macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Compromise Hardware Supply Chain CONTRIBUTE A TEST | AppleScript | Account Manipulation CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | Account Discovery CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | Automated Exfiltration CONTRIBUTE A TEST | Application Layer Protocol CONTRIBUTE A TEST | Account Access Removal CONTRIBUTE A TEST |
| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Binary Padding | Bash History | Application Window Discovery CONTRIBUTE A TEST | Internal Spearphishing CONTRIBUTE A TEST | Archive Collected Data CONTRIBUTE A TEST | Data Transfer Size Limits | Asymmetric Cryptography CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Software Supply Chain CONTRIBUTE A TEST | Cron | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Clear Command History | Brute Force CONTRIBUTE A TEST | Browser Bookmark Discovery | Lateral Tool Transfer CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST |
| Default Accounts CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Browser Extensions | Create or Modify System Process CONTRIBUTE A TEST | Clear Linux or Mac System Logs | Credential Stuffing | Domain Account CONTRIBUTE A TEST | Remote Service Session Hijacking CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Commonly Used Port CONTRIBUTE A TEST | Data Destruction |
| Domain Accounts CONTRIBUTE A TEST | Graphical User Interface CONTRIBUTE A TEST | Compromise Client Software Binary CONTRIBUTE A TEST | Cron | Code Signing CONTRIBUTE A TEST | Credentials In Files | Domain Groups CONTRIBUTE A TEST | Remote Services CONTRIBUTE A TEST | Archive via Utility | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Data Encrypted for Impact CONTRIBUTE A TEST |
| Drive-by Compromise CONTRIBUTE A TEST | JavaScript CONTRIBUTE A TEST | Create Account CONTRIBUTE A TEST | Default Accounts CONTRIBUTE A TEST | Code Signing Policy Modification CONTRIBUTE A TEST | Credentials from Password Stores CONTRIBUTE A TEST | File and Directory Discovery | SSH CONTRIBUTE A TEST | Audio Capture CONTRIBUTE A TEST | Exfiltration Over C2 Channel CONTRIBUTE A TEST | DNS CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST | Launchctl | Create or Modify System Process CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Compile After Delivery CONTRIBUTE A TEST | Credentials from Web Browsers | Internet Connection Discovery CONTRIBUTE A TEST | SSH Hijacking CONTRIBUTE A TEST | Automated Collection CONTRIBUTE A TEST | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | DNS Calculation CONTRIBUTE A TEST | Defacement CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST | Launchd | Cron | Dylib Hijacking CONTRIBUTE A TEST | Default Accounts CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Local Account | Software Deployment Tools CONTRIBUTE A TEST | Clipboard Data | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Data Encoding CONTRIBUTE A TEST | Direct Network Flood CONTRIBUTE A TEST |
| Local Accounts CONTRIBUTE A TEST | Malicious File CONTRIBUTE A TEST | Default Accounts CONTRIBUTE A TEST | Dynamic Linker Hijacking CONTRIBUTE A TEST | Deobfuscate/Decode Files or Information CONTRIBUTE A TEST | Forge Web Credentials CONTRIBUTE A TEST | Local Groups | VNC CONTRIBUTE A TEST | Data Staged CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST |
| Phishing CONTRIBUTE A TEST | Malicious Link CONTRIBUTE A TEST | Domain Account CONTRIBUTE A TEST | Elevated Execution with Prompt CONTRIBUTE A TEST | Disable or Modify System Firewall CONTRIBUTE A TEST | GUI Input Capture | Network Service Scanning | | Data from Information Repositories CONTRIBUTE A TEST | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Dead Drop Resolver CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST |
| Spearphishing Attachment CONTRIBUTE A TEST | Native API CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Emond | Disable or Modify Tools | Input Capture CONTRIBUTE A TEST | Network Share Discovery | | Data from Local System CONTRIBUTE A TEST | Exfiltration Over Web Service CONTRIBUTE A TEST | Domain Fronting CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Keychain | Network Sniffing | | Data from Network Shared Drive CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Dynamic Linker Hijacking CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Keylogging CONTRIBUTE A TEST | Password Policy Discovery | | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Cloud Storage CONTRIBUTE A TEST | Dynamic Resolution CONTRIBUTE A TEST | External Defacement CONTRIBUTE A TEST |
| Supply Chain Compromise CONTRIBUTE A TEST | Scripting CONTRIBUTE A TEST | Emond | Hijack Execution Flow CONTRIBUTE A TEST | Dynamic Linker Hijacking CONTRIBUTE A TEST | Man-in-the-Middle CONTRIBUTE A TEST | Peripheral Device Discovery CONTRIBUTE A TEST | | GUI Input Capture | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Kernel Modules and Extensions CONTRIBUTE A TEST | Elevated Execution with Prompt CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | Permission Groups Discovery CONTRIBUTE A TEST | | Input Capture CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST | Source CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Environmental Keying CONTRIBUTE A TEST | Network Sniffing | Process Discovery | | Keylogging CONTRIBUTE A TEST | | Fallback Channels CONTRIBUTE A TEST | Internal Defacement CONTRIBUTE A TEST |
| | System Services CONTRIBUTE A TEST | Kernel Modules and Extensions CONTRIBUTE A TEST | Launch Agent | Execution Guardrails CONTRIBUTE A TEST | OS Credential Dumping CONTRIBUTE A TEST | Remote System Discovery | | Local Data Staging | | Fast Flux DNS CONTRIBUTE A TEST | Network Denial of Service CONTRIBUTE A TEST |
| | Unix Shell | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Launch Daemon | Exploitation for Defense Evasion CONTRIBUTE A TEST | Password Cracking CONTRIBUTE A TEST | Security Software Discovery | | Man-in-the-Middle CONTRIBUTE A TEST | | File Transfer Protocols CONTRIBUTE A TEST | OS Exhaustion Flood CONTRIBUTE A TEST |
| | User Execution CONTRIBUTE A TEST | Launch Agent | Launchd | File Deletion | Password Guessing CONTRIBUTE A TEST | Software Discovery | | Remote Data Staging CONTRIBUTE A TEST | | Ingress Tool Transfer | Reflection Amplification CONTRIBUTE A TEST |
| | Visual Basic CONTRIBUTE A TEST | Launch Daemon | Local Accounts CONTRIBUTE A TEST | File and Directory Permissions Modification CONTRIBUTE A TEST | Password Managers CONTRIBUTE A TEST | System Checks | | Screen Capture | | Internal Proxy | Resource Hijacking |
| | | Launchd | Logon Script (Mac) | Gatekeeper Bypass | Password Spraying CONTRIBUTE A TEST | System Information Discovery | | Video Capture CONTRIBUTE A TEST | | Junk Data CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST |
| | | Local Account | Plist Modification | Hidden File System CONTRIBUTE A TEST | Pluggable Authentication Modules CONTRIBUTE A TEST | System Location Discovery CONTRIBUTE A TEST | | Web Portal Capture CONTRIBUTE A TEST | | Mail Protocols CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST |
| | | Local Accounts CONTRIBUTE A TEST | Process Injection CONTRIBUTE A TEST | Hidden Files and Directories | Private Keys | System Network Configuration Discovery | | | | Multi-Stage Channels CONTRIBUTE A TEST | Service Stop CONTRIBUTE A TEST |
| | | Logon Script (Mac) | RC Scripts | Hidden Users | Securityd Memory CONTRIBUTE A TEST | System Network Connections Discovery | | | | Multi-hop Proxy CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST |
| | | Modify Authentication Process CONTRIBUTE A TEST | Re-opened Applications | Hidden Window CONTRIBUTE A TEST | Steal Web Session Cookie CONTRIBUTE A TEST | System Owner/User Discovery | | | | Multiband Communication CONTRIBUTE A TEST | System Shutdown/Reboot |
| | | Plist Modification | Scheduled Task/Job CONTRIBUTE A TEST | Hide Artifacts CONTRIBUTE A TEST | Two-Factor Authentication Interception CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | | | | Non-Application Layer Protocol CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST |
| | | Pluggable Authentication Modules CONTRIBUTE A TEST | Setuid and Setgid | Hijack Execution Flow CONTRIBUTE A TEST | Unsecured Credentials CONTRIBUTE A TEST | User Activity Based Checks CONTRIBUTE A TEST | | | | Non-Standard Encoding CONTRIBUTE A TEST | |
| | | Port Knocking CONTRIBUTE A TEST | Startup Items | Impair Command History Logging | Web Cookies CONTRIBUTE A TEST | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | Non-Standard Port | |
| | | RC Scripts | Sudo and Sudo Caching | Impair Defenses CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | | | | | One-Way Communication CONTRIBUTE A TEST | |
| | | Re-opened Applications | Trap | Indicator Blocking CONTRIBUTE A TEST | | | | | | Port Knocking CONTRIBUTE A TEST | |
| | | Redundant Access CONTRIBUTE A TEST | Unix Shell Configuration Modification | Indicator Removal from Tools CONTRIBUTE A TEST | | | | | | Protocol Impersonation CONTRIBUTE A TEST | |
| | | SSH Authorized Keys | Valid Accounts CONTRIBUTE A TEST | Indicator Removal on Host CONTRIBUTE A TEST | | | | | | Protocol Tunneling CONTRIBUTE A TEST | |
| | | Scheduled Task/Job CONTRIBUTE A TEST | | Install Root Certificate | | | | | | Proxy CONTRIBUTE A TEST | |
| | | Server Software Component CONTRIBUTE A TEST | | Invalid Code Signature CONTRIBUTE A TEST | | | | | | Remote Access Software CONTRIBUTE A TEST | |
| | | Startup Items | | LC_MAIN Hijacking CONTRIBUTE A TEST | | | | | | Standard Encoding | |
| | | Traffic Signaling CONTRIBUTE A TEST | | Linux and Mac File and Directory Permissions Modification | | | | | | Steganography CONTRIBUTE A TEST | |
| | | Trap | | Local Accounts CONTRIBUTE A TEST | | | | | | Symmetric Cryptography CONTRIBUTE A TEST | |
| | | Unix Shell Configuration Modification | | Masquerading CONTRIBUTE A TEST | | | | | | Traffic Signaling CONTRIBUTE A TEST | |
| | | Valid Accounts CONTRIBUTE A TEST | | Match Legitimate Name or Location | | | | | | Web Protocols | |
| | | Web Shell CONTRIBUTE A TEST | | Modify Authentication Process CONTRIBUTE A TEST | | | | | | Web Service CONTRIBUTE A TEST | |
| | | | | Obfuscated Files or Information | | | | | | | |
| | | | | Pluggable Authentication Modules CONTRIBUTE A TEST | | | | | | | |
| | | | | Port Knocking CONTRIBUTE A TEST | | | | | | | |
| | | | | Process Injection CONTRIBUTE A TEST | | | | | | | |
| | | | | Redundant Access CONTRIBUTE A TEST | | | | | | | |
| | | | | Rename System Utilities CONTRIBUTE A TEST | | | | | | | |
| | | | | Right-to-Left Override CONTRIBUTE A TEST | | | | | | | |
| | | | | Rootkit CONTRIBUTE A TEST | | | | | | | |
| | | | | Run Virtual Instance CONTRIBUTE A TEST | | | | | | | |
| | | | | Scripting CONTRIBUTE A TEST | | | | | | | |
| | | | | Setuid and Setgid | | | | | | | |
| | | | | Software Packing | | | | | | | |
| | | | | Space after Filename | | | | | | | |
| | | | | Steganography CONTRIBUTE A TEST | | | | | | | |
| | | | | Subvert Trust Controls CONTRIBUTE A TEST | | | | | | | |
| | | | | Sudo and Sudo Caching | | | | | | | |
| | | | | System Checks | | | | | | | |
| | | | | Time Based Evasion CONTRIBUTE A TEST | | | | | | | |
| | | | | Timestomp | | | | | | | |
| | | | | Traffic Signaling CONTRIBUTE A TEST | | | | | | | |
| | | | | User Activity Based Checks CONTRIBUTE A TEST | | | | | | | |
| | | | | VBA Stomping CONTRIBUTE A TEST | | | | | | | |
| | | | | Valid Accounts CONTRIBUTE A TEST | | | | | | | |
| | | | | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | | | | |