1. Home
  2. Matrices
  3. macOS

macOS Matrix

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise. The Matrix contains information for the macOS platform.

View on the ATT&CK® Navigator
Version Permalink
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
8 techniques 8 techniques 16 techniques 10 techniques 23 techniques 15 techniques 21 techniques 7 techniques 14 techniques 16 techniques 8 techniques 13 techniques
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Phishing (3)
=
Supply Chain Compromise (3)
=
Trusted Relationship
Valid Accounts (3)
=
Command and Scripting Interpreter (5)
=
Exploitation for Client Execution
Inter-Process Communication (1)
=
Native API
Scheduled Task/Job (2)
=
Software Deployment Tools
System Services (1)
=
User Execution (2)
=
Account Manipulation (1)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
=
Browser Extensions
Compromise Client Software Binary
Create Account (2)
=
Create or Modify System Process (2)
=
Event Triggered Execution (5)
=
External Remote Services
Hijack Execution Flow (2)
=
Modify Authentication Process (2)
=
Pre-OS Boot (1)
=
Scheduled Task/Job (2)
=
Server Software Component (1)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
=
Create or Modify System Process (2)
=
Event Triggered Execution (5)
=
Exploitation for Privilege Escalation
Hijack Execution Flow (2)
=
Process Injection
Scheduled Task/Job (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
=
Debugger Evasion
Deobfuscate/Decode Files or Information
Execution Guardrails (1)
=
Exploitation for Defense Evasion
File and Directory Permissions Modification (1)
=
Hide Artifacts (8)
=
Hijack Execution Flow (2)
=
Impair Defenses (5)
=
Indicator Removal (7)
=
Masquerading (6)
=
Modify Authentication Process (2)
=
Obfuscated Files or Information (8)
=
Plist File Modification
Pre-OS Boot (1)
=
Process Injection
Reflective Code Loading
Rootkit
Subvert Trust Controls (4)
=
System Binary Proxy Execution
Traffic Signaling (2)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
=
Adversary-in-the-Middle (2)
=
Brute Force (4)
=
Credentials from Password Stores (4)
=
Exploitation for Credential Access
Forge Web Credentials (1)
=
Input Capture (3)
=
Modify Authentication Process (2)
=
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets
Steal Web Session Cookie
Unsecured Credentials (3)
=
Account Discovery (2)
=
Application Window Discovery
Browser Bookmark Discovery
Debugger Evasion
File and Directory Discovery
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery (2)
=
Process Discovery
Remote System Discovery
Software Discovery (1)
=
System Information Discovery
System Location Discovery (1)
=
System Network Configuration Discovery (1)
=
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
Virtualization/Sandbox Evasion (3)
=
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking (1)
=
Remote Services (2)
=
Software Deployment Tools
Taint Shared Content
Adversary-in-the-Middle (2)
=
Archive Collected Data (3)
=
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged (2)
=
Email Collection (1)
=
Input Capture (3)
=
Screen Capture
Video Capture
Application Layer Protocol (4)
=
Communication Through Removable Media
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
=
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Proxy (4)
=
Remote Access Software
Traffic Signaling (2)
=
Web Service (3)
=
Automated Exfiltration
Data Transfer Size Limits
Exfiltration Over Alternative Protocol (3)
=
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (2)
=
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Endpoint Denial of Service (4)
=
Firmware Corruption
Inhibit System Recovery
Network Denial of Service (2)
=
Resource Hijacking
Service Stop
System Shutdown/Reboot
Last modified: 01 April 2022
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
8 techniques 8 techniques 16 techniques 10 techniques 23 techniques 15 techniques 21 techniques 7 techniques 14 techniques 16 techniques 8 techniques 13 techniques
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
=
Phishing (3)
=
Supply Chain Compromise (3)
Trusted Relationship
=
Valid Accounts (3)
=
Command and Scripting Interpreter (5)
Exploitation for Client Execution
=
Inter-Process Communication (1)
Native API
=
Scheduled Task/Job (2)
Software Deployment Tools
=
System Services (1)
=
User Execution (2)
=
Account Manipulation (1)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
Browser Extensions
Compromise Client Software Binary
=
Create Account (2)
=
Create or Modify System Process (2)
=
Event Triggered Execution (5)
External Remote Services
=
Hijack Execution Flow (2)
=
Modify Authentication Process (2)
=
Pre-OS Boot (1)
=
Scheduled Task/Job (2)
=
Server Software Component (1)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
=
Boot or Logon Autostart Execution (3)
=
Boot or Logon Initialization Scripts (3)
=
Create or Modify System Process (2)
=
Event Triggered Execution (5)
Exploitation for Privilege Escalation
=
Hijack Execution Flow (2)
Process Injection
=
Scheduled Task/Job (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (3)
Debugger Evasion
Deobfuscate/Decode Files or Information
=
Execution Guardrails (1)
Exploitation for Defense Evasion
=
File and Directory Permissions Modification (1)
=
Hide Artifacts (8)
=
Hijack Execution Flow (2)
=
Impair Defenses (5)
=
Indicator Removal (7)
=
Masquerading (6)
=
Modify Authentication Process (2)
=
Obfuscated Files or Information (8)
Plist File Modification
=
Pre-OS Boot (1)
Process Injection
Reflective Code Loading
Rootkit
=
Subvert Trust Controls (4)
System Binary Proxy Execution
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
=
Adversary-in-the-Middle (2)
=
Brute Force (4)
=
Credentials from Password Stores (4)
Exploitation for Credential Access
=
Forge Web Credentials (1)
=
Input Capture (3)
=
Modify Authentication Process (2)
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets
Steal Web Session Cookie
=
Unsecured Credentials (3)
=
Account Discovery (2)
Application Window Discovery
Browser Bookmark Discovery
Debugger Evasion
File and Directory Discovery
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
=
Permission Groups Discovery (2)
Process Discovery
Remote System Discovery
=
Software Discovery (1)
System Information Discovery
=
System Location Discovery (1)
=
System Network Configuration Discovery (1)
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
=
Virtualization/Sandbox Evasion (3)
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
=
Remote Service Session Hijacking (1)
=
Remote Services (2)
Software Deployment Tools
Taint Shared Content
=
Adversary-in-the-Middle (2)
=
Archive Collected Data (3)
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
=
Data Staged (2)
=
Email Collection (1)
=
Input Capture (3)
Screen Capture
Video Capture
=
Application Layer Protocol (4)
Communication Through Removable Media
=
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
=
Proxy (4)
Remote Access Software
=
Traffic Signaling (2)
=
Web Service (3)
Automated Exfiltration
Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (2)
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
=
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Endpoint Denial of Service (4)
Firmware Corruption
Inhibit System Recovery
=
Network Denial of Service (2)
Resource Hijacking
Service Stop
System Shutdown/Reboot
Last modified: 01 April 2022