third-party resources.
+Each LOOBin is categorized into MITRE ATT&CK tactics and various tags, allowing users to easily navigate and locate information on the macOS LOOBins of interest. Additionally, the resources provides example uses of each binary, recommendations and signatures on how to best detect malicious activity, and links to other third-party resources.
 
-The content contained in each LOOBin can also be programmatically consumed. All LOOBins can be consumed using the JSON API or by using the Python SDK/CLI tool, PyLOOBins.
+The content contained in each LOOBin can also be programmatically consumed. All LOOBins can be consumed using the JSON API or by using the [Python SDK/CLI tool, PyLOOBins](https://github.com/infosecB/LOOBins/tree/main/docs/pyloobins).
 
 It's important to note that LOOBins does not include overlapping Unix binaries that are detailed in [GTFOBins](https://gtfobins.github.io) unless there are notable macOS-specific use cases (e.g. sqlite3). For more information on Unix binaries, please refer to the GTFOBins project.
 
-We are in active development and welcome contributions. Please see [our guidelines](https://github.com/infosecB/LOOBins/blob/main/CONTRIBUTING.md) if you are interesting in helping out!
+## We Need Your Help!
+LOOBins is a living project and will likely never be complete. It will require continuous updating as new binaries and/or use cases are discovered by the community. Here are a few ways you can help:
+
+- Add new LOOBin binaries
+- Update existing LOOBin binaries by adding new use cases, detection sources, resources, or by simply fixing a typo
+- Help develop and maintain the PyLOOBins Python SDK/CLI
+- Submit an issue for any problems that you are experiencing with the website or PyLOOBins SDK/CLI
+
+If you would like to contribute, please see our contribution guidelines.

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "PyLOOBins"
-version = "0.1.9"
+version = "1.0.0"
 description = "Python package for managing the LOOBins model and schema."
 authors = ["infosecB <[email protected]>"]
 readme = "docs/pyloobins/README.md"