diff --git a/Mac/Persistence/Hidden_Files_and_Directories.md b/Mac/Persistence/Hidden_Files_and_Directories.md
new file mode 100644
index 00000000..c2d572f5
--- /dev/null
+++ b/Mac/Persistence/Hidden_Files_and_Directories.md
@@ -0,0 +1,34 @@
+# Hidden Files and Directories
+
+MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
+
+### Hide files
+
+Input:
+
+ mv filename .filename
+
+
+Input:
+
+(Requires Apple Dev Tools)
+
+ setfile -a V filename
+
+### Hide Directories
+
+Input:
+
+ chflags hidden /secret/dir
+
+Unhide:
+
+ chflags nohidden
+
+
+
+### Show all Hidden
+
+Execute within terminal:
+
+ defaults write com.apple.finder AppleShowAllFiles YES
diff --git a/Mac/Persistence/Launch_Agent.md b/Mac/Persistence/Launch_Agent.md
new file mode 100644
index 00000000..4db473e3
--- /dev/null
+++ b/Mac/Persistence/Launch_Agent.md
@@ -0,0 +1,38 @@
+# Launch Agent
+
+MITRE ATT&CK Technique: [T1159](https://attack.mitre.org/wiki/Technique/T1159)
+
+Input:
+
+Filename: .client
+
+(Place within any directory, it will need to be referenced in the plist)
+
+ osascript -e 'tell app "Finder" to display dialog "Hello World"'
+
+
+Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
+
+
+
+
+
+ KeepAlive
+
+ Label
+ com.client.client
+ ProgramArguments
+
+ /Users//.client
+
+ RunAtLoad
+
+ NSUIElement
+ 1
+
+
+
+
+Launch:
+
+ launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
diff --git a/Mac/Persistence/Launch_Daemon.md b/Mac/Persistence/Launch_Daemon.md
new file mode 100644
index 00000000..83e82527
--- /dev/null
+++ b/Mac/Persistence/Launch_Daemon.md
@@ -0,0 +1,23 @@
+# Launch Daemon
+
+MITRE ATT&CK Technique: [T1160](https://attack.mitre.org/wiki/Technique/T1160)
+
+
+Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
+
+
+
+
+
+
+ Label
+ com.example.hello
+ ProgramArguments
+
+ hello
+ world
+
+ KeepAlive
+
+
+
diff --git a/Mac/Persistence/Plist_Modification.md b/Mac/Persistence/Plist_Modification.md
new file mode 100644
index 00000000..d7d51de5
--- /dev/null
+++ b/Mac/Persistence/Plist_Modification.md
@@ -0,0 +1,13 @@
+# Plist Modification
+
+MITRE ATT&CK Technique: [T1150](https://attack.mitre.org/wiki/Technique/T1150)
+
+Modify a .plist in
+
+ /Library/Preferences
+
+or
+
+ ~/Library/Preferences
+
+Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
diff --git a/Mac/Persistence/Re-opened_Applications.md b/Mac/Persistence/Re-opened_Applications.md
new file mode 100644
index 00000000..c22be04d
--- /dev/null
+++ b/Mac/Persistence/Re-opened_Applications.md
@@ -0,0 +1,26 @@
+# Re-Opened Applications
+
+MITRE ATT&CK Technique: [T1164](https://attack.mitre.org/wiki/Technique/T1164)
+
+### Plist method
+
+create a custom plist:
+
+ ~/Library/Preferences/com.apple.loginwindow.plist
+
+or
+
+ ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
+
+### Mac Defaults
+
+Create:
+
+ sudo defaults write com.apple.loginwindow LoginHook /path/to/script
+
+Delete:
+
+ sudo defaults delete com.apple.loginwindow LoginHook
+
+
+[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
diff --git a/Mac/Persistence/Startup_Items.md b/Mac/Persistence/Startup_Items.md
new file mode 100644
index 00000000..ab4230ab
--- /dev/null
+++ b/Mac/Persistence/Startup_Items.md
@@ -0,0 +1,10 @@
+# Startup Items
+
+MITRE ATT&CK Technique: [T1165](https://attack.mitre.org/wiki/Technique/T1165)
+
+Modify or create:
+
+ /Library/StartupItems/StartupParameters.plist
+
+
+[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
diff --git a/Mac/README.md b/Mac/README.md
index e1994483..d00667bd 100644
--- a/Mac/README.md
+++ b/Mac/README.md
@@ -5,19 +5,19 @@
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
-| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
-| Hidden Files and Directories | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
+| Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | Create Account | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
+| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
-| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
-| Launch Daemon | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
+| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
+| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
-| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
+| [Plist Modification](Persistence/Plist_Modification.md) | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
-| Re-opened Applications | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
+| [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
-| Startup Items | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol |
+| [Startup Items](Persistence/Startup_Items.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Masquerading | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Plist Modification | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |