M#
Index#
Default macOS commands the operator runs on the target or their own Apple workstation. The full A-Z table runs across pages 155-162 of the source handbook; the highlights below cover daily tradecraft.
DFIR triage on macOS hosts. The operator chains volatility-ordered collection, malware reversing primitives, and a long list of artifact locations spanning system logs, user preferences, browsers, and mail.
Recon, credential access, persistence, and post-exploitation tradecraft for macOS. The survey block snapshots the target; Bifrost handles Kerberos abuse; Dylib hijacking and Apple Notes / FileVault / APFS cracking…
Historical OSX / macOS services and ports across all versions. The operator hits the most common Apple-specific listeners during scan triage.
Sample sources, classification corpora, and C2-framework catalogues the operator pulls open during triage. Some require accounts; several rate-limit aggressive scraping. Operators handling live samples should isolate…
Reference catalog of malware families an operator should recognize, organized by category. Each row is a family + brief notes; for full technical write-ups follow the references at the end (Mandiant family pages,…
Reference of map data, tile servers, geocoders, and imagery providers an operator builds from. The space splits into raster tile services (slippy maps), vector tile / data, satellite + aerial imagery, geocoders,…
Measurement and signature intelligence. Specialized technical collection that produces intelligence by detecting, characterizing, identifying, and tracking the distinctive features of fixed and dynamic targets.
MDXFIND runs large numbers of unsolved hashes of any type, using many algorithms concurrently, against a large number of plaintext words and rules, very quickly. Its main use is to deal with large lists (20 to 50…
Reference of medical device categories, the major manufacturers, the standards governing them, and the cyber- risk surface (legacy OS, network exposure, and the FDA / EU MDR regulatory frame). Useful for hospital…
Metasploit is the world’s most-used penetration testing framework. The operator drives modules from msfconsole, manages sessions via Meterpreter, and pivots through compromised hosts.
Micro is a modern terminal editor with familiar GUI-style keybindings (Ctrl-S to save, Ctrl-C to copy, Ctrl-V to paste). Single static binary written in Go; no…
Reference of military identifiers an operator commonly meets: NATO phonetic alphabet, time + date conventions, rank-equivalent mappings across major armed forces, organizational hierarchies, and standard map /…
Hardening and detection recipes the operator turns to when defending Windows estates against Mimikatz abuse.
Mimikatz is the leading post-exploitation tool. The operator dumps plaintext passwords, NTLM hashes, PINs, and Kerberos tickets from memory and from on-disk hives.
A reference table of country and region time-zone names and UTC offsets. The operator reaches for this when correlating logs, parsing timestamps off a remote host, or working a target whose local time matters to…
Reference of the MITRE ATT&CK matrices: tactics, key techniques, and related frameworks the operator uses to map adversary behavior. ATT&CK is the standard taxonomy for TTPs across CTI, detection engineering, red…
MsfVenom is the Metasploit standalone payload generator. It replaces msfpayload and msfencode.