macos-matrix.md

macOS Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
Compromise Hardware Supply Chain CONTRIBUTE A TEST	AppleScript	.bash_profile and .bashrc	.bash_profile and .bashrc	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Bash History	Account Discovery CONTRIBUTE A TEST	Exploitation of Remote Services CONTRIBUTE A TEST	Archive Collected Data CONTRIBUTE A TEST	Automated Exfiltration CONTRIBUTE A TEST	Application Layer Protocol CONTRIBUTE A TEST	Account Access Removal CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Command and Scripting Interpreter CONTRIBUTE A TEST	Account Manipulation CONTRIBUTE A TEST	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Binary Padding	Brute Force CONTRIBUTE A TEST	Application Window Discovery CONTRIBUTE A TEST	Internal Spearphishing CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Data Transfer Size Limits	Asymmetric Cryptography CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Cron	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Clear Command History	Credential Stuffing CONTRIBUTE A TEST	Browser Bookmark Discovery	Lateral Tool Transfer CONTRIBUTE A TEST	Archive via Library CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol	Bidirectional Communication CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Default Accounts CONTRIBUTE A TEST	Exploitation for Client Execution CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Clear Linux or Mac System Logs	Credentials In Files	Domain Account CONTRIBUTE A TEST	Remote Service Session Hijacking CONTRIBUTE A TEST	Archive via Utility	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Commonly Used Port CONTRIBUTE A TEST	Data Destruction
Domain Accounts CONTRIBUTE A TEST	Graphical User Interface CONTRIBUTE A TEST	Browser Extensions	Create or Modify System Process CONTRIBUTE A TEST	Code Signing CONTRIBUTE A TEST	Credentials from Password Stores CONTRIBUTE A TEST	Domain Groups CONTRIBUTE A TEST	Remote Services CONTRIBUTE A TEST	Audio Capture CONTRIBUTE A TEST	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Data Encrypted for Impact CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST	JavaScript/JScript CONTRIBUTE A TEST	Compromise Client Software Binary CONTRIBUTE A TEST	Cron	Compile After Delivery CONTRIBUTE A TEST	Credentials from Web Browsers	File and Directory Discovery	SSH CONTRIBUTE A TEST	Automated Collection CONTRIBUTE A TEST	Exfiltration Over C2 Channel CONTRIBUTE A TEST	DNS CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Launchctl	Create Account CONTRIBUTE A TEST	Default Accounts CONTRIBUTE A TEST	Default Accounts CONTRIBUTE A TEST	Exploitation for Credential Access CONTRIBUTE A TEST	Local Account	SSH Hijacking CONTRIBUTE A TEST	Clipboard Data	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	DNS Calculation CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	Launchd	Create or Modify System Process CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	Deobfuscate/Decode Files or Information CONTRIBUTE A TEST	GUI Input Capture	Local Groups	Software Deployment Tools CONTRIBUTE A TEST	Data Staged CONTRIBUTE A TEST	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Data Encoding CONTRIBUTE A TEST	Direct Network Flood CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST	Malicious File CONTRIBUTE A TEST	Cron	Dylib Hijacking CONTRIBUTE A TEST	Disable or Modify System Firewall CONTRIBUTE A TEST	Input Capture CONTRIBUTE A TEST	Network Service Scanning	VNC CONTRIBUTE A TEST	Data from Information Repositories CONTRIBUTE A TEST	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Data Obfuscation CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	Malicious Link CONTRIBUTE A TEST	Default Accounts CONTRIBUTE A TEST	Elevated Execution with Prompt CONTRIBUTE A TEST	Disable or Modify Tools	Keychain	Network Share Discovery		Data from Local System CONTRIBUTE A TEST	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Dead Drop Resolver CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	Native API CONTRIBUTE A TEST	Domain Account CONTRIBUTE A TEST	Emond	Domain Accounts CONTRIBUTE A TEST	Keylogging CONTRIBUTE A TEST	Network Sniffing		Data from Network Shared Drive CONTRIBUTE A TEST	Exfiltration Over Web Service CONTRIBUTE A TEST	Domain Fronting CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Python CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	Event Triggered Execution CONTRIBUTE A TEST	Dylib Hijacking CONTRIBUTE A TEST	Man-in-the-Middle CONTRIBUTE A TEST	Password Policy Discovery		Data from Removable Media CONTRIBUTE A TEST	Exfiltration over USB CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Dylib Hijacking CONTRIBUTE A TEST	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Elevated Execution with Prompt CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST	Peripheral Device Discovery CONTRIBUTE A TEST		GUI Input Capture	Exfiltration to Cloud Storage CONTRIBUTE A TEST	Dynamic Resolution CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST	Scripting CONTRIBUTE A TEST	Emond	Hijack Execution Flow CONTRIBUTE A TEST	Environmental Keying CONTRIBUTE A TEST	Network Sniffing	Permission Groups Discovery CONTRIBUTE A TEST		Input Capture CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Encrypted Channel CONTRIBUTE A TEST	Firmware Corruption CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Software Deployment Tools CONTRIBUTE A TEST	Event Triggered Execution CONTRIBUTE A TEST	Kernel Modules and Extensions CONTRIBUTE A TEST	Execution Guardrails CONTRIBUTE A TEST	OS Credential Dumping CONTRIBUTE A TEST	Process Discovery		Keylogging CONTRIBUTE A TEST	Scheduled Transfer CONTRIBUTE A TEST	External Proxy CONTRIBUTE A TEST	Inhibit System Recovery CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Source CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	Exploitation for Defense Evasion CONTRIBUTE A TEST	Password Cracking CONTRIBUTE A TEST	Remote System Discovery		Local Data Staging		Fallback Channels CONTRIBUTE A TEST	Internal Defacement CONTRIBUTE A TEST
	System Services CONTRIBUTE A TEST	Kernel Modules and Extensions CONTRIBUTE A TEST	Launch Agent	File Deletion	Password Guessing CONTRIBUTE A TEST	Security Software Discovery		Man-in-the-Middle CONTRIBUTE A TEST		Fast Flux DNS CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
	Unix Shell	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	Launch Daemon	File and Directory Permissions Modification CONTRIBUTE A TEST	Password Spraying CONTRIBUTE A TEST	Software Discovery		Remote Data Staging CONTRIBUTE A TEST		File Transfer Protocols CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
	User Execution CONTRIBUTE A TEST	Launch Agent	Launchd	Gatekeeper Bypass	Pluggable Authentication Modules CONTRIBUTE A TEST	System Checks CONTRIBUTE A TEST		Screen Capture		Ingress Tool Transfer	Reflection Amplification CONTRIBUTE A TEST
	Visual Basic CONTRIBUTE A TEST	Launch Daemon	Local Accounts CONTRIBUTE A TEST	HISTCONTROL	Private Keys	System Information Discovery		Video Capture CONTRIBUTE A TEST		Internal Proxy	Resource Hijacking
		Launchd	Logon Script (Mac)	Hidden File System CONTRIBUTE A TEST	Securityd Memory CONTRIBUTE A TEST	System Network Configuration Discovery		Web Portal Capture CONTRIBUTE A TEST		Junk Data CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
		Local Account	Plist Modification	Hidden Files and Directories	Steal Web Session Cookie CONTRIBUTE A TEST	System Network Connections Discovery				Mail Protocols CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
		Local Accounts CONTRIBUTE A TEST	Process Injection CONTRIBUTE A TEST	Hidden Users	Two-Factor Authentication Interception CONTRIBUTE A TEST	System Owner/User Discovery				Multi-Stage Channels CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
		Logon Script (Mac)	Rc.common	Hidden Window CONTRIBUTE A TEST	Unsecured Credentials CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST				Multi-hop Proxy CONTRIBUTE A TEST	System Shutdown/Reboot
		Plist Modification	Re-opened Applications	Hide Artifacts CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST	User Activity Based Checks CONTRIBUTE A TEST				Multiband Communication CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
		Port Knocking CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST		Virtualization/Sandbox Evasion CONTRIBUTE A TEST				Non-Application Layer Protocol CONTRIBUTE A TEST
		Rc.common	Setuid and Setgid	Impair Defenses CONTRIBUTE A TEST						Non-Standard Encoding CONTRIBUTE A TEST
		Re-opened Applications	Startup Items	Indicator Blocking CONTRIBUTE A TEST						Non-Standard Port
		Redundant Access CONTRIBUTE A TEST	Sudo and Sudo Caching	Indicator Removal from Tools CONTRIBUTE A TEST						One-Way Communication CONTRIBUTE A TEST
		SSH Authorized Keys	Trap	Indicator Removal on Host CONTRIBUTE A TEST						Port Knocking CONTRIBUTE A TEST
		Scheduled Task/Job CONTRIBUTE A TEST	Valid Accounts CONTRIBUTE A TEST	Install Root Certificate						Protocol Impersonation CONTRIBUTE A TEST
		Server Software Component CONTRIBUTE A TEST		Invalid Code Signature CONTRIBUTE A TEST						Protocol Tunneling CONTRIBUTE A TEST
		Startup Items		LC_MAIN Hijacking CONTRIBUTE A TEST						Proxy CONTRIBUTE A TEST
		Traffic Signaling CONTRIBUTE A TEST		Linux and Mac File and Directory Permissions Modification						Remote Access Software CONTRIBUTE A TEST
		Trap		Local Accounts CONTRIBUTE A TEST						Standard Encoding
		Valid Accounts CONTRIBUTE A TEST		Masquerading CONTRIBUTE A TEST						Steganography CONTRIBUTE A TEST
		Web Shell CONTRIBUTE A TEST		Match Legitimate Name or Location CONTRIBUTE A TEST						Symmetric Cryptography CONTRIBUTE A TEST
				Modify Authentication Process CONTRIBUTE A TEST						Traffic Signaling CONTRIBUTE A TEST
				Obfuscated Files or Information						Web Protocols
				Pluggable Authentication Modules CONTRIBUTE A TEST						Web Service CONTRIBUTE A TEST
				Port Knocking CONTRIBUTE A TEST
				Process Injection CONTRIBUTE A TEST
				Redundant Access CONTRIBUTE A TEST
				Rename System Utilities CONTRIBUTE A TEST
				Right-to-Left Override CONTRIBUTE A TEST
				Rootkit CONTRIBUTE A TEST
				Run Virtual Instance CONTRIBUTE A TEST
				Scripting CONTRIBUTE A TEST
				Setuid and Setgid
				Software Packing
				Space after Filename
				Steganography CONTRIBUTE A TEST
				Subvert Trust Controls CONTRIBUTE A TEST
				Sudo and Sudo Caching
				System Checks CONTRIBUTE A TEST
				Time Based Evasion CONTRIBUTE A TEST
				Timestomp
				Traffic Signaling CONTRIBUTE A TEST
				User Activity Based Checks CONTRIBUTE A TEST
				Valid Accounts CONTRIBUTE A TEST
				Virtualization/Sandbox Evasion CONTRIBUTE A TEST