security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/Mac/README.md
T
Ye Yint @ Rolan 0c20cf6541 updated link for Mitre April update
2018-04-16 17:21:05 +08:00

32 lines
6.6 KiB
Markdown
Raw Blame History

## MITRE ATT&CK Matrix - Mac
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control|
|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| Drive-by Compromise | [AppleScript](Execution/AppleScript.md) | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port|
| Exploit Public-Facing Application | Command-Line Interface | [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation for Privilege Escalation | Clear Command History | Brute Force | Application Window Discovery | Application Deployment Software | Automated Collection | Data Compressed | Communication Through Removable Media|
| Hardware Additions | Exploitation for Client Execution | [Create Account](Persistence/Create_Account.md) | [Launch Daemon](Persistence/Launch_Daemon.md) |Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Browser Bookmark Discovery | Exploitation of Remote Services | Clipboard Data | Data Encrypted | Connection Proxy|
| Spearphishing Attachment | Graphical User Interface | Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation for Credential Access | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Data Staged | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md)l|
| Spearphishing Link | [Launchctl](Defense_Evasion/Launchctl.md) | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) | Process Injection | Exploitation for Defense Evasion | Input Capture | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Data from Information Repositories | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol|
| Spearphishing via Service | [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) | Kernel Modules and Extensions | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote Services | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding|
| Supply Chain Compromise | Scripting | LC_LOAD_DYLIB Addition | [Startup Items](Persistence/Startup_Items.md) | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Keychain](Credential_Access/Keychain.md) | Password Policy Discovery | SSH Hijacking | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation|
| Trusted Relationship | Source | [Launch Agent](Persistence/Launch_Agent.md) | Sudo | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Network Sniffing |[Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Third-party Software | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting|
| Valid Accounts | [Space after Filename](Execution/Space_After_Filename.md) | [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo Caching | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) |Private Keys | [Process Discovery](Discovery/Process_Discovery.md) | | Input Capture | Scheduled Transfer | Fallback Channels|
| | Third-party Software | [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Securityd Memory | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | [Screen Capture](Collection/Screen_Capture.md) | | Multi-Stage Channels|
| | Trap | [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) | Web Shell | Hidden Window | Two-Factor Authentication Interception | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Video Capture | | Multi-hop Proxy|
| | User Execution | Login Item | | Indicator Removal from Tools | | [System Information Discovery](Discovery/System_Information_Discovery.md) | | | | Multiband Communication|
| | | [Logon Scripts](Persistence/Logon_Scripts.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | Multilayer Encryption|
| | | [Plist Modification](Persistence/Plist_Modification.md) | | Install Root Certificate | | System Network Connections Discovery | | | | Port Knocking|
| | | Port Knocking | | LC_MAIN Hijacking | | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | Remote Access Tools|
| | | [Rc.common](Persistence/Rc.common.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | Remote File Copy|
| | | [Re-opened Applications](Persistence/Re-opened_Applications.md) | | Masquerading | | | | | | Standard Application Layer Protocol|
| | | Redundant Access | | Obfuscated Files or Information | | | | | | Standard Cryptographic Protocol|
| | | [Startup Items](Persistence/Startup_Items.md) | | [Plist Modification](Persistence/Plist_Modification.md) | | | | | | Standard Non-Application Layer Protocol|
| | | Trap | | Port Knocking | | | | | | Uncommonly Used Port|
| | | Valid Accounts | | Process Injection | | | | | | Web Service|
| | | Web Shell | | Redundant Access | | | | | | |
| | | | | Rootkit | | | | | | |
| | | | | Scripting | | | | | | |
| | | | | [Space after Filename](Execution/Space_After_Filename.md) | | | | | | |
| | | | | Valid Accounts | | | | | | |
| | | | | Web Service | | | | | | |
Reference in New Issue View Git Blame Copy Permalink