0d9f652 Dec 4, 2018
4 contributors: @ForensicITGuy @caseysmithrc @MHaggis @brianebeyer

macOS Atomic Tests by ATT&CK Tactic & Technique

| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|---|---|---|---|---|---|---|---|---|---|---|
| Drive-by Compromise (CONTRIBUTE A TEST) | AppleScript | .bash_profile and .bashrc | Dylib Hijacking (CONTRIBUTE A TEST) | Binary Padding | Bash History | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration (CONTRIBUTE A TEST) | Commonly Used Port (CONTRIBUTE A TEST) |
| Exploit Public-Facing Application (CONTRIBUTE A TEST) | Command-Line Interface | Browser Extensions | Exploitation for Privilege Escalation (CONTRIBUTE A TEST) | Clear Command History | Brute Force | Application Window Discovery (CONTRIBUTE A TEST) | Application Deployment Software (CONTRIBUTE A TEST) | Automated Collection | Data Compressed | Communication Through Removable Media (CONTRIBUTE A TEST) |
| Hardware Additions (CONTRIBUTE A TEST) | Exploitation for Client Execution (CONTRIBUTE A TEST) | Create Account | Launch Daemon | Code Signing (CONTRIBUTE A TEST) | Credential Dumping | Browser Bookmark Discovery | Exploitation of Remote Services (CONTRIBUTE A TEST) | Clipboard Data | Data Encrypted | Custom Command and Control Protocol (CONTRIBUTE A TEST) |
| Spearphishing Attachment | Graphical User Interface (CONTRIBUTE A TEST) | Dylib Hijacking (CONTRIBUTE A TEST) | Plist Modification | Disabling Security Tools | Credentials in Files | File and Directory Discovery | Logon Scripts | Data Staged | Data Transfer Size Limits | Custom Cryptographic Protocol (CONTRIBUTE A TEST) |
| Spearphishing Link (CONTRIBUTE A TEST) | Launchctl | Hidden Files and Directories | Process Injection | Exploitation for Defense Evasion (CONTRIBUTE A TEST) | Exploitation for Credential Access (CONTRIBUTE A TEST) | Network Service Scanning | Remote File Copy | Data from Information Repositories (CONTRIBUTE A TEST) | Exfiltration Over Alternative Protocol | Data Encoding |
| Spearphishing via Service (CONTRIBUTE A TEST) | Local Job Scheduling | Kernel Modules and Extensions (CONTRIBUTE A TEST) | Setuid and Setgid | File Deletion | Input Capture | Network Share Discovery | Remote Services (CONTRIBUTE A TEST) | Data from Local System (CONTRIBUTE A TEST) | Exfiltration Over Command and Control Channel (CONTRIBUTE A TEST) | Data Obfuscation (CONTRIBUTE A TEST) |
| Supply Chain Compromise (CONTRIBUTE A TEST) | Scripting | LC_LOAD_DYLIB Addition (CONTRIBUTE A TEST) | Startup Items | File Permissions Modification | Input Prompt | Network Sniffing | SSH Hijacking (CONTRIBUTE A TEST) | Data from Network Shared Drive (CONTRIBUTE A TEST) | Exfiltration Over Other Network Medium (CONTRIBUTE A TEST) | Domain Fronting (CONTRIBUTE A TEST) |
| Trusted Relationship (CONTRIBUTE A TEST) | Source | Launch Agent | Sudo | Gatekeeper Bypass | Keychain | Password Policy Discovery | Third-party Software (CONTRIBUTE A TEST) | Data from Removable Media (CONTRIBUTE A TEST) | Exfiltration Over Physical Medium (CONTRIBUTE A TEST) | Fallback Channels (CONTRIBUTE A TEST) |
| Valid Accounts (CONTRIBUTE A TEST) | Space after Filename | Launch Daemon | Sudo Caching | HISTCONTROL | Network Sniffing | Permission Groups Discovery | | Input Capture | Scheduled Transfer (CONTRIBUTE A TEST) | Multi-Stage Channels (CONTRIBUTE A TEST) |
| | Third-party Software (CONTRIBUTE A TEST) | Launchctl | Valid Accounts (CONTRIBUTE A TEST) | Hidden Files and Directories | Private Keys | Process Discovery | | Screen Capture | | Multi-hop Proxy (CONTRIBUTE A TEST) |
| | Trap | Local Job Scheduling | Web Shell (CONTRIBUTE A TEST) | Hidden Users | Securityd Memory (CONTRIBUTE A TEST) | Remote System Discovery | | Video Capture (CONTRIBUTE A TEST) | | Multiband Communication (CONTRIBUTE A TEST) |
| | User Execution (CONTRIBUTE A TEST) | Login Item (CONTRIBUTE A TEST) | | Hidden Window (CONTRIBUTE A TEST) | Two-Factor Authentication Interception (CONTRIBUTE A TEST) | Security Software Discovery | | | | Multilayer Encryption (CONTRIBUTE A TEST) |
| | | Logon Scripts | | Indicator Removal from Tools (CONTRIBUTE A TEST) | | System Information Discovery | | | | Port Knocking (CONTRIBUTE A TEST) |
| | | Plist Modification | | Indicator Removal on Host | | System Network Configuration Discovery | | | | Remote Access Tools (CONTRIBUTE A TEST) |
| | | Port Knocking (CONTRIBUTE A TEST) | | Install Root Certificate | | System Network Connections Discovery | | | | Remote File Copy |
| | | Rc.common | | LC_MAIN Hijacking (CONTRIBUTE A TEST) | | System Owner/User Discovery | | | | Standard Application Layer Protocol (CONTRIBUTE A TEST) |
| | | Re-opened Applications | | Launchctl | | | | | | Standard Cryptographic Protocol (CONTRIBUTE A TEST) |
| | | Redundant Access (CONTRIBUTE A TEST) | | Masquerading | | | | | | Standard Non-Application Layer Protocol (CONTRIBUTE A TEST) |
| | | Setuid and Setgid | | Obfuscated Files or Information | | | | | | Uncommonly Used Port |
| | | Startup Items | | Plist Modification | | | | | | Web Service (CONTRIBUTE A TEST) |
| | | Trap | | Port Knocking (CONTRIBUTE A TEST) | | | | | | |
| | | Valid Accounts (CONTRIBUTE A TEST) | | Process Injection | | | | | | |
| | | Web Shell (CONTRIBUTE A TEST) | | Redundant Access (CONTRIBUTE A TEST) | | | | | | |
| | | | | Rootkit | | | | | | |
| | | | | Scripting | | | | | | |
| | | | | Space after Filename | | | | | | |
| | | | | Valid Accounts (CONTRIBUTE A TEST) | | | | | | |
| | | | | Web Service (CONTRIBUTE A TEST) | | | | | | |