S0279: Proton
Analyst context for executives and security teams
Proton is a macOS backdoor described by ATT&CK as focused on data theft and credential access. Its mapped behaviors make it more than a generic “Mac malware” case: credential harvesting from the Keychain, Chrome and 1Password, keylogging and fake GUI credential prompts, persistence through a Launch Agent, sudo caching abuse via the sudoers tty_tickets setting, shell execution, screen capture, archiving of collected data, VNC remote control, deletion of files and logs, and killing of security tools such as Wireshark. For leaders, the decision point is whether macOS endpoints are covered with the same identity, logging, and response rigor as Windows systems.
Executive priority
Prioritize Proton as a test case for macOS security readiness: endpoint visibility, credential-store protection, remote-access governance, and incident response evidence preservation. The business risk is concentrated around theft of user credentials and sensitive data from macOS workstations, which can affect identity security, executive/user privacy, audit evidence, and continuity of investigations if logs or tools are impaired.
Technical view
SOC and IR teams should validate macOS coverage for the ATT&CK relationships supplied: Launch Agent persistence, Unix shell execution, sudo/sudo caching activity, Keychain/browser/password-manager access, keylogging or GUI credential prompts, screen capture, archive creation, VNC/RFB remote access, file deletion, and clearing Linux or Mac system logs. Because ATT&CK provides no official detection text for Proton, detection engineering should be behavior-led rather than signature-led and should map detections to the related techniques.
Likely telemetry
- macOS endpoint process execution, including shell activity and parent/child process context
- Launch Agent plist creation or modification in system and user LaunchAgents paths
- Authentication and privilege elevation evidence, including sudo usage where collected
- File system telemetry for credential stores, browser credential files, password-manager vault files, archives, and unusual deletion activity
- macOS system logs under /var/log/ and evidence of log clearing or tampering
Detection direction
- Build behavior-based detections around the mapped techniques rather than relying on a Proton-specific detection, since official detection is not provided.
- Tune Launch Agent detections to distinguish expected enterprise management agents from new, user-writable, or unusual plist-based persistence.
- Correlate credential-access signals: Keychain, browser credential files, password-manager access, keylogging-like behavior, and GUI prompts are higher confidence when paired with suspicious shell execution or persistence.
- Review VNC detections against approved remote-support workflows to reduce false positives while still alerting on unauthorized or unexpected remote-control sessions.
- Monitor for evidence destruction: file deletion, archive staging, and clearing of Linux or Mac system logs can reduce IR visibility and should trigger preservation actions.
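The behavior-led correlation described in the detection direction above, as an added example that is not code from ATT&CK, Glexia, or the referenced analysis. It classifies constructed macOS endpoint events against the technique IDs mapped to Proton and escalates a host when credential access co-occurs with persistence or sudoers tampering. The event schema, the trusted-process and approved-VNC lists, and every sample event are assumptions to be tuned to the fleet.

```python
"""Behavior-led correlation of macOS endpoint events against the techniques
mapped to Proton. Added example, not code from ATT&CK or the referenced report.
The event schema, trusted-process list and sample events are constructed."""
from collections import defaultdict

# Processes expected to write persistence or read credential stores (assumed list).
TRUSTED = {"jamf", "installer", "launchd", "securityd", "Google Chrome", "1Password"}
SHELLS = {"sh", "bash", "zsh"}
APPROVED_VNC = {"Screen Sharing", "screensharingd", "ARDAgent"}  # assumed support tooling

# ATT&CK tactic for each technique the rules can emit.
TACTIC = {
    "T1543.001": "persistence", "T1548.003": "privilege-escalation",
    "T1555.001": "credential-access", "T1555.003": "credential-access",
    "T1555.005": "credential-access", "T1113": "collection", "T1560": "collection",
    "T1070.002": "defense-evasion", "T1070.004": "defense-evasion",
    "T1562.001": "defense-evasion", "T1021.005": "lateral-movement",
}

def classify(ev):
    """Map one event to the technique it resembles, or None when it looks benign."""
    t, proc, path = ev["type"], ev.get("proc", ""), ev.get("path", "")
    if t == "file_write":
        if "/LaunchAgents/" in path and proc not in TRUSTED:
            return "T1543.001"
        if path.startswith("/etc/sudoers") and "!tty_tickets" in ev.get("content", ""):
            return "T1548.003"
    elif t == "file_read" and proc not in TRUSTED:
        if "/Library/Keychains/" in path:
            return "T1555.001"
        if "/Google/Chrome/" in path and path.endswith("Login Data"):
            return "T1555.003"
        if "1Password" in path:
            return "T1555.005"
    elif t == "exec":
        if proc == "screencapture" and ev.get("parent") in SHELLS:
            return "T1113"
        if proc in {"zip", "ditto"} and ev.get("parent") in SHELLS:
            return "T1560"
        if proc in {"kill", "killall", "pkill"} and "Wireshark" in ev.get("args", ""):
            return "T1562.001"
    elif t == "file_delete":
        if path.startswith(("/tmp/", "/private/tmp/")):
            return "T1070.004"
        if path.startswith(("/var/log/", "/private/var/log/")):
            return "T1070.002"
    elif t == "network" and ev.get("dport") in {5900, 5901} and proc not in APPROVED_VNC:
        return "T1021.005"
    return None

def correlate(events):
    """Group hits per host; escalate when credential access pairs with
    persistence or sudo tampering, the combination the page calls higher confidence."""
    hits = defaultdict(set)
    for ev in events:
        tid = classify(ev)
        if tid:
            hits[ev["host"]].add(tid)
    findings = {}
    for host, tids in hits.items():
        tactics = {TACTIC[t] for t in tids}
        if "credential-access" in tactics and tactics & {"persistence", "privilege-escalation"}:
            sev = "high"
        elif len(tactics) >= 2:
            sev = "medium"
        else:
            sev = "low"
        findings[host] = {"techniques": sorted(tids), "tactics": sorted(tactics), "severity": sev}
    return findings

# Constructed sample events: one host with a Proton-like chain, one with admin noise.
EVENTS = [
    {"host": "mbp-01", "type": "file_write", "proc": "sh",
     "path": "/Users/alice/Library/LaunchAgents/com.apple.updater.plist"},
    {"host": "mbp-01", "type": "file_write", "proc": "sh", "path": "/etc/sudoers",
     "content": "Defaults !tty_tickets"},
    {"host": "mbp-01", "type": "file_read", "proc": "sh",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"host": "mbp-01", "type": "file_read", "proc": "sh",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"host": "mbp-01", "type": "exec", "proc": "screencapture", "parent": "sh"},
    {"host": "mbp-01", "type": "exec", "proc": "zip", "parent": "sh"},
    {"host": "mbp-01", "type": "exec", "proc": "killall", "args": "Wireshark"},
    {"host": "mbp-01", "type": "file_delete", "proc": "rm", "path": "/var/log/system.log"},
    {"host": "mbp-01", "type": "network", "proc": "sh", "dport": 5900},
    {"host": "mbp-02", "type": "file_write", "proc": "jamf",
     "path": "/Library/LaunchAgents/com.jamfsoftware.jamf.agent.plist"},
    {"host": "mbp-02", "type": "exec", "proc": "screencapture", "parent": "Terminal"},
    {"host": "mbp-02", "type": "network", "proc": "Screen Sharing", "dport": 5900},
]

if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        print(host, f["severity"], ", ".join(f["techniques"]))
```

Only mbp-01 produces a finding: nine techniques across six tactics, rated high. The management agent's plist write, a screenshot taken from Terminal and an approved Screen Sharing connection on mbp-02 are suppressed by the allow-lists, which is the tuning step the Launch Agent and VNC bullets call for.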
Mitigation priorities
- Establish baseline macOS endpoint monitoring and response coverage before focusing on malware-family-specific rules.
- Harden identity and credential storage exposure: restrict unnecessary password storage, protect Keychain access, and govern password-manager use with enterprise policy.
- Control remote access by inventorying and limiting VNC use to approved systems and accounts.
- Restrict persistence and privilege escalation paths by monitoring LaunchAgents and sudo configuration or usage.
- Protect logging and security tooling from tampering, and ensure logs are centrally retained where feasible for incident reconstruction.
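A static check for two of the mitigation priorities above, persistence via Launch Agents and the sudo caching path, as an added example that is not code from ATT&CK, Glexia, or the referenced analysis. It flags a sudoers file that disables tty_tickets (sudo's default is on; with it off, a cached sudo timestamp from one terminal is honoured from any other) and scores a Launch Agent plist for traits that separate ad hoc persistence from an enterprise management agent. The sudoers text, plist contents and paths are constructed inputs.

```python
"""Static audit of sudoers tty_tickets and Launch Agent plists. Added example,
not code from ATT&CK or the referenced report; all inputs are constructed."""
import plistlib
import re

USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def tty_tickets_disabled(sudoers_text):
    """True if an uncommented Defaults line (any Defaults:user / Defaults@host
    form) carries !tty_tickets, the setting T1548.003 depends on."""
    for line in sudoers_text.splitlines():
        code = line.split("#", 1)[0].strip()
        m = re.match(r"Defaults\S*\s+(.+)", code)
        if not m:
            continue
        options = [o.strip() for o in m.group(1).split(",")]
        if "!tty_tickets" in options:
            return True
    return False

def audit_launch_agent(plist_bytes, plist_path):
    """Return the reasons a Launch Agent looks like Proton-style persistence;
    an empty list means nothing was flagged."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    reasons = []
    if not args:
        return ["no Program or ProgramArguments"]
    exe = args[0]
    if exe.startswith(USER_WRITABLE):
        reasons.append(f"program in user-writable path: {exe}")
    if any(a.endswith(".command") for a in args):
        reasons.append("runs a .command script (T1059.004 style)")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunched if killed")
    if p.get("Label", "").startswith("com.apple.") and not plist_path.startswith("/System/"):
        reasons.append(f"Apple-looking label outside /System: {p['Label']}")
    return reasons

# Constructed samples: a weakened sudoers, a hardened one, a suspect agent, an MDM agent.
SUDOERS_WEAK = ("Defaults env_reset\n"
                "Defaults:alice !tty_tickets, timestamp_timeout=30\n"
                "%admin ALL=(ALL) ALL\n")
SUDOERS_OK = ("Defaults env_reset\n"
              "Defaults tty_tickets  # explicit default\n"
              "%admin ALL=(ALL) ALL\n")

SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.updater",
    "ProgramArguments": ["/Users/alice/Library/.cache/update.command"],
    "RunAtLoad": True, "KeepAlive": True,
})
SUSPECT_PATH = "/Users/alice/Library/LaunchAgents/com.apple.updater.plist"

MDM_PLIST = plistlib.dumps({
    "Label": "com.jamfsoftware.jamf.agent",
    "ProgramArguments": ["/usr/local/jamf/bin/jamfAgent"],
    "RunAtLoad": True,
})
MDM_PATH = "/Library/LaunchAgents/com.jamfsoftware.jamf.agent.plist"

if __name__ == "__main__":
    print("weak sudoers:", tty_tickets_disabled(SUDOERS_WEAK))
    print("hardened sudoers:", tty_tickets_disabled(SUDOERS_OK))
    print("suspect agent:", audit_launch_agent(SUSPECT_PLIST, SUSPECT_PATH))
    print("mdm agent:", audit_launch_agent(MDM_PLIST, MDM_PATH))
```

The suspect plist trips all four checks while the management agent trips none; in a real sweep the same functions would be run over /etc/sudoers, /etc/sudoers.d and every LaunchAgents directory, with the user-writable prefixes and label rule adjusted to the organisation's own agents.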
Analyst notes and limits
The ATT&CK object is a malware entry for Proton, a macOS backdoor, with no tactics listed directly on the object and no official detection guidance. Practical defensive value comes from the supplied technique relationships, especially credential access, collection, persistence, privilege escalation, lateral movement via VNC, and defense impairment behaviors.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, attribution, prevalence, specific indicators, or guaranteed detection. Local environment baselines are required to determine which macOS behaviors are suspicious versus normal administration.
Proton
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Proton prompts users for their credentials. [1] |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | Proton persists via Launch Agent. [1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Proton removes all files in the /tmp directory. [1] |
| Enterprise | T1021.005 | Remote Services: VNC | Proton uses VNC to connect into systems. [1] |
| Enterprise | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Proton modifies the tty_tickets line in the sudoers file. [1] |
| Enterprise | T1555.001 | Credentials from Password Stores: Keychain | Proton gathers credentials in files for keychains. [1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Proton kills security tools like Wireshark that are running. [1] |
| Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | Proton removes logs from |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Proton uses an encrypted file to store commands and configuration values. [1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Proton gathers credentials for Google Chrome. [1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Proton uses a keylogger to capture keystrokes. [1] |
| Enterprise | T1555.005 | Credentials from Password Stores: Password Managers | Proton gathers credentials in files for 1Password. [1] |
| Enterprise | T1113 | Screen Capture | Proton captures the content of the desktop with the screencapture binary. [1] |
| Enterprise | T1560 | Archive Collected Data | Proton zips up files before exfiltrating them. [1] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Proton uses macOS' .command file type to script actions. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 90bfb789b098… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] objsee mac malware 2017: Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- [2] mitre-attack: S0279, the MITRE ATT&CK software entry for Proton.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.