MITRE ATT&CK Coverage Matrix

ATT&CK Coverage • Key Features • Compatibility • Quick Start • License

The Matrix contains information for the macOS platform
The number of possible procedures per technique is vast. These statistics use conservative estimates for coverage calculations.

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command And Control	Exfiltration	Impact
External Remote Services	Shared Modules	Socket Filters	Boot or Logon Initialization Scripts	Socket Filters	Adversary-in-the-Middle	System Owner/User Discovery	VNC	Archive via Utility	Socket Filters	Exfiltration Over Web Service	Disk Structure Wipe
Compromise Software Dependencies and Development Tools	JavaScript	Boot or Logon Initialization Scripts	Path Interception by PATH Environment Variable	Embedded Payloads	Pluggable Authentication Modules	Internet Connection Discovery	Taint Shared Content	Screen Capture	Standard Encoding	Exfiltration Over Webhook	Direct Network Flood
Spearphishing Link	Malicious File	Pluggable Authentication Modules	Create or Modify System Process	Pluggable Authentication Modules	Keylogging	Permission Groups Discovery	SSH	Adversary-in-the-Middle	Domain Generation Algorithms	Scheduled Transfer	External Defacement
Spearphishing Attachment	Cron	Path Interception by PATH Environment Variable	LC_LOAD_DYLIB Addition	File/Path Exclusions	Password Guessing	Device Driver Discovery	SSH Hijacking	Keylogging	DNS	Exfiltration Over Other Network Medium	OS Exhaustion Flood
Compromise Hardware Supply Chain	Scheduled Task/Job	Create or Modify System Process	Sudo and Sudo Caching	Linux and Mac File and Directory Permissions Modification	OS Credential Dumping	Domain Account	Remote Services	Audio Capture	Symmetric Cryptography	Exfiltration Over Bluetooth	Application Exhaustion Flood
Supply Chain Compromise	AppleScript	External Remote Services	Boot or Logon Autostart Execution	Path Interception by PATH Environment Variable	Steal Web Session Cookie	Local Account	Remote Service Session Hijacking	Archive via Custom Method	Fast Flux DNS	Automated Exfiltration	Disk Wipe
Exploit Public-Facing Application	Native API	LC_LOAD_DYLIB Addition	Cron	Email Hiding Rules	Securityd Memory	System Checks	Software Deployment Tools	Email Collection	Application Layer Protocol	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Stored Data Manipulation
Content Injection	Command and Scripting Interpreter	Boot or Logon Autostart Execution	Scheduled Task/Job	Encrypted/Encoded File	Password Cracking	Domain Groups	Exploitation of Remote Services	Data from Removable Media	Remote Access Software	Exfiltration to Code Repository	Service Stop
Default Accounts	Launchctl	Cron	Login Hook	Rootkit	Keychain	System Service Discovery	Internal Spearphishing	Local Data Staging	Content Injection	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Application or System Exploitation
Trusted Relationship	XPC Services	Scheduled Task/Job	Process Injection	Sudo and Sudo Caching	Password Managers	Network Sniffing	Lateral Tool Transfer	Automated Collection	Traffic Signaling	Exfiltration Over C2 Channel	Runtime Data Manipulation
Phishing	User Execution	Browser Extensions	Launch Daemon	Match Legitimate Name or Location	Network Sniffing	Network Share Discovery		Clipboard Data	Protocol Tunneling	Exfiltration Over Alternative Protocol	Reflection Amplification
Valid Accounts	Software Deployment Tools	Login Hook	Default Accounts	Masquerade File Type	Steal or Forge Kerberos Tickets	Peripheral Device Discovery		Remote Data Staging	Mail Protocols	Exfiltration over USB	Service Exhaustion Flood
Spearphishing Voice	Unix Shell	Traffic Signaling	Trap	Hide Artifacts	Credentials from Password Stores	System Information Discovery		Data from Local System	Communication Through Removable Media	Exfiltration to Text Storage Sites	Defacement
Compromise Software Supply Chain	Inter-Process Communication	Launch Daemon	Dynamic Linker Hijacking	System Checks	Unsecured Credentials	Wi-Fi Discovery		Archive via Library	External Proxy	Exfiltration to Cloud Storage	Financial Theft
Domain Accounts	Exploitation for Client Execution	Web Shell	Abuse Elevation Control Mechanism	Clear Linux or Mac System Logs	Credentials from Web Browsers	Application Window Discovery		Archive Collected Data	Proxy	Data Transfer Size Limits	Internal Defacement
Hardware Additions	Python	Default Accounts	Setuid and Setgid	Stripped Payloads	DHCP Spoofing	Time Based Evasion		DHCP Spoofing	Dynamic Resolution	Exfiltration Over Physical Medium	Data Manipulation
Drive-by Compromise	System Services	Trap	SSH Authorized Keys	Gatekeeper Bypass	Private Keys	Browser Information Discovery		Web Portal Capture	Web Service	Exfiltration Over Unencrypted Non-C2 Protocol	Account Access Removal
Spearphishing via Service	Visual Basic	Dynamic Linker Hijacking	Login Items	Code Signing	Password Spraying	System Network Configuration Discovery		Video Capture	DNS Calculation		Data Encrypted for Impact
Local Accounts	Malicious Link	Local Account	Emond	Break Process Trees	Web Portal Capture	Account Discovery		Email Forwarding Rule	Multi-Stage Channels		Endpoint Denial of Service
	At	SSH Authorized Keys	Account Manipulation	Clear Network Connection History and Configurations	Steal or Forge Authentication Certificates	File and Directory Discovery		Data Staged	Port Knocking		Resource Hijacking
		Domain Account	Kernel Modules and Extensions	Clear Command History	Bash History	System Network Connections Discovery		GUI Input Capture	File Transfer Protocols		Transmitted Data Manipulation
		Component Firmware	Hijack Execution Flow	Deobfuscate/Decode Files or Information	Credentials In Files	Virtualization/Sandbox Evasion		Data from Network Shared Drive	One-Way Communication		Data Destruction
		Pre-OS Boot	Valid Accounts	Impair Defenses	Web Cookies	Log Enumeration		Input Capture	Multi-hop Proxy		Network Denial of Service
		Login Items	Exploitation for Privilege Escalation	Masquerading	Forge Web Credentials	Process Discovery		ARP Cache Poisoning	Data Obfuscation		Firmware Corruption
		Port Knocking	Event Triggered Execution	Clear Mailbox Data	Multi-Factor Authentication Request Generation	User Activity Based Checks		Data from Information Repositories	Non-Standard Port		Inhibit System Recovery
		Compromise Host Software Binary	Unix Shell Configuration Modification	Process Injection	Exploitation for Credential Access	Local Groups			Encrypted Channel		Disk Content Wipe
		Emond	Elevated Execution with Prompt	Traffic Signaling	GUI Input Capture	Password Policy Discovery			Bidirectional Communication		System Shutdown/Reboot
		Account Manipulation	Startup Items	System Binary Proxy Execution	Brute Force	System Language Discovery			Asymmetric Cryptography
		Kernel Modules and Extensions	Domain Accounts	Timestomp	Credential Stuffing	System Location Discovery			Non-Application Layer Protocol
		Hijack Execution Flow	Launch Agent	Reflective Code Loading	Multi-Factor Authentication	Security Software Discovery			Protocol Impersonation
		Valid Accounts	Installer Packages	Ignore Process Interrupts	Input Capture	Remote System Discovery			Domain Fronting
		Multi-Factor Authentication	RC Scripts	Time Based Evasion	ARP Cache Poisoning	Network Service Discovery			Data Encoding
		Event Triggered Execution	Re-opened Applications	Disable or Modify System Firewall	Multi-Factor Authentication Interception	Software Discovery			Non-Standard Encoding
		Unix Shell Configuration Modification	TCC Manipulation	Electron Applications	Modify Authentication Process	Debugger Evasion			Web Protocols
		Startup Items	At	Code Signing Policy Modification		System Time Discovery			Ingress Tool Transfer
		Domain Accounts	Dylib Hijacking	Binary Padding					Hide Infrastructure
		Launch Agent	Local Accounts	Default Accounts					Steganography
		Server Software Component		Dynamic Linker Hijacking					Fallback Channels
		Installer Packages		File and Directory Permissions Modification					Internal Proxy
		RC Scripts		Abuse Elevation Control Mechanism					Dead Drop Resolver
		Create Account		Setuid and Setgid					Junk Data
		Re-opened Applications		Indicator Blocking
		Power Settings		Right-to-Left Override
		At		Component Firmware
		Modify Authentication Process		Indicator Removal
		Dylib Hijacking		Masquerade Task or Service
		Local Accounts		Plist File Modification
				Pre-OS Boot
				Downgrade Attack
				Virtualization/Sandbox Evasion
				Execution Guardrails
				Port Knocking
				Hidden Users
				Impair Command History Logging
				User Activity Based Checks
				Disable or Modify Tools
				Hijack Execution Flow
				Indicator Removal from Tools
				Valid Accounts
				Resource Forking
				Obfuscated Files or Information
				Multi-Factor Authentication
				Invalid Code Signature
				Run Virtual Instance
				Subvert Trust Controls
				Elevated Execution with Prompt
				Rename System Utilities
				Spoof Security Alerting
				Steganography
				Domain Accounts
				Install Root Certificate
				Compile After Delivery
				VBA Stomping
				Impersonation
				Hidden Window
				Clear Persistence
				HTML Smuggling
				Command Obfuscation
				File Deletion
				Software Packing
				Hidden File System
				Debugger Evasion
				Space after Filename
				TCC Manipulation
				Hidden Files and Directories
				Environmental Keying
				Modify Authentication Process
				Dylib Hijacking
				Local Accounts
				Exploitation for Defense Evasion

Overview

Attack-macOS is a library of scripts mapped to MITRE ATT&CK. Security teams can use Attack-macOS to execute techniques and discover new detection opportunities in macOS environments.

Problem	Challenge	Solution
• Limited opensource security tools • Technique procedures primarily focused on tier I/II (advanced) Tool Index • Most commercial tools primarily focused on hardening and MDM	• Insufficient capabilities to evaluate macOS defenses • Inadequate detection exposes systems to potential risks • Limited tooling hinders proactive security measures	Build a library of macOS specific attack scripts dedicated to help identify better detection opportunities in macOS specific endpoint security solutions.

Objective

This project aims to simplify the execution of Living Off The Land (LOTL) techniques via standalone, modular, flexible, interaperable, and easy-to-maintain scripts.

Dependencies

All Attack-macOS scripts use native macOS binaries, interpreters, playlists, libraries, tools, and utilities. If third-party tools are installed (brew, slack,jamf), techniques that leverage third-party apps can be executed.

Key Features

Feature	Description
Template	Includes a YAML template for creating new scripts and dynamically generating scripts.
Modular Design	Self-contained scripts that can be used independently or combined, easily integrating with existing frameworks.
Customizable	Easily modifiable and extendable, with centralized execution control via global variables and flags.
macOS Native	Uses native tools and languages to emulate adversary techniques without external dependencies.
MITRE ATT&CK Mapped	All scripts and arguments directly mapped to the MITRE ATT&CK framework.
Logging	Consistent built-in logging capability across all scripts for output analysis.
Encoding and Encryption	Multiple data encoding options and integrated encryption functions.
Exfiltration	Simulates data exfiltration via HTTP or DNS protocols.
Integration	Seamlessly integrates with existing security tools, automation pipelines, and CI/CD workflows.

Compatibility

Quick Start

Install Options:

git clone https://github.com/armadoinc/attack-macos

Fetch and Execute:

TBD

Remote Execution:

TBD

Documentation

• Documentation
• Script Blueprint

License

This project is licensed under the Apache License 2.0. See the LICENSE file for more details.

Credits and References

In short, every macOS focused opensoruce security project, blog post, CTI, Apple Dev Docs, especially the archived docs, and MITRE ATT&CK. -- Full list hhere: --> Acknoledgements