MATRICES
Enterprise
Cloud
Mobile
  1. Home
  2. Matrices
  3. macOS

macOS Matrix

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise. The Matrix contains information for the macOS platform.

View on the ATT&CK® Navigator
About the Enterprise domain
Version Permalink
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
7 techniques 7 techniques 13 techniques 10 techniques 18 techniques 11 techniques 18 techniques 6 techniques 13 techniques 16 techniques 8 techniques 13 techniques
Drive-by Compromise
Exploit Public-Facing Application
Hardware Additions
Phishing (3)
=
Supply Chain Compromise (3)
=
Trusted Relationship
Valid Accounts (3)
=
Command and Scripting Interpreter (5)
=
Exploitation for Client Execution
Native API
Scheduled Task/Job (2)
=
Software Deployment Tools
System Services (1)
=
User Execution (2)
=
Account Manipulation (1)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
=
Browser Extensions
Compromise Client Software Binary
Create Account (2)
=
Create or Modify System Process (2)
=
Event Triggered Execution (4)
=
Hijack Execution Flow (1)
=
Scheduled Task/Job (2)
=
Server Software Component (1)
=
Traffic Signaling (1)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
=
Create or Modify System Process (2)
=
Event Triggered Execution (4)
=
Exploitation for Privilege Escalation
Hijack Execution Flow (1)
=
Process Injection
Scheduled Task/Job (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
=
Deobfuscate/Decode Files or Information
Execution Guardrails (1)
=
Exploitation for Defense Evasion
File and Directory Permissions Modification (1)
=
Hide Artifacts (6)
=
Hijack Execution Flow (1)
=
Impair Defenses (4)
=
Indicator Removal on Host (4)
=
Masquerading (5)
=
Modify Authentication Process (1)
=
Obfuscated Files or Information (5)
=
Process Injection
Rootkit
Subvert Trust Controls (3)
=
Traffic Signaling (1)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
=
Brute Force (4)
=
Credentials from Password Stores (3)
=
Exploitation for Credential Access
Input Capture (3)
=
Man-in-the-Middle (1)
=
Modify Authentication Process (1)
=
Network Sniffing
OS Credential Dumping
Steal Web Session Cookie
Two-Factor Authentication Interception
Unsecured Credentials (3)
=
Account Discovery (2)
=
Application Window Discovery
Browser Bookmark Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery (2)
=
Process Discovery
Remote System Discovery
Software Discovery (1)
=
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
Virtualization/Sandbox Evasion (3)
=
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking (1)
=
Remote Services (2)
=
Software Deployment Tools
Archive Collected Data (3)
=
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged (2)
=
Input Capture (3)
=
Man-in-the-Middle (1)
=
Screen Capture
Video Capture
Application Layer Protocol (4)
=
Communication Through Removable Media
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
=
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Proxy (4)
=
Remote Access Software
Traffic Signaling (1)
=
Web Service (3)
=
Automated Exfiltration
Data Transfer Size Limits
Exfiltration Over Alternative Protocol (3)
=
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (2)
=
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Endpoint Denial of Service (4)
=
Firmware Corruption
Inhibit System Recovery
Network Denial of Service (2)
=
Resource Hijacking
Service Stop
System Shutdown/Reboot
Last modified: 27 October 2020
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
7 techniques 7 techniques 13 techniques 10 techniques 18 techniques 11 techniques 18 techniques 6 techniques 13 techniques 16 techniques 8 techniques 13 techniques
Drive-by Compromise
Exploit Public-Facing Application
Hardware Additions
=
Phishing (3)
=
Supply Chain Compromise (3)
Trusted Relationship
=
Valid Accounts (3)
=
Command and Scripting Interpreter (5)
Exploitation for Client Execution
Native API
=
Scheduled Task/Job (2)
Software Deployment Tools
=
System Services (1)
=
User Execution (2)
=
Account Manipulation (1)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
Browser Extensions
Compromise Client Software Binary
=
Create Account (2)
=
Create or Modify System Process (2)
=
Event Triggered Execution (4)
=
Hijack Execution Flow (1)
=
Scheduled Task/Job (2)
=
Server Software Component (1)
=
Traffic Signaling (1)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
=
Create or Modify System Process (2)
=
Event Triggered Execution (4)
Exploitation for Privilege Escalation
=
Hijack Execution Flow (1)
Process Injection
=
Scheduled Task/Job (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
Deobfuscate/Decode Files or Information
=
Execution Guardrails (1)
Exploitation for Defense Evasion
=
File and Directory Permissions Modification (1)
=
Hide Artifacts (6)
=
Hijack Execution Flow (1)
=
Impair Defenses (4)
=
Indicator Removal on Host (4)
=
Masquerading (5)
=
Modify Authentication Process (1)
=
Obfuscated Files or Information (5)
Process Injection
Rootkit
=
Subvert Trust Controls (3)
=
Traffic Signaling (1)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
=
Brute Force (4)
=
Credentials from Password Stores (3)
Exploitation for Credential Access
=
Input Capture (3)
=
Man-in-the-Middle (1)
=
Modify Authentication Process (1)
Network Sniffing
OS Credential Dumping
Steal Web Session Cookie
Two-Factor Authentication Interception
=
Unsecured Credentials (3)
=
Account Discovery (2)
Application Window Discovery
Browser Bookmark Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
=
Permission Groups Discovery (2)
Process Discovery
Remote System Discovery
=
Software Discovery (1)
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
=
Virtualization/Sandbox Evasion (3)
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
=
Remote Service Session Hijacking (1)
=
Remote Services (2)
Software Deployment Tools
=
Archive Collected Data (3)
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
=
Data Staged (2)
=
Input Capture (3)
=
Man-in-the-Middle (1)
Screen Capture
Video Capture
=
Application Layer Protocol (4)
Communication Through Removable Media
=
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
=
Proxy (4)
Remote Access Software
=
Traffic Signaling (1)
=
Web Service (3)
Automated Exfiltration
Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (2)
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
=
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Endpoint Denial of Service (4)
Firmware Corruption
Inhibit System Recovery
=
Network Denial of Service (2)
Resource Hijacking
Service Stop
System Shutdown/Reboot
Last modified: 27 October 2020