
S0279 Proton

Proton is a macOS backdoor focusing on data theft and credential access. [1]

ID: S0279
Associated Names: (none listed)
Version: 1.2
Created: 17 October 2018
Last Modified: 22 January 2021

Techniques Used

All entries below are in the enterprise domain. Sub-techniques are indented under their parent technique, and the text after the colon describes how Proton uses each technique.

T1548 Abuse Elevation Control Mechanism
    T1548.003 Sudo and Sudo Caching: Proton modifies the tty_tickets line in the sudoers file. [1]
T1560 Archive Collected Data: Proton zips up files before exfiltrating them. [1]
T1059 Command and Scripting Interpreter
    T1059.004 Unix Shell: Proton uses macOS' .command file type to script actions. [1]
T1543 Create or Modify System Process
    T1543.001 Launch Agent: Proton persists via Launch Agent. [1]
T1555 Credentials from Password Stores
    T1555.001 Keychain: Proton gathers credentials in files for keychains. [1]
    T1555.003 Credentials from Web Browsers: Proton gathers credentials for Google Chrome. [1]
    T1555.005 Password Managers: Proton gathers credentials in files for 1Password. [1]
T1140 Deobfuscate/Decode Files or Information: Proton uses an encrypted file to store commands and configuration values. [1]
T1562 Impair Defenses
    T1562.001 Disable or Modify Tools: Proton kills security tools like Wireshark that are running. [1]
T1070 Indicator Removal
    T1070.002 Clear Linux or Mac System Logs: Proton removes logs from /var/logs and /Library/logs. [1]
    T1070.004 File Deletion: Proton removes all files in the /tmp directory. [1]
T1056 Input Capture
    T1056.001 Keylogging: Proton uses a keylogger to capture keystrokes. [1]
    T1056.002 GUI Input Capture: Proton prompts users for their credentials. [1]
T1021 Remote Services
    T1021.005 VNC: Proton uses VNC to connect into systems. [1]
T1113 Screen Capture: Proton captures the content of the desktop with the screencapture binary. [1]