
Enterprise Matrix - macOS

The matrix below includes techniques spanning the macOS platform. The full Enterprise ATT&CK matrix along with the matrices for Windows and Linux are also available for navigation.

Last Modified: 2018-12-05T17:37:12.426Z
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|---|
| Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | Bash History | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Exploit Public-Facing Application | Command-Line Interface | Browser Extensions | Exploitation for Privilege Escalation | Clear Command History | Brute Force | Application Window Discovery | Application Deployment Software | Automated Collection | Data Compressed | Communication Through Removable Media |
| Hardware Additions | Exploitation for Client Execution | Create Account | Launch Daemon | Code Signing | Credential Dumping | Browser Bookmark Discovery | Exploitation of Remote Services | Clipboard Data | Data Encrypted | Connection Proxy |
| Spearphishing Attachment | Graphical User Interface | Dylib Hijacking | Plist Modification | Disabling Security Tools | Credentials in Files | File and Directory Discovery | Logon Scripts | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Spearphishing Link | Launchctl | Hidden Files and Directories | Process Injection | Exploitation for Defense Evasion | Exploitation for Credential Access | Network Service Scanning | Remote File Copy | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Spearphishing via Service | Local Job Scheduling | Kernel Modules and Extensions | Setuid and Setgid | File Deletion | Input Capture | Network Share Discovery | Remote Services | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| Supply Chain Compromise | Scripting | LC_LOAD_DYLIB Addition | Startup Items | File Permissions Modification | Input Prompt | Network Sniffing | SSH Hijacking | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| Trusted Relationship | Source | Launch Agent | Sudo Caching | Gatekeeper Bypass | Keychain | Password Policy Discovery | Third-party Software | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Valid Accounts | Space after Filename | Launch Daemon | Sudo | HISTCONTROL | Network Sniffing | Permission Groups Discovery | | Input Capture | Scheduled Transfer | Fallback Channels |
| | Third-party Software | Launchctl | Valid Accounts | Hidden Files and Directories | Private Keys | Process Discovery | | Screen Capture | | Multi-Stage Channels |
| | Trap | Local Job Scheduling | Web Shell | Hidden Users | Securityd Memory | Remote System Discovery | | Video Capture | | Multi-hop Proxy |
| | User Execution | Login Item | | Hidden Window | Two-Factor Authentication Interception | Security Software Discovery | | | | Multiband Communication |
| | | Logon Scripts | | Indicator Removal from Tools | | System Information Discovery | | | | Multilayer Encryption |
| | | Plist Modification | | Indicator Removal on Host | | System Network Configuration Discovery | | | | Port Knocking |
| | | Port Knocking | | Install Root Certificate | | System Network Connections Discovery | | | | Remote Access Tools |
| | | Rc.common | | LC_MAIN Hijacking | | System Owner/User Discovery | | | | Remote File Copy |
| | | Re-opened Applications | | Launchctl | | | | | | Standard Application Layer Protocol |
| | | Redundant Access | | Masquerading | | | | | | Standard Cryptographic Protocol |
| | | Setuid and Setgid | | Obfuscated Files or Information | | | | | | Standard Non-Application Layer Protocol |
| | | Startup Items | | Plist Modification | | | | | | Uncommonly Used Port |
| | | Trap | | Port Knocking | | | | | | Web Service |
| | | Valid Accounts | | Process Injection | | | | | | |
| | | Web Shell | | Redundant Access | | | | | | |
| | | | | Rootkit | | | | | | |
| | | | | Scripting | | | | | | |
| | | | | Space after Filename | | | | | | |
| | | | | Valid Accounts | | | | | | |
| | | | | Web Service | | | | | | |