Towards Extending Probabilistic Attack Graphs with Forensic Evidence : An investigation of property list files in macOS

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Olle Hovmark; Emma Schüldt; [2020]


Abstract: Cyber-attacks against all types of systems are a growing problem in society. As Mac operating systems become more common, so do attacks against them. Probabilistic attack graphs are a way to model cyber-attacks. The Meta Attack Language is a language that can be used to create domain-specific languages, which in turn can be used to model an attack on the specific domain with a probabilistic attack graph. This report investigates how the Meta Attack Language can be extended so that it could be used for creating attack graphs with forensic evidence, by focusing on attacks on Mac operating systems that have left evidence in the form of property list files. The MITRE ATT&CK matrix is a knowledge base with information about cyber-attacks. A study of the matrix was made to examine what evidence has been found from attacks on a Mac operating system and also to motivate why this report focuses on evidence in the form of property list files. A study of grey literature was then made to investigate different types of attacks that have left evidence in the form of property list files. The studies showed that there is a multitude of evidence that could be left by an attack on a Mac operating system, and that most evidence in the form of property list files was used by the adversary as a persistence mechanism. They also showed that the property list files were often placed at root level in the file system. The studies also showed that the adversary often tried to hide the files by giving them names that are common in a Mac operating system. After the studies were conducted, a list of requirements for extending the Meta Attack Language was created. This list was based on the results of the studies and included requirements that say there must be a way of expressing the name and location of the files, detection evasion methods, connections between different types of evidence or between evidence and attack steps, and more.
