Enterprise Matrix - macOS

The matrix below includes techniques spanning the macOS platform. The full Enterprise ATT&CK matrix along with the matrices for Windows and Linux are also available for navigation.

Last Modified: 2018-12-05T17:37:12.426Z

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Drive-by Compromise	AppleScript	.bash_profile and .bashrc	Dylib Hijacking	Binary Padding	Bash History	Account Discovery	AppleScript	Audio Capture	Automated Exfiltration	Commonly Used Port
Exploit Public-Facing Application	Command-Line Interface	Browser Extensions	Exploitation for Privilege Escalation	Clear Command History	Brute Force	Application Window Discovery	Application Deployment Software	Automated Collection	Data Compressed	Communication Through Removable Media
Hardware Additions	Exploitation for Client Execution	Create Account	Launch Daemon	Code Signing	Credential Dumping	Browser Bookmark Discovery	Exploitation of Remote Services	Clipboard Data	Data Encrypted	Connection Proxy
Spearphishing Attachment	Graphical User Interface	Dylib Hijacking	Plist Modification	Disabling Security Tools	Credentials in Files	File and Directory Discovery	Logon Scripts	Data Staged	Data Transfer Size Limits	Custom Command and Control Protocol
Spearphishing Link	Launchctl	Hidden Files and Directories	Process Injection	Exploitation for Defense Evasion	Exploitation for Credential Access	Network Service Scanning	Remote File Copy	Data from Information Repositories	Exfiltration Over Alternative Protocol	Custom Cryptographic Protocol
Spearphishing via Service	Local Job Scheduling	Kernel Modules and Extensions	Setuid and Setgid	File Deletion	Input Capture	Network Share Discovery	Remote Services	Data from Local System	Exfiltration Over Command and Control Channel	Data Encoding
Supply Chain Compromise	Scripting	LC_LOAD_DYLIB Addition	Startup Items	File Permissions Modification	Input Prompt	Network Sniffing	SSH Hijacking	Data from Network Shared Drive	Exfiltration Over Other Network Medium	Data Obfuscation
Trusted Relationship	Source	Launch Agent	Sudo Caching	Gatekeeper Bypass	Keychain	Password Policy Discovery	Third-party Software	Data from Removable Media	Exfiltration Over Physical Medium	Domain Fronting
Valid Accounts	Space after Filename	Launch Daemon	Sudo	HISTCONTROL	Network Sniffing	Permission Groups Discovery		Input Capture	Scheduled Transfer	Fallback Channels
	Third-party Software	Launchctl	Valid Accounts	Hidden Files and Directories	Private Keys	Process Discovery		Screen Capture		Multi-Stage Channels
	Trap	Local Job Scheduling	Web Shell	Hidden Users	Securityd Memory	Remote System Discovery		Video Capture		Multi-hop Proxy
	User Execution	Login Item		Hidden Window	Two-Factor Authentication Interception	Security Software Discovery				Multiband Communication
		Logon Scripts		Indicator Removal from Tools		System Information Discovery				Multilayer Encryption
		Plist Modification		Indicator Removal on Host		System Network Configuration Discovery				Port Knocking
		Port Knocking		Install Root Certificate		System Network Connections Discovery				Remote Access Tools
		Rc.common		LC_MAIN Hijacking		System Owner/User Discovery				Remote File Copy
		Re-opened Applications		Launchctl						Standard Application Layer Protocol
		Redundant Access		Masquerading						Standard Cryptographic Protocol
		Setuid and Setgid		Obfuscated Files or Information						Standard Non-Application Layer Protocol
		Startup Items		Plist Modification						Uncommonly Used Port
		Trap		Port Knocking						Web Service
		Valid Accounts		Process Injection
		Web Shell		Redundant Access
				Rootkit
				Scripting
				Space after Filename
				Valid Accounts
				Web Service