macOS Matrix

Below are the tactics and techniques representing the MITRE ATT&CK^® macOS platform. The techniques below are known to target hosts running macOS operating systems. The Matrix contains information for the macOS platform.

View on the ATT&CK^® Navigator

Version Permalink

Live Version

10 techniques

18 techniques

11 techniques

25 techniques

15 techniques

25 techniques

7 techniques

14 techniques

18 techniques

8 techniques

15 techniques

Content Injection

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Phishing ₍₄₎

Supply Chain Compromise ₍₃₎

Trusted Relationship

Valid Accounts ₍₃₎

Wi-Fi Networks

Command and Scripting Interpreter ₍₆₎

Exploitation for Client Execution

Input Injection

Inter-Process Communication ₍₁₎

Native API

Scheduled Task/Job ₍₂₎

Shared Modules

Software Deployment Tools

System Services ₍₁₎

User Execution ₍₃₎

Account Manipulation ₍₂₎

Boot or Logon Autostart Execution ₍₃₎

Boot or Logon Initialization Scripts ₍₃₎

Compromise Host Software Binary

Create Account ₍₂₎

Create or Modify System Process ₍₂₎

Event Triggered Execution ₍₅₎

Exclusive Control

External Remote Services

Hijack Execution Flow ₍₃₎

Modify Authentication Process ₍₂₎

Power Settings

Pre-OS Boot ₍₁₎

Scheduled Task/Job ₍₂₎

Server Software Component ₍₁₎

Software Extensions ₍₂₎

Traffic Signaling ₍₂₎

Valid Accounts ₍₃₎

Abuse Elevation Control Mechanism ₍₄₎

Account Manipulation ₍₂₎

Boot or Logon Autostart Execution ₍₃₎

Boot or Logon Initialization Scripts ₍₃₎

Create or Modify System Process ₍₂₎

Event Triggered Execution ₍₅₎

Exploitation for Privilege Escalation

Hijack Execution Flow ₍₃₎

Process Injection

Scheduled Task/Job ₍₂₎

Valid Accounts ₍₃₎

Abuse Elevation Control Mechanism ₍₄₎

Debugger Evasion

Deobfuscate/Decode Files or Information

Email Spoofing

Execution Guardrails ₍₂₎

Exploitation for Defense Evasion

File and Directory Permissions Modification ₍₁₎

Hide Artifacts ₍₁₁₎

Hijack Execution Flow ₍₃₎

Impair Defenses ₍₆₎

Impersonation

Indicator Removal ₍₈₎

Masquerading ₍₉₎

Modify Authentication Process ₍₂₎

Obfuscated Files or Information ₍₁₄₎

Plist File Modification

Pre-OS Boot ₍₁₎

Process Injection

Reflective Code Loading

Rootkit

Subvert Trust Controls ₍₄₎

System Binary Proxy Execution ₍₁₎

Traffic Signaling ₍₂₎

Valid Accounts ₍₃₎

Virtualization/Sandbox Evasion ₍₃₎

Adversary-in-the-Middle ₍₂₎

Brute Force ₍₄₎

Credentials from Password Stores ₍₄₎

Exploitation for Credential Access

Forge Web Credentials ₍₁₎

Input Capture ₍₄₎

Modify Authentication Process ₍₂₎

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

OS Credential Dumping

Steal or Forge Authentication Certificates

Steal or Forge Kerberos Tickets ₍₁₎

Steal Web Session Cookie

Unsecured Credentials ₍₃₎

Account Discovery ₍₂₎

Application Window Discovery

Browser Information Discovery

Debugger Evasion

Device Driver Discovery

File and Directory Discovery

Log Enumeration

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery ₍₂₎

Process Discovery

Remote System Discovery

Software Discovery ₍₁₎

System Information Discovery

System Location Discovery ₍₁₎

System Network Configuration Discovery ₍₂₎

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtual Machine Discovery

Virtualization/Sandbox Evasion ₍₃₎

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking ₍₁₎

Remote Services ₍₂₎

Software Deployment Tools

Taint Shared Content

Adversary-in-the-Middle ₍₂₎

Archive Collected Data ₍₃₎

Audio Capture

Automated Collection

Clipboard Data

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged ₍₂₎

Email Collection ₍₁₎

Input Capture ₍₄₎

Screen Capture

Video Capture

Application Layer Protocol ₍₅₎

Communication Through Removable Media

Content Injection

Data Encoding ₍₂₎

Data Obfuscation ₍₃₎

Dynamic Resolution ₍₃₎

Encrypted Channel ₍₂₎

Fallback Channels

Hide Infrastructure

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Proxy ₍₄₎

Remote Access Tools ₍₃₎

Traffic Signaling ₍₂₎

Web Service ₍₃₎

Automated Exfiltration

Data Transfer Size Limits

Exfiltration Over Alternative Protocol ₍₃₎

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium ₍₁₎

Exfiltration Over Physical Medium ₍₁₎

Exfiltration Over Web Service ₍₄₎

Scheduled Transfer

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation ₍₃₎

Defacement ₍₂₎

Disk Wipe ₍₂₎

Email Bombing

Endpoint Denial of Service ₍₄₎

Financial Theft

Firmware Corruption

Inhibit System Recovery

Network Denial of Service ₍₂₎

Resource Hijacking ₍₂₎

Service Stop

System Shutdown/Reboot

10 techniques

18 techniques

11 techniques

25 techniques

15 techniques

25 techniques

7 techniques

14 techniques

18 techniques

8 techniques

15 techniques

Content Injection

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

=	Phishing ₍₄₎
	Spearphishing Attachment Spearphishing Link Spearphishing via Service Spearphishing Voice

=	Supply Chain Compromise ₍₃₎
	Compromise Software Dependencies and Development Tools Compromise Software Supply Chain Compromise Hardware Supply Chain

Trusted Relationship

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

Wi-Fi Networks

=	Command and Scripting Interpreter ₍₆₎
	AppleScript Unix Shell Visual Basic Python JavaScript Lua

Exploitation for Client Execution

Input Injection

=	Inter-Process Communication ₍₁₎
	XPC Services

Native API

=	Scheduled Task/Job ₍₂₎
	At Cron

Shared Modules

Software Deployment Tools

=	System Services ₍₁₎
	Launchctl

=	User Execution ₍₃₎
	Malicious Link Malicious File Malicious Copy and Paste

=	Account Manipulation ₍₂₎
	SSH Authorized Keys Additional Local or Domain Groups

=	Boot or Logon Autostart Execution ₍₃₎
	Kernel Modules and Extensions Re-opened Applications Login Items

=	Boot or Logon Initialization Scripts ₍₃₎
	Login Hook RC Scripts Startup Items

Compromise Host Software Binary

=	Create Account ₍₂₎
	Local Account Domain Account

=	Create or Modify System Process ₍₂₎
	Launch Agent Launch Daemon

=	Event Triggered Execution ₍₅₎
	Unix Shell Configuration Modification Trap LC_LOAD_DYLIB Addition Emond Installer Packages

Exclusive Control

External Remote Services

=	Hijack Execution Flow ₍₃₎
	Dylib Hijacking Dynamic Linker Hijacking Path Interception by PATH Environment Variable

=	Modify Authentication Process ₍₂₎
	Pluggable Authentication Modules Multi-Factor Authentication

Power Settings

=	Pre-OS Boot ₍₁₎
	Component Firmware

=	Scheduled Task/Job ₍₂₎
	At Cron

=	Server Software Component ₍₁₎
	Web Shell

=	Software Extensions ₍₂₎
	Browser Extensions IDE Extensions

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Abuse Elevation Control Mechanism ₍₄₎
	Setuid and Setgid Sudo and Sudo Caching Elevated Execution with Prompt TCC Manipulation

=	Account Manipulation ₍₂₎
	SSH Authorized Keys Additional Local or Domain Groups

=	Boot or Logon Autostart Execution ₍₃₎
	Kernel Modules and Extensions Re-opened Applications Login Items

=	Boot or Logon Initialization Scripts ₍₃₎
	Login Hook RC Scripts Startup Items

=	Create or Modify System Process ₍₂₎
	Launch Agent Launch Daemon

=	Event Triggered Execution ₍₅₎
	Unix Shell Configuration Modification Trap LC_LOAD_DYLIB Addition Emond Installer Packages

Exploitation for Privilege Escalation

=	Hijack Execution Flow ₍₃₎
	Dylib Hijacking Dynamic Linker Hijacking Path Interception by PATH Environment Variable

Process Injection

=	Scheduled Task/Job ₍₂₎
	At Cron

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Abuse Elevation Control Mechanism ₍₄₎
	Setuid and Setgid Sudo and Sudo Caching Elevated Execution with Prompt TCC Manipulation

Debugger Evasion

Deobfuscate/Decode Files or Information

Email Spoofing

=	Execution Guardrails ₍₂₎
	Environmental Keying Mutual Exclusion

Exploitation for Defense Evasion

=	File and Directory Permissions Modification ₍₁₎
	Linux and Mac File and Directory Permissions Modification

=	Hide Artifacts ₍₁₁₎
	Hidden Files and Directories Hidden Users Hidden Window Hidden File System Run Virtual Instance VBA Stomping Email Hiding Rules Resource Forking Ignore Process Interrupts File/Path Exclusions Extended Attributes

=	Hijack Execution Flow ₍₃₎
	Dylib Hijacking Dynamic Linker Hijacking Path Interception by PATH Environment Variable

=	Impair Defenses ₍₆₎
	Disable or Modify Tools Impair Command History Logging Disable or Modify System Firewall Indicator Blocking Downgrade Attack Spoof Security Alerting

Impersonation

=	Indicator Removal ₍₈₎
	Clear Linux or Mac System Logs Clear Command History File Deletion Timestomp Clear Network Connection History and Configurations Clear Mailbox Data Clear Persistence Relocate Malware

=	Masquerading ₍₉₎
	Invalid Code Signature Right-to-Left Override Rename Legitimate Utilities Masquerade Task or Service Match Legitimate Resource Name or Location Space after Filename Masquerade File Type Break Process Trees Masquerade Account Name

=	Modify Authentication Process ₍₂₎
	Pluggable Authentication Modules Multi-Factor Authentication

=	Obfuscated Files or Information ₍₁₄₎
	Binary Padding Software Packing Steganography Compile After Delivery Indicator Removal from Tools HTML Smuggling Stripped Payloads Embedded Payloads Command Obfuscation Encrypted/Encoded File Polymorphic Code Compression Junk Code Insertion SVG Smuggling

Plist File Modification

=	Pre-OS Boot ₍₁₎
	Component Firmware

Process Injection

Reflective Code Loading

Rootkit

=	Subvert Trust Controls ₍₄₎
	Gatekeeper Bypass Code Signing Install Root Certificate Code Signing Policy Modification

=	System Binary Proxy Execution ₍₁₎
	Electron Applications

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

=	Adversary-in-the-Middle ₍₂₎
	ARP Cache Poisoning DHCP Spoofing

=	Brute Force ₍₄₎
	Password Guessing Password Cracking Password Spraying Credential Stuffing

=	Credentials from Password Stores ₍₄₎
	Keychain Securityd Memory Credentials from Web Browsers Password Managers

Exploitation for Credential Access

=	Forge Web Credentials ₍₁₎
	Web Cookies

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

=	Modify Authentication Process ₍₂₎
	Pluggable Authentication Modules Multi-Factor Authentication

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

OS Credential Dumping

Steal or Forge Authentication Certificates

=	Steal or Forge Kerberos Tickets ₍₁₎
	Ccache Files

Steal Web Session Cookie

=	Unsecured Credentials ₍₃₎
	Credentials In Files Bash History Private Keys

=	Account Discovery ₍₂₎
	Local Account Domain Account

Application Window Discovery

Browser Information Discovery

Debugger Evasion

Device Driver Discovery

File and Directory Discovery

Log Enumeration

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

=	Permission Groups Discovery ₍₂₎
	Local Groups Domain Groups

Process Discovery

Remote System Discovery

=	Software Discovery ₍₁₎
	Security Software Discovery

System Information Discovery

=	System Location Discovery ₍₁₎
	System Language Discovery

=	System Network Configuration Discovery ₍₂₎
	Internet Connection Discovery Wi-Fi Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtual Machine Discovery

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

=	Remote Service Session Hijacking ₍₁₎
	SSH Hijacking

=	Remote Services ₍₂₎
	SSH VNC

Software Deployment Tools

Taint Shared Content

=	Adversary-in-the-Middle ₍₂₎
	ARP Cache Poisoning DHCP Spoofing

=	Archive Collected Data ₍₃₎
	Archive via Utility Archive via Library Archive via Custom Method

Audio Capture

Automated Collection

Clipboard Data

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

=	Data Staged ₍₂₎
	Local Data Staging Remote Data Staging

=	Email Collection ₍₁₎
	Email Forwarding Rule

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

Screen Capture

Video Capture

=	Application Layer Protocol ₍₅₎
	Web Protocols File Transfer Protocols Mail Protocols DNS Publish/Subscribe Protocols

Communication Through Removable Media

Content Injection

=	Data Encoding ₍₂₎
	Standard Encoding Non-Standard Encoding

=	Data Obfuscation ₍₃₎
	Junk Data Steganography Protocol or Service Impersonation

=	Dynamic Resolution ₍₃₎
	Fast Flux DNS Domain Generation Algorithms DNS Calculation

=	Encrypted Channel ₍₂₎
	Symmetric Cryptography Asymmetric Cryptography

Fallback Channels

Hide Infrastructure

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

=	Proxy ₍₄₎
	Internal Proxy External Proxy Multi-hop Proxy Domain Fronting

=	Remote Access Tools ₍₃₎
	IDE Tunneling Remote Desktop Software Remote Access Hardware

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Web Service ₍₃₎
	Dead Drop Resolver Bidirectional Communication One-Way Communication

Automated Exfiltration

Data Transfer Size Limits

=	Exfiltration Over Alternative Protocol ₍₃₎
	Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

=	Exfiltration Over Other Network Medium ₍₁₎
	Exfiltration Over Bluetooth

=	Exfiltration Over Physical Medium ₍₁₎
	Exfiltration over USB

=	Exfiltration Over Web Service ₍₄₎
	Exfiltration to Code Repository Exfiltration to Cloud Storage Exfiltration to Text Storage Sites Exfiltration Over Webhook

Scheduled Transfer

Account Access Removal

Data Destruction

Data Encrypted for Impact

=	Data Manipulation ₍₃₎
	Stored Data Manipulation Transmitted Data Manipulation Runtime Data Manipulation

=	Defacement ₍₂₎
	Internal Defacement External Defacement

=	Disk Wipe ₍₂₎
	Disk Content Wipe Disk Structure Wipe

Email Bombing

=	Endpoint Denial of Service ₍₄₎
	OS Exhaustion Flood Service Exhaustion Flood Application Exhaustion Flood Application or System Exploitation

Financial Theft

Firmware Corruption

Inhibit System Recovery

=	Network Denial of Service ₍₂₎
	Direct Network Flood Reflection Amplification

=	Resource Hijacking ₍₂₎
	Compute Hijacking Bandwidth Hijacking

Service Stop

System Shutdown/Reboot