macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| External Remote Services CONTRIBUTE A TEST | JavaScript CONTRIBUTE A TEST | Malicious Shell Modification CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Indicator Removal from Tools CONTRIBUTE A TEST | Adversary-in-the-Middle CONTRIBUTE A TEST | System Owner/User Discovery | VNC CONTRIBUTE A TEST | Archive via Utility | Exfiltration Over Web Service CONTRIBUTE A TEST | Standard Encoding | Disk Structure Wipe CONTRIBUTE A TEST |
| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Malicious File CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Plist Modification CONTRIBUTE A TEST | Hidden Window CONTRIBUTE A TEST | Pluggable Authentication Modules CONTRIBUTE A TEST | Internet Connection Discovery CONTRIBUTE A TEST | Taint Shared Content CONTRIBUTE A TEST | Screen Capture | Scheduled Transfer CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Direct Network Flood CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST | Cron | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | File System Permissions Weakness CONTRIBUTE A TEST | Plist Modification CONTRIBUTE A TEST | Keylogging | Permission Groups Discovery CONTRIBUTE A TEST | SSH CONTRIBUTE A TEST | Adversary-in-the-Middle CONTRIBUTE A TEST | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | DNS CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Plist Modification CONTRIBUTE A TEST | Elevated Execution with Prompt CONTRIBUTE A TEST | Pluggable Authentication Modules CONTRIBUTE A TEST | Password Guessing CONTRIBUTE A TEST | Domain Account CONTRIBUTE A TEST | Application Deployment Software CONTRIBUTE A TEST | Keylogging | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Domain Fronting CONTRIBUTE A TEST | External Defacement CONTRIBUTE A TEST |
| Spearphishing Attachment CONTRIBUTE A TEST | AppleScript | Pluggable Authentication Modules CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | HISTCONTROL CONTRIBUTE A TEST | OS Credential Dumping CONTRIBUTE A TEST | Security Software Discovery CONTRIBUTE A TEST | SSH Hijacking CONTRIBUTE A TEST | Audio Capture CONTRIBUTE A TEST | Automated Exfiltration CONTRIBUTE A TEST | Symmetric Cryptography CONTRIBUTE A TEST | OS Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Hardware Supply Chain CONTRIBUTE A TEST | Native API CONTRIBUTE A TEST | File System Permissions Weakness CONTRIBUTE A TEST | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Linux and Mac File and Directory Permissions Modification | Steal Web Session Cookie CONTRIBUTE A TEST | Local Account | Remote Services CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Fast Flux DNS CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST |
| Supply Chain Compromise CONTRIBUTE A TEST | Source CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | Sudo and Sudo Caching | Email Hiding Rules CONTRIBUTE A TEST | Securityd Memory CONTRIBUTE A TEST | System Checks | Remote Service Session Hijacking CONTRIBUTE A TEST | Email Collection CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Application Layer Protocol CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST | Launchctl CONTRIBUTE A TEST | External Remote Services CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Rootkit CONTRIBUTE A TEST | Password Cracking CONTRIBUTE A TEST | Domain Groups CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Custom Cryptographic Protocol CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST |
| Default Accounts CONTRIBUTE A TEST | AppleScript CONTRIBUTE A TEST | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Sudo Caching CONTRIBUTE A TEST | Timestomp CONTRIBUTE A TEST | Keychain | System Service Discovery CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Local Data Staging | Exfiltration Over C2 Channel CONTRIBUTE A TEST | Remote Access Software CONTRIBUTE A TEST | Service Stop CONTRIBUTE A TEST |
| Spearphishing Attachment CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Rc.common CONTRIBUTE A TEST | Cron | Sudo and Sudo Caching | Securityd Memory CONTRIBUTE A TEST | Network Sniffing | Internal Spearphishing CONTRIBUTE A TEST | Automated Collection CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Multilayer Encryption CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST | Scripting CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Startup Items CONTRIBUTE A TEST | Code Signing CONTRIBUTE A TEST | Password Managers CONTRIBUTE A TEST | Network Share Discovery | Lateral Tool Transfer CONTRIBUTE A TEST | Clipboard Data | Exfiltration over USB CONTRIBUTE A TEST | Traffic Signaling CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST |
| Phishing CONTRIBUTE A TEST | Launchctl | Cron | Scheduled Task/Job CONTRIBUTE A TEST | Match Legitimate Name or Location | Network Sniffing | Peripheral Device Discovery CONTRIBUTE A TEST | SSH Hijacking CONTRIBUTE A TEST | Remote Data Staging CONTRIBUTE A TEST | Data Compressed CONTRIBUTE A TEST | Standard Cryptographic Protocol CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST | XPC Services CONTRIBUTE A TEST | Startup Items CONTRIBUTE A TEST | Login Hook | Hide Artifacts CONTRIBUTE A TEST | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | System Information Discovery |  | Data from Local System CONTRIBUTE A TEST | Exfiltration to Cloud Storage CONTRIBUTE A TEST | Protocol Tunneling CONTRIBUTE A TEST | Reflection Amplification CONTRIBUTE A TEST |
| Compromise Software Supply Chain CONTRIBUTE A TEST | User Execution CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Process Injection CONTRIBUTE A TEST | System Checks | Credentials from Password Stores CONTRIBUTE A TEST | Application Window Discovery CONTRIBUTE A TEST |  | Archive via Library CONTRIBUTE A TEST | Data Transfer Size Limits | Domain Generation Algorithms CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST |
| Domain Accounts CONTRIBUTE A TEST | Launchd CONTRIBUTE A TEST | Login Item CONTRIBUTE A TEST | Launch Daemon | Clear Linux or Mac System Logs | Unsecured Credentials CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST |  | Archive Collected Data CONTRIBUTE A TEST | Data Encrypted CONTRIBUTE A TEST | Mail Protocols CONTRIBUTE A TEST | Defacement CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Browser Extensions | Default Accounts CONTRIBUTE A TEST | Disabling Security Tools CONTRIBUTE A TEST | Bash History CONTRIBUTE A TEST | Browser Bookmark Discovery |  | DHCP Spoofing CONTRIBUTE A TEST | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Internal Defacement CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST | Graphical User Interface CONTRIBUTE A TEST | Login Hook | Trap | Gatekeeper Bypass | Credentials from Web Browsers CONTRIBUTE A TEST | System Network Configuration Discovery |  | Web Portal Capture CONTRIBUTE A TEST | Exfiltration Over Unencrypted Non-C2 Protocol | External Proxy CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST |
| Drive-by Compromise CONTRIBUTE A TEST | Unix Shell | Traffic Signaling CONTRIBUTE A TEST | Dynamic Linker Hijacking | Code Signing CONTRIBUTE A TEST | Private Keys CONTRIBUTE A TEST | Account Discovery CONTRIBUTE A TEST |  | Video Capture CONTRIBUTE A TEST |  | Proxy CONTRIBUTE A TEST | Account Access Removal CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST | Inter-Process Communication CONTRIBUTE A TEST | Launchctl CONTRIBUTE A TEST | Plist Modification CONTRIBUTE A TEST | Clear Command History | Credentials from Web Browsers | File and Directory Discovery |  | Email Forwarding Rule CONTRIBUTE A TEST |  | Dynamic Resolution CONTRIBUTE A TEST | Data Encrypted for Impact CONTRIBUTE A TEST |
| Local Accounts | Trap CONTRIBUTE A TEST | Launch Daemon | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Deobfuscate/Decode Files or Information | DHCP Spoofing CONTRIBUTE A TEST | System Network Connections Discovery |  | Data Staged CONTRIBUTE A TEST |  | Multi-hop Proxy CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST |
|  | Exploitation for Client Execution CONTRIBUTE A TEST | Web Shell CONTRIBUTE A TEST | Setuid and Setgid | Impair Defenses CONTRIBUTE A TEST | Private Keys | Virtualization/Sandbox Evasion CONTRIBUTE A TEST |  | GUI Input Capture |  | Web Service CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST |
|  | Local Job Scheduling CONTRIBUTE A TEST | Default Accounts CONTRIBUTE A TEST | Login Items CONTRIBUTE A TEST | Masquerading CONTRIBUTE A TEST | Password Spraying CONTRIBUTE A TEST | Process Discovery |  | Data from Network Shared Drive CONTRIBUTE A TEST |  | DNS Calculation CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST |
|  | Python CONTRIBUTE A TEST | Trap | Launchd CONTRIBUTE A TEST | Process Injection CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | User Activity Based Checks CONTRIBUTE A TEST |  | Input Capture CONTRIBUTE A TEST |  | Multi-Stage Channels CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST |
|  | System Services CONTRIBUTE A TEST | Dynamic Linker Hijacking | Emond | Traffic Signaling CONTRIBUTE A TEST | Bash History | Local Groups |  | ARP Cache Poisoning CONTRIBUTE A TEST |  | Port Knocking CONTRIBUTE A TEST | Resource Hijacking |
|  | Visual Basic CONTRIBUTE A TEST | Local Account | Sudo CONTRIBUTE A TEST | System Binary Proxy Execution CONTRIBUTE A TEST | Credentials In Files | Password Policy Discovery |  | Data from Information Repositories CONTRIBUTE A TEST |  | Multiband Communication CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST |
|  | Space after Filename CONTRIBUTE A TEST | Plist Modification CONTRIBUTE A TEST | Kernel Modules and Extensions CONTRIBUTE A TEST | Timestomp | Web Cookies CONTRIBUTE A TEST | System Language Discovery CONTRIBUTE A TEST |  |  |  | File Transfer Protocols CONTRIBUTE A TEST | Data Destruction |
|  | Malicious Link CONTRIBUTE A TEST | Re-opened Applications CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Reflective Code Loading CONTRIBUTE A TEST | Input Prompt CONTRIBUTE A TEST | System Location Discovery CONTRIBUTE A TEST |  |  |  | One-Way Communication CONTRIBUTE A TEST | Network Denial of Service CONTRIBUTE A TEST |
|  | At CONTRIBUTE A TEST | Redundant Access CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | Forge Web Credentials CONTRIBUTE A TEST | Security Software Discovery |  |  |  | Multi-hop Proxy | Firmware Corruption CONTRIBUTE A TEST |
|  |  | SSH Authorized Keys | Valid Accounts CONTRIBUTE A TEST | Binary Padding CONTRIBUTE A TEST | Multi-Factor Authentication Request Generation CONTRIBUTE A TEST | Remote System Discovery |  |  |  | Data Obfuscation CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST |
|  |  | Kernel Modules and Extensions CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Disable or Modify System Firewall CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Network Service Discovery |  |  |  | Non-Standard Port | Disk Content Wipe CONTRIBUTE A TEST |
|  |  | Domain Account CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Launchctl CONTRIBUTE A TEST | Keychain CONTRIBUTE A TEST | Software Discovery |  |  |  | Encrypted Channel CONTRIBUTE A TEST | System Shutdown/Reboot |
|  |  | Component Firmware CONTRIBUTE A TEST | Unix Shell Configuration Modification | Code Signing Policy Modification CONTRIBUTE A TEST | GUI Input Capture | Debugger Evasion CONTRIBUTE A TEST |  |  |  | Bidirectional Communication CONTRIBUTE A TEST |  |
|  |  | Pre-OS Boot CONTRIBUTE A TEST | Elevated Execution with Prompt CONTRIBUTE A TEST | File Deletion CONTRIBUTE A TEST | Brute Force CONTRIBUTE A TEST |  |  |  |  | Asymmetric Cryptography CONTRIBUTE A TEST |  |
|  |  | Login Items CONTRIBUTE A TEST | Setuid and Setgid CONTRIBUTE A TEST | Binary Padding | Credential Stuffing |  |  |  |  | Non-Application Layer Protocol CONTRIBUTE A TEST |  |
|  |  | Port Knocking CONTRIBUTE A TEST | Startup Items | Default Accounts CONTRIBUTE A TEST | Credentials in Files CONTRIBUTE A TEST |  |  |  |  | Protocol Impersonation CONTRIBUTE A TEST |  |
|  |  | Launchd CONTRIBUTE A TEST | Web Shell CONTRIBUTE A TEST | Dynamic Linker Hijacking | Input Capture CONTRIBUTE A TEST |  |  |  |  | Uncommonly Used Port CONTRIBUTE A TEST |  |
|  |  | Compromise Client Software Binary CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | File and Directory Permissions Modification CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST |  |  |  |  | Domain Fronting CONTRIBUTE A TEST |  |
|  |  | Emond | Launch Agent | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Multi-Factor Authentication Interception CONTRIBUTE A TEST |  |  |  |  | Data Encoding CONTRIBUTE A TEST |  |
|  |  | Account Manipulation CONTRIBUTE A TEST | Emond CONTRIBUTE A TEST | Setuid and Setgid | Modify Authentication Process CONTRIBUTE A TEST |  |  |  |  | Non-Standard Encoding CONTRIBUTE A TEST |  |
|  |  | Kernel Modules and Extensions CONTRIBUTE A TEST | RC Scripts | Redundant Access CONTRIBUTE A TEST |  |  |  |  |  | Web Protocols |  |
|  |  | Dylib Hijacking CONTRIBUTE A TEST | Re-opened Applications | Gatekeeper Bypass CONTRIBUTE A TEST |  |  |  |  |  | Ingress Tool Transfer |  |
|  |  | Hijack Execution Flow CONTRIBUTE A TEST | Launch Daemon CONTRIBUTE A TEST | Software Packing CONTRIBUTE A TEST |  |  |  |  |  | Steganography CONTRIBUTE A TEST |  |
|  |  | Valid Accounts CONTRIBUTE A TEST | At CONTRIBUTE A TEST | Indicator Blocking CONTRIBUTE A TEST |  |  |  |  |  | Fallback Channels CONTRIBUTE A TEST |  |
|  |  | Trap CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Right-to-Left Override CONTRIBUTE A TEST |  |  |  |  |  | Internal Proxy |  |
|  |  | Event Triggered Execution CONTRIBUTE A TEST | Local Accounts | Component Firmware CONTRIBUTE A TEST |  |  |  |  |  | Custom Command and Control Protocol CONTRIBUTE A TEST |  |
|  |  | Unix Shell Configuration Modification |  | Indicator Removal on Host CONTRIBUTE A TEST |  |  |  |  |  | Dead Drop Resolver CONTRIBUTE A TEST |  |
|  |  | Local Job Scheduling CONTRIBUTE A TEST |  | Masquerade Task or Service CONTRIBUTE A TEST |  |  |  |  |  | Junk Data CONTRIBUTE A TEST |  |
|  |  | Setuid and Setgid CONTRIBUTE A TEST |  | Plist File Modification |  |  |  |  |  | Commonly Used Port CONTRIBUTE A TEST |  |
|  |  | Startup Items |  | Pre-OS Boot CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Web Shell CONTRIBUTE A TEST |  | Scripting CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Domain Accounts CONTRIBUTE A TEST |  | Downgrade Attack CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Launch Agent |  | Virtualization/Sandbox Evasion CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Emond CONTRIBUTE A TEST |  | Execution Guardrails CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Server Software Component CONTRIBUTE A TEST |  | Port Knocking CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Hidden Files and Directories CONTRIBUTE A TEST |  | Hidden Users |  |  |  |  |  |  |  |
|  |  | RC Scripts |  | Impair Command History Logging |  |  |  |  |  |  |  |
|  |  | Launch Agent CONTRIBUTE A TEST |  | User Activity Based Checks CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Create Account CONTRIBUTE A TEST |  | LC_MAIN Hijacking CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Re-opened Applications |  | Disable or Modify Tools |  |  |  |  |  |  |  |
|  |  | Launch Daemon CONTRIBUTE A TEST |  | Hijack Execution Flow CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | At CONTRIBUTE A TEST |  | Indicator Removal from Tools CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Modify Authentication Process CONTRIBUTE A TEST |  | Valid Accounts CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Dylib Hijacking CONTRIBUTE A TEST |  | Resource Forking CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  | Local Accounts |  | Obfuscated Files or Information |  |  |  |  |  |  |  |
|  |  |  |  | Invalid Code Signature CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Run Virtual Instance CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Subvert Trust Controls CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Elevated Execution with Prompt CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Rename System Utilities CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Steganography CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Domain Accounts CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Install Root Certificate |  |  |  |  |  |  |  |
|  |  |  |  | Compile After Delivery |  |  |  |  |  |  |  |
|  |  |  |  | VBA Stomping CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Hidden Window CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Hidden Users CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Compile After Delivery CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Clear Command History CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | HTML Smuggling CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Install Root Certificate CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | File Deletion |  |  |  |  |  |  |  |
|  |  |  |  | Hidden Files and Directories CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Software Packing |  |  |  |  |  |  |  |
|  |  |  |  | Hidden File System CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Space after Filename CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Debugger Evasion CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Space after Filename |  |  |  |  |  |  |  |
|  |  |  |  | Hidden Files and Directories |  |  |  |  |  |  |  |
|  |  |  |  | Environmental Keying CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Modify Authentication Process CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Dylib Hijacking CONTRIBUTE A TEST |  |  |  |  |  |  |  |
|  |  |  |  | Local Accounts |  |  |  |  |  |  |  |
|  |  |  |  | Exploitation for Defense Evasion CONTRIBUTE A TEST |  |  |  |  |  |  |  |