[](_DOCS/Procedures/Procedure%20Matrix.md)
[](https://x.com/attackmacos)
# **MITRE ATT&CK Coverage Matrix**
ATT&CK Coverage •
Key Features •
Compatibility •
Quick Start •
License
The Matrix contains information for the macOS platformThe number of possible procedures per technique is vast. These statistics use conservative estimates for coverage calculations.
-grey?style=for-the-badge)
-grey?style=for-the-badge)
##
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command And Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| External Remote Services | Shared Modules | Socket Filters | Boot or Logon Initialization Scripts | Socket Filters | Adversary-in-the-Middle | System Owner/User Discovery | VNC | Archive via Utility | Socket Filters | Exfiltration Over Web Service | Disk Structure Wipe |
| Compromise Software Dependencies and Development Tools | JavaScript | Boot or Logon Initialization Scripts | Path Interception by PATH Environment Variable | Embedded Payloads | Pluggable Authentication Modules | Internet Connection Discovery | Taint Shared Content | Screen Capture | Standard Encoding | Exfiltration Over Webhook | Direct Network Flood |
| Spearphishing Link | Malicious File | Pluggable Authentication Modules | Create or Modify System Process | Pluggable Authentication Modules | Keylogging | Permission Groups Discovery | SSH | Adversary-in-the-Middle | Domain Generation Algorithms | Scheduled Transfer | External Defacement |
| Spearphishing Attachment | Cron | Path Interception by PATH Environment Variable | LC_LOAD_DYLIB Addition | File/Path Exclusions | Password Guessing | Device Driver Discovery | SSH Hijacking | Keylogging | DNS | Exfiltration Over Other Network Medium | OS Exhaustion Flood |
| Compromise Hardware Supply Chain | Scheduled Task/Job | Create or Modify System Process | Sudo and Sudo Caching | Linux and Mac File and Directory Permissions Modification | OS Credential Dumping | Domain Account | Remote Services | Audio Capture | Symmetric Cryptography | Exfiltration Over Bluetooth | Application Exhaustion Flood |
| Supply Chain Compromise | AppleScript | External Remote Services | Boot or Logon Autostart Execution | Path Interception by PATH Environment Variable | Steal Web Session Cookie | ](https://img.shields.io/badge/T1087.001-lightgrey?style=for-the-badge&label=%2012%20&labelColor=3bc05a&color=494949)Local Account | Remote Service Session Hijacking | Archive via Custom Method | Fast Flux DNS | Automated Exfiltration | Disk Wipe |
| Exploit Public-Facing Application | Native API | LC_LOAD_DYLIB Addition | Cron | Email Hiding Rules | Securityd Memory | System Checks | Software Deployment Tools | Email Collection | Application Layer Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Stored Data Manipulation |
| Content Injection | Command and Scripting Interpreter | Boot or Logon Autostart Execution | Scheduled Task/Job | Encrypted/Encoded File | Password Cracking | Domain Groups | Exploitation of Remote Services | Data from Removable Media | Remote Access Software | Exfiltration to Code Repository | Service Stop |
| Default Accounts | Launchctl | Cron | Login Hook | Rootkit | ](https://img.shields.io/badge/T1555.001-lightgrey?style=for-the-badge&label=%209%20&labelColor=3bc05a&color=494949)Keychain | System Service Discovery | Internal Spearphishing | Local Data Staging | Content Injection | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Application or System Exploitation |
| Trusted Relationship | XPC Services | Scheduled Task/Job | Process Injection | Sudo and Sudo Caching | Password Managers | Network Sniffing | Lateral Tool Transfer | Automated Collection | Traffic Signaling | ](https://img.shields.io/badge/T1041-lightgrey?style=for-the-badge&label=%202%20&labelColor=3bc05a&color=494949)Exfiltration Over C2 Channel | Runtime Data Manipulation |
| Phishing | User Execution | Browser Extensions | Launch Daemon | Match Legitimate Name or Location | Network Sniffing | Network Share Discovery | | Clipboard Data | Protocol Tunneling | Exfiltration Over Alternative Protocol | Reflection Amplification |
| ](https://img.shields.io/badge/T1078-lightgrey?style=for-the-badge&label=%202%20&labelColor=3bc05a&color=494949)Valid Accounts | Software Deployment Tools | Login Hook | Default Accounts | Masquerade File Type | Steal or Forge Kerberos Tickets | Peripheral Device Discovery | | Remote Data Staging | Mail Protocols | Exfiltration over USB | Service Exhaustion Flood |
| Spearphishing Voice | Unix Shell | Traffic Signaling | Trap | Hide Artifacts | Credentials from Password Stores | System Information Discovery | | Data from Local System | Communication Through Removable Media | Exfiltration to Text Storage Sites | Defacement |
| Compromise Software Supply Chain | Inter-Process Communication | Launch Daemon | Dynamic Linker Hijacking | System Checks | Unsecured Credentials | Wi-Fi Discovery | | Archive via Library | External Proxy | Exfiltration to Cloud Storage | Financial Theft |
| Domain Accounts | Exploitation for Client Execution | Web Shell | Abuse Elevation Control Mechanism | Clear Linux or Mac System Logs | Credentials from Web Browsers | Application Window Discovery | | Archive Collected Data | Proxy | Data Transfer Size Limits | Internal Defacement |
| Hardware Additions | ](https://img.shields.io/badge/T1059.006-lightgrey?style=for-the-badge&label=%201%20&labelColor=3bc05a&color=494949)Python | Default Accounts | Setuid and Setgid | Stripped Payloads | DHCP Spoofing | Time Based Evasion | | DHCP Spoofing | Dynamic Resolution | Exfiltration Over Physical Medium | Data Manipulation |
| Drive-by Compromise | System Services | Trap | SSH Authorized Keys | Gatekeeper Bypass | Private Keys | ](https://img.shields.io/badge/T1217-lightgrey?style=for-the-badge&label=%204%20&labelColor=3bc05a&color=494949)Browser Information Discovery | | Web Portal Capture | Web Service | Exfiltration Over Unencrypted Non-C2 Protocol | Account Access Removal |
| Spearphishing via Service | Visual Basic | Dynamic Linker Hijacking | Login Items | Code Signing | Password Spraying | System Network Configuration Discovery | | Video Capture | DNS Calculation | | Data Encrypted for Impact |
| Local Accounts | Malicious Link | Local Account | Emond | Break Process Trees | Web Portal Capture | Account Discovery | | Email Forwarding Rule | Multi-Stage Channels | | Endpoint Denial of Service |
| | At | SSH Authorized Keys | Account Manipulation | Clear Network Connection History and Configurations | Steal or Forge Authentication Certificates | File and Directory Discovery | | Data Staged | Port Knocking | | Resource Hijacking |
| | | Domain Account | Kernel Modules and Extensions | Clear Command History | Bash History | System Network Connections Discovery | | GUI Input Capture | File Transfer Protocols | | Transmitted Data Manipulation |
| | | Component Firmware | Hijack Execution Flow | ](https://img.shields.io/badge/T1140-lightgrey?style=for-the-badge&label=%201%20&labelColor=3bc05a&color=494949)Deobfuscate/Decode Files or Information | Credentials In Files | Virtualization/Sandbox Evasion | | Data from Network Shared Drive | One-Way Communication | | Data Destruction |
| | | Pre-OS Boot | ](https://img.shields.io/badge/T1078-lightgrey?style=for-the-badge&label=%202%20&labelColor=3bc05a&color=494949)Valid Accounts | Impair Defenses | Web Cookies | Log Enumeration | | Input Capture | Multi-hop Proxy | | Network Denial of Service |
| | | Login Items | Exploitation for Privilege Escalation | Masquerading | Forge Web Credentials | Process Discovery | | ARP Cache Poisoning | Data Obfuscation | | Firmware Corruption |
| | | Port Knocking | Event Triggered Execution | Clear Mailbox Data | Multi-Factor Authentication Request Generation | User Activity Based Checks | | Data from Information Repositories | Non-Standard Port | | Inhibit System Recovery |
| | | Compromise Host Software Binary | Unix Shell Configuration Modification | Process Injection | Exploitation for Credential Access | Local Groups | | | Encrypted Channel | | Disk Content Wipe |
| | | Emond | Elevated Execution with Prompt | Traffic Signaling | GUI Input Capture | Password Policy Discovery | | | Bidirectional Communication | | System Shutdown/Reboot |
| | | Account Manipulation | Startup Items | System Binary Proxy Execution | Brute Force | System Language Discovery | | | Asymmetric Cryptography | | |
| | | Kernel Modules and Extensions | Domain Accounts | Timestomp | Credential Stuffing | System Location Discovery | | | Non-Application Layer Protocol | | |
| | | Hijack Execution Flow | Launch Agent | Reflective Code Loading | Multi-Factor Authentication | ](https://img.shields.io/badge/T1518.001-lightgrey?style=for-the-badge&label=%2010%20&labelColor=3bc05a&color=494949)Security Software Discovery | | | Protocol Impersonation | | |
| | | ](https://img.shields.io/badge/T1078-lightgrey?style=for-the-badge&label=%202%20&labelColor=3bc05a&color=494949)Valid Accounts | Installer Packages | Ignore Process Interrupts | Input Capture | Remote System Discovery | | | Domain Fronting | | |
| | | Multi-Factor Authentication | RC Scripts | Time Based Evasion | ARP Cache Poisoning | Network Service Discovery | | | Data Encoding | | |
| | | Event Triggered Execution | Re-opened Applications | Disable or Modify System Firewall | Multi-Factor Authentication Interception | Software Discovery | | | Non-Standard Encoding | | |
| | | Unix Shell Configuration Modification | TCC Manipulation | Electron Applications | Modify Authentication Process | Debugger Evasion | | | Web Protocols | | |
| | | Startup Items | At | Code Signing Policy Modification | | System Time Discovery | | | Ingress Tool Transfer | | |
| | | Domain Accounts | Dylib Hijacking | ](https://img.shields.io/badge/T1027.001-lightgrey?style=for-the-badge&label=%201%20&labelColor=3bc05a&color=494949)Binary Padding | | | | | Hide Infrastructure | | |
| | | Launch Agent | Local Accounts | Default Accounts | | | | | Steganography | | |
| | | Server Software Component | | Dynamic Linker Hijacking | | | | | Fallback Channels | | |
| | | Installer Packages | | File and Directory Permissions Modification | | | | | Internal Proxy | | |
| | | RC Scripts | | Abuse Elevation Control Mechanism | | | | | Dead Drop Resolver | | |
| | | Create Account | | Setuid and Setgid | | | | | Junk Data | | |
| | | Re-opened Applications | | Indicator Blocking | | | | | | | |
| | | Power Settings | | Right-to-Left Override | | | | | | | |
| | | At | | Component Firmware | | | | | | | |
| | | Modify Authentication Process | | Indicator Removal | | | | | | | |
| | | Dylib Hijacking | | Masquerade Task or Service | | | | | | | |
| | | Local Accounts | | Plist File Modification | | | | | | | |
| | | | | Pre-OS Boot | | | | | | | |
| | | | | Downgrade Attack | | | | | | | |
| | | | | Virtualization/Sandbox Evasion | | | | | | | |
| | | | | Execution Guardrails | | | | | | | |
| | | | | Port Knocking | | | | | | | |
| | | | | Hidden Users | | | | | | | |
| | | | | Impair Command History Logging | | | | | | | |
| | | | | User Activity Based Checks | | | | | | | |
| | | | | Disable or Modify Tools | | | | | | | |
| | | | | Hijack Execution Flow | | | | | | | |
| | | | | Indicator Removal from Tools | | | | | | | |
| | | | | ](https://img.shields.io/badge/T1078-lightgrey?style=for-the-badge&label=%202%20&labelColor=3bc05a&color=494949)Valid Accounts | | | | | | | |
| | | | | Resource Forking | | | | | | | |
| | | | | ](https://img.shields.io/badge/T1027-lightgrey?style=for-the-badge&label=%202%20&labelColor=3bc05a&color=494949)Obfuscated Files or Information | | | | | | | |
| | | | | Multi-Factor Authentication | | | | | | | |
| | | | | Invalid Code Signature | | | | | | | |
| | | | | Run Virtual Instance | | | | | | | |
| | | | | Subvert Trust Controls | | | | | | | |
| | | | | Elevated Execution with Prompt | | | | | | | |
| | | | | Rename System Utilities | | | | | | | |
| | | | | Spoof Security Alerting | | | | | | | |
| | | | | ](https://img.shields.io/badge/T1027.003-lightgrey?style=for-the-badge&label=%201%20&labelColor=3bc05a&color=494949)Steganography | | | | | | | |
| | | | | Domain Accounts | | | | | | | |
| | | | | Install Root Certificate | | | | | | | |
| | | | | Compile After Delivery | | | | | | | |
| | | | | VBA Stomping | | | | | | | |
| | | | | Impersonation | | | | | | | |
| | | | | Hidden Window | | | | | | | |
| | | | | Clear Persistence | | | | | | | |
| | | | | HTML Smuggling | | | | | | | |
| | | | | Command Obfuscation | | | | | | | |
| | | | | File Deletion | | | | | | | |
| | | | | Software Packing | | | | | | | |
| | | | | Hidden File System | | | | | | | |
| | | | | Debugger Evasion | | | | | | | |
| | | | | Space after Filename | | | | | | | |
| | | | | TCC Manipulation | | | | | | | |
| | | | | Hidden Files and Directories | | | | | | | |
| | | | | Environmental Keying | | | | | | | |
| | | | | Modify Authentication Process | | | | | | | |
| | | | | Dylib Hijacking | | | | | | | |
| | | | | Local Accounts | | | | | | | |
| | | | | Exploitation for Defense Evasion | | | | | | | |
Overview
Attack-macOS is a library of scripts mapped to MITRE ATT&CK. Security teams can use Attack-macOS to execute techniques and discover new detection opportunities in macOS environments.
| Problem |
Challenge |
Solution |
• Limited opensource security tools
• Technique procedures primarily focused on tier I/II (advanced) Tool Index
• Most commercial tools primarily focused on hardening and MDM |
• Insufficient capabilities to evaluate macOS defenses
• Inadequate detection exposes systems to potential risks
• Limited tooling hinders proactive security measures |
Build a library of macOS specific attack scripts dedicated to help identify better detection opportunities in macOS specific endpoint security solutions. |
Objective
This project aims to simplify the execution of Living Off The Land (LOTL) techniques via standalone, modular, flexible, interaperable, and easy-to-maintain scripts.
Dependencies
All Attack-macOS scripts use native macOS binaries, interpreters, playlists, libraries, tools, and utilities. If third-party tools are installed (brew, slack,jamf), techniques that leverage third-party apps can be executed.
Key Features
| Feature |
Description |
| Template |
Includes a YAML template for creating new scripts and dynamically generating scripts. |
| Modular Design |
Self-contained scripts that can be used independently or combined, easily integrating with existing frameworks. |
| Customizable |
Easily modifiable and extendable, with centralized execution control via global variables and flags. |
| macOS Native |
Uses native tools and languages to emulate adversary techniques without external dependencies. |
| MITRE ATT&CK Mapped |
All scripts and arguments directly mapped to the MITRE ATT&CK framework. |
| Logging |
Consistent built-in logging capability across all scripts for output analysis. |
| Encoding and Encryption |
Multiple data encoding options and integrated encryption functions. |
| Exfiltration |
Simulates data exfiltration via HTTP or DNS protocols. |
| Integration |
Seamlessly integrates with existing security tools, automation pipelines, and CI/CD workflows. |
Compatibility
Quick Start
Install Options:
git clone https://github.com/armadoinc/attack-macos
Fetch and Execute:
TBD
Remote Execution:
TBD
Documentation
License
This project is licensed under the Apache License 2.0. See the LICENSE file for more details.
Credits and References
In short, every macOS focused opensoruce security project, blog post, CTI, Apple Dev Docs, especially the archived docs, and MITRE ATT&CK.
-- Full list hhere: --> Acknoledgements