I am excited to announce the release of Living Off the Orchard: macOS Binaries (LOOBins). LOOBins is a new “living off the land” open-source project that aims to help defensive, offensive, and research cybersecurity professionals understand how various macOS binaries could be used for malicious purposes.
After taking advantage of the valuable information included in the LOLBAS and GTFOBins projects, I couldn't help but wonder, "does something like this exist for macOS?" I posed the question on Twitter and received a symphony of crickets.
LOOBins is a library of macOS binaries that can be used for "living off the land" techniques. The list consists of binaries that ship with macOS and excludes binaries already detailed in GTFOBins, with a few special exceptions (e.g., sqlite3). Each LOOBin is categorized by MITRE ATT&CK tactic and tagged, allowing viewers to easily navigate to and locate information on the macOS LOOBins of interest. Additionally, the resource provides example uses of each binary, recommendations and signatures for detecting malicious activity, and links to other third-party resources.
We need your help! LOOBins is a living project and will likely never be complete. It will require continuous updating as new binaries and/or use cases are discovered by the community. Here are a few ways you can help: