Enterprise Matrix - macOS

The matrix below includes techniques spanning the macOS platform. The full Enterprise ATT&CK matrix along with the matrices for Windows and Linux are also available for navigation.

Last Modified: 2019-04-25 20:53:07.719000

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Drive-by Compromise	AppleScript	.bash_profile and .bashrc	Dylib Hijacking	Binary Padding	Bash History	Account Discovery	AppleScript	Audio Capture	Commonly Used Port	Automated Exfiltration	Data Destruction
Exploit Public-Facing Application	Command-Line Interface	Browser Extensions	Exploitation for Privilege Escalation	Clear Command History	Brute Force	Application Window Discovery	Application Deployment Software	Automated Collection	Communication Through Removable Media	Data Compressed	Data Encrypted for Impact
Hardware Additions	Exploitation for Client Execution	Create Account	Launch Daemon	Code Signing	Credential Dumping	Browser Bookmark Discovery	Exploitation of Remote Services	Clipboard Data	Connection Proxy	Data Encrypted	Defacement
Spearphishing Attachment	Graphical User Interface	Dylib Hijacking	Plist Modification	Compile After Delivery	Credentials in Files	File and Directory Discovery	Logon Scripts	Data Staged	Custom Command and Control Protocol	Data Transfer Size Limits	Disk Content Wipe
Spearphishing Link	Launchctl	Hidden Files and Directories	Process Injection	Disabling Security Tools	Exploitation for Credential Access	Network Service Scanning	Remote File Copy	Data from Information Repositories	Custom Cryptographic Protocol	Exfiltration Over Alternative Protocol	Disk Structure Wipe
Spearphishing via Service	Local Job Scheduling	Kernel Modules and Extensions	Setuid and Setgid	Execution Guardrails	Input Capture	Network Share Discovery	Remote Services	Data from Local System	Data Encoding	Exfiltration Over Command and Control Channel	Endpoint Denial of Service
Supply Chain Compromise	Scripting	LC_LOAD_DYLIB Addition	Startup Items	Exploitation for Defense Evasion	Input Prompt	Network Sniffing	SSH Hijacking	Data from Network Shared Drive	Data Obfuscation	Exfiltration Over Other Network Medium	Firmware Corruption
Trusted Relationship	Source	Launch Agent	Sudo Caching	File Deletion	Keychain	Password Policy Discovery	Third-party Software	Data from Removable Media	Domain Fronting	Exfiltration Over Physical Medium	Inhibit System Recovery
Valid Accounts	Space after Filename	Launch Daemon	Sudo	File Permissions Modification	Network Sniffing	Permission Groups Discovery		Input Capture	Domain Generation Algorithms	Scheduled Transfer	Network Denial of Service
	Third-party Software	Launchctl	Valid Accounts	Gatekeeper Bypass	Private Keys	Process Discovery		Screen Capture	Fallback Channels		Resource Hijacking
	Trap	Local Job Scheduling	Web Shell	HISTCONTROL	Securityd Memory	Remote System Discovery		Video Capture	Multi-Stage Channels		Runtime Data Manipulation
	User Execution	Login Item		Hidden Files and Directories	Two-Factor Authentication Interception	Security Software Discovery			Multi-hop Proxy		Stored Data Manipulation
		Logon Scripts		Hidden Users		System Information Discovery			Multiband Communication		Transmitted Data Manipulation
		Plist Modification		Hidden Window		System Network Configuration Discovery			Multilayer Encryption
		Port Knocking		Indicator Removal from Tools		System Network Connections Discovery			Port Knocking
		Rc.common		Indicator Removal on Host		System Owner/User Discovery			Remote Access Tools
		Re-opened Applications		Install Root Certificate					Remote File Copy
		Redundant Access		LC_MAIN Hijacking					Standard Application Layer Protocol
		Setuid and Setgid		Launchctl					Standard Cryptographic Protocol
		Startup Items		Masquerading					Standard Non-Application Layer Protocol
		Trap		Obfuscated Files or Information					Uncommonly Used Port
		Valid Accounts		Plist Modification					Web Service
		Web Shell		Port Knocking
				Process Injection
				Redundant Access
				Rootkit
				Scripting
				Space after Filename
				Valid Accounts
				Web Service