Enterprise Matrix - macOS

The matrix below includes techniques spanning the macOS platform. The full Enterprise ATT&CK matrix along with the matrices for Windows and Linux are also available for navigation.

Last Modified: 2019-04-25 20:53:07.719000
The matrix is organized as twelve tactic columns; the techniques listed under each tactic are given below, one column at a time.

Initial Access
Drive-by Compromise
Exploit Public-Facing Application
Hardware Additions
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts

Execution
AppleScript
Command-Line Interface
Exploitation for Client Execution
Graphical User Interface
Launchctl
Local Job Scheduling
Scripting
Source
Space after Filename
Third-party Software
Trap
User Execution

Persistence
.bash_profile and .bashrc
Browser Extensions
Create Account
Dylib Hijacking
Hidden Files and Directories
Kernel Modules and Extensions
LC_LOAD_DYLIB Addition
Launch Agent
Launch Daemon
Launchctl
Local Job Scheduling
Login Item
Logon Scripts
Plist Modification
Port Knocking
Rc.common
Re-opened Applications
Redundant Access
Setuid and Setgid
Startup Items
Trap
Valid Accounts
Web Shell

Privilege Escalation
Dylib Hijacking
Exploitation for Privilege Escalation
Launch Daemon
Plist Modification
Process Injection
Setuid and Setgid
Startup Items
Sudo Caching
Sudo
Valid Accounts
Web Shell

Defense Evasion
Binary Padding
Clear Command History
Code Signing
Compile After Delivery
Disabling Security Tools
Execution Guardrails
Exploitation for Defense Evasion
File Deletion
File Permissions Modification
Gatekeeper Bypass
HISTCONTROL
Hidden Files and Directories
Hidden Users
Hidden Window
Indicator Removal from Tools
Indicator Removal on Host
Install Root Certificate
LC_MAIN Hijacking
Launchctl
Masquerading
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Injection
Redundant Access
Rootkit
Scripting
Space after Filename
Valid Accounts
Web Service

Credential Access
Bash History
Brute Force
Credential Dumping
Credentials in Files
Exploitation for Credential Access
Input Capture
Input Prompt
Keychain
Network Sniffing
Private Keys
Securityd Memory
Two-Factor Authentication Interception

Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Permission Groups Discovery
Process Discovery
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery

Lateral Movement
AppleScript
Application Deployment Software
Exploitation of Remote Services
Logon Scripts
Remote File Copy
Remote Services
SSH Hijacking
Third-party Software

Collection
Audio Capture
Automated Collection
Clipboard Data
Data Staged
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Input Capture
Screen Capture
Video Capture

Command and Control
Commonly Used Port
Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-Stage Channels
Multi-hop Proxy
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service

Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Scheduled Transfer

Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Stored Data Manipulation
Transmitted Data Manipulation