# macOS Atomic Tests by ATT&CK Tactic & Technique

The matrix below lists, for each ATT&CK tactic, the macOS techniques in the order the ATT&CK matrix uses. Techniques marked *(contribute a test)* do not yet have an atomic test.

## Initial Access

- Drive-by Compromise (contribute a test)
- Exploit Public-Facing Application (contribute a test)
- Hardware Additions (contribute a test)
- Spearphishing Attachment
- Spearphishing Link (contribute a test)
- Spearphishing via Service (contribute a test)
- Supply Chain Compromise (contribute a test)
- Trusted Relationship (contribute a test)
- Valid Accounts (contribute a test)

## Execution

- AppleScript
- Command-Line Interface
- Exploitation for Client Execution (contribute a test)
- Graphical User Interface (contribute a test)
- Launchctl
- Local Job Scheduling
- Scripting
- Source
- Space after Filename
- Third-party Software (contribute a test)
- Trap
- User Execution (contribute a test)

## Persistence

- .bash_profile and .bashrc
- Browser Extensions
- Create Account
- Dylib Hijacking (contribute a test)
- Hidden Files and Directories
- Kernel Modules and Extensions (contribute a test)
- LC_LOAD_DYLIB Addition (contribute a test)
- Launch Agent
- Launch Daemon
- Launchctl
- Local Job Scheduling
- Login Item (contribute a test)
- Logon Scripts
- Plist Modification
- Port Knocking (contribute a test)
- Rc.common
- Re-opened Applications
- Redundant Access (contribute a test)
- Setuid and Setgid
- Startup Items
- Trap
- Valid Accounts (contribute a test)
- Web Shell

## Privilege Escalation

- Dylib Hijacking (contribute a test)
- Exploitation for Privilege Escalation (contribute a test)
- Launch Daemon
- Plist Modification
- Process Injection
- Setuid and Setgid
- Startup Items
- Sudo
- Sudo Caching
- Valid Accounts (contribute a test)
- Web Shell

## Defense Evasion

- Binary Padding
- Clear Command History
- Code Signing (contribute a test)
- Compile After Delivery (contribute a test)
- Disabling Security Tools
- Execution Guardrails (contribute a test)
- Exploitation for Defense Evasion (contribute a test)
- File Deletion
- File Permissions Modification
- Gatekeeper Bypass
- HISTCONTROL
- Hidden Files and Directories
- Hidden Users
- Hidden Window (contribute a test)
- Indicator Removal from Tools (contribute a test)
- Indicator Removal on Host
- Install Root Certificate
- LC_MAIN Hijacking (contribute a test)
- Launchctl
- Masquerading
- Obfuscated Files or Information
- Plist Modification
- Port Knocking (contribute a test)
- Process Injection
- Redundant Access (contribute a test)
- Rootkit
- Scripting
- Space after Filename
- Valid Accounts (contribute a test)
- Web Service (contribute a test)

## Credential Access

- Bash History
- Brute Force
- Credential Dumping
- Credentials in Files
- Exploitation for Credential Access (contribute a test)
- Input Capture
- Input Prompt
- Keychain
- Network Sniffing
- Private Keys
- Securityd Memory (contribute a test)
- Two-Factor Authentication Interception (contribute a test)

## Discovery

- Account Discovery
- Application Window Discovery
- Browser Bookmark Discovery
- File and Directory Discovery
- Network Service Scanning
- Network Share Discovery
- Network Sniffing
- Password Policy Discovery
- Permission Groups Discovery
- Process Discovery
- Remote System Discovery
- Security Software Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery

## Lateral Movement

- AppleScript
- Application Deployment Software (contribute a test)
- Exploitation of Remote Services (contribute a test)
- Logon Scripts
- Remote File Copy
- Remote Services (contribute a test)
- SSH Hijacking (contribute a test)
- Third-party Software (contribute a test)

## Collection

- Audio Capture
- Automated Collection
- Clipboard Data
- Data Staged
- Data from Information Repositories (contribute a test)
- Data from Local System
- Data from Network Shared Drive (contribute a test)
- Data from Removable Media (contribute a test)
- Input Capture
- Screen Capture
- Video Capture (contribute a test)

## Exfiltration

- Automated Exfiltration (contribute a test)
- Data Compressed
- Data Encrypted
- Data Transfer Size Limits
- Exfiltration Over Alternative Protocol
- Exfiltration Over Command and Control Channel (contribute a test)
- Exfiltration Over Other Network Medium (contribute a test)
- Exfiltration Over Physical Medium (contribute a test)
- Scheduled Transfer (contribute a test)

## Command and Control

- Commonly Used Port (contribute a test)
- Communication Through Removable Media (contribute a test)
- Connection Proxy
- Custom Command and Control Protocol (contribute a test)
- Custom Cryptographic Protocol (contribute a test)
- Data Encoding
- Data Obfuscation (contribute a test)
- Domain Fronting (contribute a test)
- Domain Generation Algorithms (contribute a test)
- Fallback Channels (contribute a test)
- Multi-Stage Channels (contribute a test)
- Multi-hop Proxy (contribute a test)
- Multiband Communication (contribute a test)
- Multilayer Encryption (contribute a test)
- Port Knocking (contribute a test)
- Remote Access Tools (contribute a test)
- Remote File Copy
- Standard Application Layer Protocol
- Standard Cryptographic Protocol (contribute a test)
- Standard Non-Application Layer Protocol (contribute a test)
- Uncommonly Used Port
- Web Service (contribute a test)