2017-10-11 10:35:17 -07:00
## MITRE ATT&CK Matrix - Mac
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc ](Persistence/bash_profile_and_bashrc.md ) | Dylib Hijacking | Binary Padding | [Bash History ](Credential_Access/Bash_History.md ) | [Account Discovery ](Discovery/Account_Discovery.md ) | [AppleScript ](Execution/AppleScript.md ) | [AppleScript ](Execution/AppleScript.md ) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| [Browser Extensions ](Persistence/Browser_Extensions.md ) | Exploitation of Vulnerability | [Clear Command History ](Defense_Evasion/Clear_Command_History.md ) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Create Account ](Persistence/Create_Account.md ) | Launch Daemon | Code Signing | [Credentials in Files ](Credential_Access/Credentials_in_Files.md ) | [File and Directory Discovery ](Discovery/File_and_Directory_Discovery.md ) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy |
| Dylib Hijacking | Plist Modification | [Disabling Security Tools ](Defense_Evasion/Disabling_Security_Tools.md ) | Exploitation of Vulnerability | [Network Service Scanning ](Discovery/Network_Service_Scanning.md ) | [Logon Scripts ](Persistence/Logon_Scripts.md ) | Launchctl | Clipboard Data | Data Transfer Size Limits | [Custom Command and Control Protocol ](Command_and_Control/Custom_Command_and_Control_Protocol.md ) |
| Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery ](Discovery/Network_Share_Discovery.md ) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol ](Exfiltration/Exfiltration_Over_Alternative_Protocol.md ) | Custom Cryptographic Protocol |
| LC_LOAD_DYLIB Addition | [Setuid and Setgid ](Privilege_Escalation/Setuid_and_Setgid.md ) | File Deletion | [Input Prompt ](Credential_Access/Input_Prompt.md ) | [Permission Groups Discovery ](Discovery/Permissions_Groups_Discovery.md ) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| [Launch Agent ](Persistence/Launch_Agent.md ) | Startup Items | [Gatekeeper Bypass ](Defense_Evasion/Gatekeeper_Bypass.md ) | [Keychain ](Credential_Access/Keychain.md ) | [Process Discovery ](Discovery/Process_Discovery.md ) | SSH Hijacking | Source | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launch Daemon ](Persistence/Launch_Daemon.md ) | Sudo | [HISTCONTROL ](Defense_Evasion/HISTCONTROL.md ) | Network Sniffing | [Remote System Discovery ](Discovery/Remote_System_Discovery.md ) | Third-party Software | [Space after Filename ](Execution/Space_After_Filename.md ) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Launchctl | Valid Accounts | [Hidden Files and Directories ](Defense_Evasion/Hidden_Files_and_Directories ) | Private Keys | [Security Software Discovery ](Discovery/Security_Software_Discovery.md ) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels |
| [Local Job Scheduling ](Persistence/Local_Job_Scheduling.md ) | Web Shell | [Hidden Users ](Defense_Evasion/Hidden_Users.md ) | Securityd Memory | [System Information Discovery ](Discovery/System_Information_Discovery.md ) | | Trap | [Screen Capture ](Collection/Screen_Capture.md ) | | Multi-Stage Channels |
| Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration Discovery ](Discovery/System_Network_Configuration_Discovery.md ) | | | | | Multi-hop Proxy |
| [Logon Scripts ](Persistence/Logon_Scripts.md ) | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication |
| [Plist Modification ](Persistence/Plist_Modification.md ) | | [Indicator Removal on Host ](Defense_Evasion/Indicator_Removal_On_Host.md ) | | [System Owner/User Discovery ](Discovery/System_Owner_User_Discovery.md ) | | | | | Multilayer Encryption |
| [Rc.common ](Persistence/Rc.common.md ) | | LC_MAIN Hijacking | | | | | | | Remote File Copy |
| [Re-opened Applications ](Persistence/Re-opened_Applications.md ) | | [Launchctl ](Defense_Evasion/Launchctl.md ) | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | Masquerading | | | | | | | Standard Cryptographic Protocol |
| [Startup Items ](Persistence/Startup_Items.md ) | | Obfuscated Files or Information | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Plist Modification | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Process Injection | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |
| | | Rootkit | | | | | | | |
| | | Scripting | | | | | | | |
| | | [Space after Filename ](Defense_Evasion/Space_After_Filename.md ) | | | | | | | |
| | | Valid Accounts | | | | | | | |