Queries the hardware information (I/O Kit registry).

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Queries the macOS version information.

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Modify File

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.

Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.

Timestomp

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Event Triggered Execution: Component Object Model Hijacking

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE

Checks installed software on the system

Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object

BHOs are DLL modules which act as plugins for Internet Explorer.

Drops file in System32 directory