| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.001 | Credentials from Password Stores: Keychain | Calisto collects Keychain storage data and copies those passwords/tokens to a file.[1][2] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac.[1] |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[1] |
| Enterprise | T1136.001 | Create Account: Local Account | Calisto has the capability to add its own account to the victim's machine.[2] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Calisto uses the |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[1][2] |
| Enterprise | T1217 | Browser Information Discovery | Calisto collects information on bookmarks from Google Chrome.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Calisto has the capability to use |
| Enterprise | T1569.001 | System Services: Launchctl | Calisto uses launchctl to enable screen sharing on the victim’s machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Calisto runs the |
| Enterprise | T1098 | Account Manipulation | |
| Enterprise | T1105 | Ingress Tool Transfer | Calisto has the capability to upload and download files to the victim's machine.[2] |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Calisto presents an input prompt asking for the user's login and password.[2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[1][2] |