
Enterprise Matrix - macOS

The matrix below includes techniques spanning the macOS platform. The full Enterprise ATT&CK matrix along with the matrices for Windows and Linux are also available for navigation.

Last Modified: 2018-10-17T00:14:20.652Z
The matrix has one column per tactic; each column is reproduced below as a list of its techniques.

Initial Access
- Drive-by Compromise
- Exploit Public-Facing Application
- Hardware Additions
- Spearphishing Attachment
- Spearphishing Link
- Spearphishing via Service
- Supply Chain Compromise
- Trusted Relationship
- Valid Accounts

Execution
- AppleScript
- Command-Line Interface
- Exploitation for Client Execution
- Graphical User Interface
- Launchctl
- Local Job Scheduling
- Scripting
- Source
- Space after Filename
- Third-party Software
- Trap
- User Execution

Persistence
- .bash_profile and .bashrc
- Browser Extensions
- Create Account
- Dylib Hijacking
- Hidden Files and Directories
- Kernel Modules and Extensions
- LC_LOAD_DYLIB Addition
- Launch Agent
- Launch Daemon
- Launchctl
- Local Job Scheduling
- Login Item
- Logon Scripts
- Plist Modification
- Port Knocking
- Rc.common
- Re-opened Applications
- Redundant Access
- Setuid and Setgid
- Startup Items
- Trap
- Valid Accounts
- Web Shell

Privilege Escalation
- Dylib Hijacking
- Exploitation for Privilege Escalation
- Launch Daemon
- Plist Modification
- Process Injection
- Setuid and Setgid
- Startup Items
- Sudo Caching
- Sudo
- Valid Accounts
- Web Shell

Defense Evasion
- Binary Padding
- Clear Command History
- Code Signing
- Disabling Security Tools
- Exploitation for Defense Evasion
- File Deletion
- File Permissions Modification
- Gatekeeper Bypass
- HISTCONTROL
- Hidden Files and Directories
- Hidden Users
- Hidden Window
- Indicator Removal from Tools
- Indicator Removal on Host
- Install Root Certificate
- LC_MAIN Hijacking
- Launchctl
- Masquerading
- Obfuscated Files or Information
- Plist Modification
- Port Knocking
- Process Injection
- Redundant Access
- Rootkit
- Scripting
- Space after Filename
- Valid Accounts
- Web Service

Credential Access
- Bash History
- Brute Force
- Credential Dumping
- Credentials in Files
- Exploitation for Credential Access
- Input Capture
- Input Prompt
- Keychain
- Network Sniffing
- Private Keys
- Securityd Memory
- Two-Factor Authentication Interception

Discovery
- Account Discovery
- Application Window Discovery
- Browser Bookmark Discovery
- File and Directory Discovery
- Network Service Scanning
- Network Share Discovery
- Network Sniffing
- Password Policy Discovery
- Permission Groups Discovery
- Process Discovery
- Remote System Discovery
- Security Software Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery

Lateral Movement
- AppleScript
- Application Deployment Software
- Exploitation of Remote Services
- Logon Scripts
- Remote File Copy
- Remote Services
- SSH Hijacking
- Third-party Software

Collection
- Audio Capture
- Automated Collection
- Clipboard Data
- Data Staged
- Data from Information Repositories
- Data from Local System
- Data from Network Shared Drive
- Data from Removable Media
- Input Capture
- Screen Capture
- Video Capture

Exfiltration
- Automated Exfiltration
- Data Compressed
- Data Encrypted
- Data Transfer Size Limits
- Exfiltration Over Alternative Protocol
- Exfiltration Over Command and Control Channel
- Exfiltration Over Other Network Medium
- Exfiltration Over Physical Medium
- Scheduled Transfer

Command and Control
- Commonly Used Port
- Communication Through Removable Media
- Custom Command and Control Protocol
- Custom Cryptographic Protocol
- Data Encoding
- Data Obfuscation
- Domain Fronting
- Fallback Channels
- Multi-Stage Channels
- Multi-hop Proxy
- Multiband Communication
- Multilayer Encryption
- Port Knocking
- Remote Access Tools
- Remote File Copy
- Standard Application Layer Protocol
- Standard Cryptographic Protocol
- Standard Non-Application Layer Protocol
- Uncommonly Used Port
- Web Service