Mac/README.md

## MITRE ATT&CK Matrix - Mac

| Initial Access	| Execution	| Persistence	| Privilege Escalation	| Defense Evasion	| Credential Access	| Discovery	| Lateral Movement	| Collection	| Exfiltration	| Command and Control|
|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| Drive-by Compromise	| [AppleScript](Execution/AppleScript.md)	| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md)	| Dylib Hijacking	| Binary Padding	| [Bash History](Credential_Access/Bash_History.md) 	| [Account Discovery](Discovery/Account_Discovery.md) 	| [AppleScript](Execution/AppleScript.md)	| Audio Capture	| Automated Exfiltration	| Commonly Used Port| 
| Exploit Public-Facing Application	| Command-Line Interface	| [Browser Extensions](Persistence/Browser_Extensions.md) 	| Exploitation for Privilege Escalation	| Clear Command History	| Brute Force	| Application Window Discovery	| Application Deployment Software	| Automated Collection	| Data Compressed	| Communication Through Removable Media| 
| Hardware Additions	| Exploitation for Client Execution	| [Create Account](Persistence/Create_Account.md) 	| [Launch Daemon](Persistence/Launch_Daemon.md) 	|Code Signing	| [Credentials in Files](Credential_Access/Credentials_in_Files.md)  	| Browser Bookmark Discovery	| Exploitation of Remote Services	| Clipboard Data	| Data Encrypted	| Connection Proxy| 
| Spearphishing Attachment	| Graphical User Interface	| Dylib Hijacking	| Plist Modification	| [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)	| Exploitation for Credential Access	| [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)	|  [Logon Scripts](Persistence/Logon_Scripts.md) 	| Data Staged	 | Data Transfer Size Limits	| [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md)l| 
| Spearphishing Link	| [Launchctl](Defense_Evasion/Launchctl.md)	| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories)	| Process Injection	| Exploitation for Defense Evasion	| Input Capture	|  [Network Service Scanning](Discovery/Network_Service_Scanning.md)	| Remote File Copy	| Data from Information Repositories	| [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) 	| Custom Cryptographic Protocol| 
| Spearphishing via Service	| 	[Local Job Scheduling](Persistence/Local_Job_Scheduling.md)	| Kernel Modules and Extensions	| [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md)	| File Deletion	|  [Input Prompt](Credential_Access/Input_Prompt.md) 	| [Network Share Discovery](Discovery/Network_Share_Discovery.md)	| Remote Services	| Data from Local System	| Exfiltration Over Command and Control Channel	| Data Encoding| 
| Supply Chain Compromise	| Scripting	| LC_LOAD_DYLIB Addition	| [Startup Items](Persistence/Startup_Items.md)	| [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) 	| [Keychain](Credential_Access/Keychain.md)	| Password Policy Discovery	| SSH Hijacking	| Data from Network Shared Drive	| Exfiltration Over Other Network Medium	| Data Obfuscation| 
| Trusted Relationship	| Source	| [Launch Agent](Persistence/Launch_Agent.md) 	| Sudo	| [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) 	| Network Sniffing	|[Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md)	| Third-party Software	| Data from Removable Media	| Exfiltration Over Physical Medium	| Domain Fronting| 
| Valid Accounts	| [Space after Filename](Execution/Space_After_Filename.md)	| [Launch Daemon](Persistence/Launch_Daemon.md) 	| Sudo Caching	| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories)	|Private Keys	| [Process Discovery](Discovery/Process_Discovery.md) | 		| Input Capture	| Scheduled Transfer	| Fallback Channels| 
| 		| Third-party Software	| [Launchctl](Defense_Evasion/Launchctl.md)	| Valid Accounts	| [Hidden Users](Defense_Evasion/Hidden_Users.md)	| Securityd Memory	| [Remote System Discovery](Discovery/Remote_System_Discovery.md) 		| 		| [Screen Capture](Collection/Screen_Capture.md)		| 			| Multi-Stage Channels| 
| 		| Trap	| [Local Job Scheduling](Persistence/Local_Job_Scheduling.md)	| Web Shell	| Hidden Window	| Two-Factor Authentication Interception	| [Security Software Discovery](Discovery/Security_Software_Discovery.md) 		|		|  Video Capture		| 		| Multi-hop Proxy| 
| 		| User Execution	| Login Item		| 		| Indicator Removal from Tools		| 		| [System Information Discovery](Discovery/System_Information_Discovery.md)				| 		| 		| 		| Multiband Communication| 
| 		| 		|  [Logon Scripts](Persistence/Logon_Scripts.md) 		| 			| [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) 		| 			| [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md)				| 		| 		| 		| Multilayer Encryption| 
| 		| 		| [Plist Modification](Persistence/Plist_Modification.md)		| 		| Install Root Certificate		| 		| System Network Connections Discovery				| 		| 		| 		| Port Knocking| 
|  		| 		| Port Knocking		| 		| LC_MAIN Hijacking		| 			| [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) 				| 		| 		| 		| Remote Access Tools| 
|  		| 		| [Rc.common](Persistence/Rc.common.md)		| 		| [Launchctl](Defense_Evasion/Launchctl.md)						| 		| 		| 		| 		| 		| Remote File Copy| 
|  		| 		| [Re-opened Applications](Persistence/Re-opened_Applications.md) 		| 	| Masquerading			| 		| 		| 		| 		| 		| Standard Application Layer Protocol| 
|  		| 		| Redundant Access		| 	| Obfuscated Files or Information		| 		| 		| 		| 		| 		| Standard Cryptographic Protocol| 
|  		| 		| [Startup Items](Persistence/Startup_Items.md)		| 	| [Plist Modification](Persistence/Plist_Modification.md)						| 		| 		| 		| 		| 		| Standard Non-Application Layer Protocol| 
|  		| 		| Trap		| 	| Port Knocking								| 		| 		| 		| 		| 		| Uncommonly Used Port| 
|  		| 		| Valid Accounts		| 		| Process Injection						| 		| 		| 		| 		| 		| Web Service| 
|  		| 		| Web Shell		| 	| Redundant Access			 	| 	| 	| 	| 	| 	| 	| 		
| 	| 	| 	| 	| Rootkit					| 	 	| 	| 	| 	| 	| 	| 			
| 	| 	| 	| 	|  Scripting				| 		| 	| 	| 	| 	| 	| 	 
| 	| 	| 	| 	|  [Space after Filename](Execution/Space_After_Filename.md)		| 		| 	| 	| 	| 	| 	| 	 		
| 	| 	| 	| 	|  Valid Accounts			| 		| 	| 	| 	| 	| 	| 	 	
| 	| 	| 	| 	|  Web Service				| 	 	| 	| 	| 	| 	| 	|
Initial Commit 2017-10-11 10:35:17 -07:00			`## MITRE ATT&CK Matrix - Mac`

update April TTP 2018-04-16 16:55:02 +08:00			`\| Initial Access \| Execution \| Persistence \| Privilege Escalation \| Defense Evasion \| Credential Access \| Discovery \| Lateral Movement \| Collection \| Exfiltration \| Command and Control\|`
			`\|-------------------------------------------------------\|----------------------------------------\|-----------------------------------------\|----------------------------------------\|----------------------------------------\|-------------------------------------\|------------------------------------\|--------------------------------\|--------------------------------\|-----------------------------------------------\|-----------------------------------------\|`
updated link for Mitre April update 2018-04-16 17:21:05 +08:00			`\| Drive-by Compromise \| [AppleScript](Execution/AppleScript.md) \| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) \| Dylib Hijacking \| Binary Padding \| [Bash History](Credential_Access/Bash_History.md) \| [Account Discovery](Discovery/Account_Discovery.md) \| [AppleScript](Execution/AppleScript.md) \| Audio Capture \| Automated Exfiltration \| Commonly Used Port\|`
			`\| Exploit Public-Facing Application \| Command-Line Interface \| [Browser Extensions](Persistence/Browser_Extensions.md) \| Exploitation for Privilege Escalation \| Clear Command History \| Brute Force \| Application Window Discovery \| Application Deployment Software \| Automated Collection \| Data Compressed \| Communication Through Removable Media\|`
			`\| Hardware Additions \| Exploitation for Client Execution \| [Create Account](Persistence/Create_Account.md) \| [Launch Daemon](Persistence/Launch_Daemon.md) \|Code Signing \| [Credentials in Files](Credential_Access/Credentials_in_Files.md) \| Browser Bookmark Discovery \| Exploitation of Remote Services \| Clipboard Data \| Data Encrypted \| Connection Proxy\|`
			`\| Spearphishing Attachment \| Graphical User Interface \| Dylib Hijacking \| Plist Modification \| [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) \| Exploitation for Credential Access \| [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) \| [Logon Scripts](Persistence/Logon_Scripts.md) \| Data Staged \| Data Transfer Size Limits \| [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md)l\|`
			`\| Spearphishing Link \| [Launchctl](Defense_Evasion/Launchctl.md) \| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) \| Process Injection \| Exploitation for Defense Evasion \| Input Capture \| [Network Service Scanning](Discovery/Network_Service_Scanning.md) \| Remote File Copy \| Data from Information Repositories \| [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) \| Custom Cryptographic Protocol\|`
			`\| Spearphishing via Service \| [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) \| Kernel Modules and Extensions \| [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) \| File Deletion \| [Input Prompt](Credential_Access/Input_Prompt.md) \| [Network Share Discovery](Discovery/Network_Share_Discovery.md) \| Remote Services \| Data from Local System \| Exfiltration Over Command and Control Channel \| Data Encoding\|`
			`\| Supply Chain Compromise \| Scripting \| LC_LOAD_DYLIB Addition \| [Startup Items](Persistence/Startup_Items.md) \| [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) \| [Keychain](Credential_Access/Keychain.md) \| Password Policy Discovery \| SSH Hijacking \| Data from Network Shared Drive \| Exfiltration Over Other Network Medium \| Data Obfuscation\|`
			`\| Trusted Relationship \| Source \| [Launch Agent](Persistence/Launch_Agent.md) \| Sudo \| [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) \| Network Sniffing \|[Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) \| Third-party Software \| Data from Removable Media \| Exfiltration Over Physical Medium \| Domain Fronting\|`
			`\| Valid Accounts \| [Space after Filename](Execution/Space_After_Filename.md) \| [Launch Daemon](Persistence/Launch_Daemon.md) \| Sudo Caching \| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) \|Private Keys \| [Process Discovery](Discovery/Process_Discovery.md) \| \| Input Capture \| Scheduled Transfer \| Fallback Channels\|`
			`\| \| Third-party Software \| [Launchctl](Defense_Evasion/Launchctl.md) \| Valid Accounts \| [Hidden Users](Defense_Evasion/Hidden_Users.md) \| Securityd Memory \| [Remote System Discovery](Discovery/Remote_System_Discovery.md) \| \| [Screen Capture](Collection/Screen_Capture.md) \| \| Multi-Stage Channels\|`
			`\| \| Trap \| [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) \| Web Shell \| Hidden Window \| Two-Factor Authentication Interception \| [Security Software Discovery](Discovery/Security_Software_Discovery.md) \| \| Video Capture \| \| Multi-hop Proxy\|`
			`\| \| User Execution \| Login Item \| \| Indicator Removal from Tools \| \| [System Information Discovery](Discovery/System_Information_Discovery.md) \| \| \| \| Multiband Communication\|`
			`\| \| \| [Logon Scripts](Persistence/Logon_Scripts.md) \| \| [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) \| \| [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) \| \| \| \| Multilayer Encryption\|`
			`\| \| \| [Plist Modification](Persistence/Plist_Modification.md) \| \| Install Root Certificate \| \| System Network Connections Discovery \| \| \| \| Port Knocking\|`
			`\| \| \| Port Knocking \| \| LC_MAIN Hijacking \| \| [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) \| \| \| \| Remote Access Tools\|`
			`\| \| \| [Rc.common](Persistence/Rc.common.md) \| \| [Launchctl](Defense_Evasion/Launchctl.md) \| \| \| \| \| \| Remote File Copy\|`
			`\| \| \| [Re-opened Applications](Persistence/Re-opened_Applications.md) \| \| Masquerading \| \| \| \| \| \| Standard Application Layer Protocol\|`
update April TTP 2018-04-16 16:55:02 +08:00			`\| \| \| Redundant Access \| \| Obfuscated Files or Information \| \| \| \| \| \| Standard Cryptographic Protocol\|`
updated link for Mitre April update 2018-04-16 17:21:05 +08:00			`\| \| \| [Startup Items](Persistence/Startup_Items.md) \| \| [Plist Modification](Persistence/Plist_Modification.md) \| \| \| \| \| \| Standard Non-Application Layer Protocol\|`
update April TTP 2018-04-16 16:55:02 +08:00			`\| \| \| Trap \| \| Port Knocking \| \| \| \| \| \| Uncommonly Used Port\|`
			`\| \| \| Valid Accounts \| \| Process Injection \| \| \| \| \| \| Web Service\|`
			`\| \| \| Web Shell \| \| Redundant Access \| \| \| \| \| \| \|`
			`\| \| \| \| \| Rootkit \| \| \| \| \| \| \|`
			`\| \| \| \| \| Scripting \| \| \| \| \| \| \|`
updated link for Mitre April update 2018-04-16 17:21:05 +08:00			`\| \| \| \| \| [Space after Filename](Execution/Space_After_Filename.md) \| \| \| \| \| \| \|`
update April TTP 2018-04-16 16:55:02 +08:00			`\| \| \| \| \| Valid Accounts \| \| \| \| \| \| \|`
			`\| \| \| \| \| Web Service \| \| \| \| \| \| \|`