Skip to content

Latest commit

 

History

History
65 lines (65 loc) · 25.5 KB

macos-matrix.md

File metadata and controls

65 lines (65 loc) · 25.5 KB

macOS Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Compromise Hardware Supply Chain CONTRIBUTE A TEST AppleScript .bash_profile and .bashrc .bash_profile and .bashrc Abuse Elevation Control Mechanism CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Exploitation of Remote Services CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Automated Exfiltration CONTRIBUTE A TEST Application Layer Protocol CONTRIBUTE A TEST Account Access Removal CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Account Manipulation CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Binary Padding Bash History Application Window Discovery CONTRIBUTE A TEST Internal Spearphishing CONTRIBUTE A TEST Archive Collected Data CONTRIBUTE A TEST Data Transfer Size Limits Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Cron Boot or Logon Autostart Execution CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Clear Command History Brute Force CONTRIBUTE A TEST Browser Bookmark Discovery Lateral Tool Transfer CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Exfiltration Over Alternative Protocol Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Default Accounts CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Clear Linux or Mac System Logs Credential Stuffing CONTRIBUTE A TEST Domain Account CONTRIBUTE A TEST Remote Service Session Hijacking CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Commonly Used Port CONTRIBUTE A TEST Data Destruction
Domain Accounts CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST Browser Extensions Create or Modify System Process CONTRIBUTE A TEST Code Signing CONTRIBUTE A TEST Credentials In Files Domain Groups CONTRIBUTE A TEST Remote Services CONTRIBUTE A TEST Archive via Utility Exfiltration Over Bluetooth CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Encrypted for Impact CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST JavaScript/JScript CONTRIBUTE A TEST Compromise Client Software Binary CONTRIBUTE A TEST Cron Compile After Delivery CONTRIBUTE A TEST Credentials from Password Stores CONTRIBUTE A TEST File and Directory Discovery SSH CONTRIBUTE A TEST Audio Capture CONTRIBUTE A TEST Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Launchctl Create Account CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Credentials from Web Browsers Local Account SSH Hijacking CONTRIBUTE A TEST Automated Collection CONTRIBUTE A TEST Exfiltration Over Other Network Medium CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Launchd Create or Modify System Process CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Deobfuscate/Decode Files or Information CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Local Groups Software Deployment Tools CONTRIBUTE A TEST Clipboard Data Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Malicious File CONTRIBUTE A TEST Cron Dylib Hijacking CONTRIBUTE A TEST Disable or Modify System Firewall CONTRIBUTE A TEST GUI Input Capture Network Service Scanning VNC CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Disable or Modify Tools Input Capture CONTRIBUTE A TEST Network Share Discovery Data from Information Repositories CONTRIBUTE A TEST Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Dead Drop Resolver CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST Native API CONTRIBUTE A TEST Domain Account CONTRIBUTE A TEST Emond Domain Accounts CONTRIBUTE A TEST Keychain Network Sniffing Data from Local System CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Python CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Keylogging CONTRIBUTE A TEST Password Policy Discovery Data from Network Shared Drive CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Man-in-the-Middle CONTRIBUTE A TEST Peripheral Device Discovery CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Scripting CONTRIBUTE A TEST Emond Hijack Execution Flow CONTRIBUTE A TEST Environmental Keying CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST Permission Groups Discovery CONTRIBUTE A TEST GUI Input Capture Exfiltration to Code Repository CONTRIBUTE A TEST Encrypted Channel CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Software Deployment Tools CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Kernel Modules and Extensions CONTRIBUTE A TEST Execution Guardrails CONTRIBUTE A TEST Network Sniffing Process Discovery Input Capture CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Inhibit System Recovery CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Source CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Exploitation for Defense Evasion CONTRIBUTE A TEST OS Credential Dumping CONTRIBUTE A TEST Remote System Discovery Keylogging CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Internal Defacement CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST Kernel Modules and Extensions CONTRIBUTE A TEST Launch Agent File Deletion Password Cracking CONTRIBUTE A TEST Security Software Discovery Local Data Staging Fast Flux DNS CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Unix Shell LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Launch Daemon File and Directory Permissions Modification CONTRIBUTE A TEST Password Guessing CONTRIBUTE A TEST Software Discovery Man-in-the-Middle CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
User Execution CONTRIBUTE A TEST Launch Agent Launchd Gatekeeper Bypass Password Spraying CONTRIBUTE A TEST System Checks Remote Data Staging CONTRIBUTE A TEST Ingress Tool Transfer Reflection Amplification CONTRIBUTE A TEST
Visual Basic CONTRIBUTE A TEST Launch Daemon Local Accounts CONTRIBUTE A TEST Hidden File System CONTRIBUTE A TEST Pluggable Authentication Modules CONTRIBUTE A TEST System Information Discovery Screen Capture Internal Proxy Resource Hijacking
Launchd Logon Script (Mac) Hidden Files and Directories Private Keys System Network Configuration Discovery Video Capture CONTRIBUTE A TEST Junk Data CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Local Account Plist Modification Hidden Users Securityd Memory CONTRIBUTE A TEST System Network Connections Discovery Web Portal Capture CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Process Injection CONTRIBUTE A TEST Hidden Window CONTRIBUTE A TEST Steal Web Session Cookie CONTRIBUTE A TEST System Owner/User Discovery Multi-Stage Channels CONTRIBUTE A TEST Service Stop CONTRIBUTE A TEST
Logon Script (Mac) Rc.common Hide Artifacts CONTRIBUTE A TEST Two-Factor Authentication Interception CONTRIBUTE A TEST Time Based Evasion CONTRIBUTE A TEST Multi-hop Proxy CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Plist Modification Re-opened Applications Hijack Execution Flow CONTRIBUTE A TEST Unsecured Credentials CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST System Shutdown/Reboot
Port Knocking CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Impair Command History Logging Web Portal Capture CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST Non-Application Layer Protocol CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Rc.common Setuid and Setgid Impair Defenses CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST
Re-opened Applications Startup Items Indicator Blocking CONTRIBUTE A TEST Non-Standard Port
Redundant Access CONTRIBUTE A TEST Sudo and Sudo Caching Indicator Removal from Tools CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST
SSH Authorized Keys Trap Indicator Removal on Host CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Scheduled Task/Job CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Install Root Certificate Protocol Impersonation CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Invalid Code Signature CONTRIBUTE A TEST Protocol Tunneling CONTRIBUTE A TEST
Startup Items LC_MAIN Hijacking CONTRIBUTE A TEST Proxy CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST Linux and Mac File and Directory Permissions Modification Remote Access Software CONTRIBUTE A TEST
Trap Local Accounts CONTRIBUTE A TEST Standard Encoding
Valid Accounts CONTRIBUTE A TEST Masquerading CONTRIBUTE A TEST Steganography CONTRIBUTE A TEST
Web Shell CONTRIBUTE A TEST Match Legitimate Name or Location CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST
Modify Authentication Process CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST
Obfuscated Files or Information Web Protocols
Pluggable Authentication Modules CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Port Knocking CONTRIBUTE A TEST
Process Injection CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST
Rename System Utilities CONTRIBUTE A TEST
Right-to-Left Override CONTRIBUTE A TEST
Rootkit CONTRIBUTE A TEST
Run Virtual Instance CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Setuid and Setgid
Software Packing
Space after Filename
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Sudo and Sudo Caching
System Checks
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Traffic Signaling CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
VBA Stomping CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST