macOS Atomic Tests by ATT&CK Tactic & Technique

privilege-escalation

T1546.004 .bash_profile and .bashrc
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
T1543 Create or Modify System Process CONTRIBUTE A TEST
T1053.003 Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
T1078.001 Default Accounts CONTRIBUTE A TEST
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1574.004 Dylib Hijacking CONTRIBUTE A TEST
T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
T1546.014 Emond
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
T1546 Event Triggered Execution CONTRIBUTE A TEST
T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
T1574 Hijack Execution Flow CONTRIBUTE A TEST
T1547.006 Kernel Modules and Extensions CONTRIBUTE A TEST
T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
T1543.001 Launch Agent
- Atomic Test #1: Launch Agent [macos]
T1543.004 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
T1053.004 Launchd
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
T1078.003 Local Accounts CONTRIBUTE A TEST
T1037.002 Logon Script (Mac)
- Atomic Test #1: Logon Scripts - Mac [macos]
T1547.011 Plist Modification
- Atomic Test #1: Plist Modification [macos]
T1055 Process Injection CONTRIBUTE A TEST
T1037.004 Rc.common
- Atomic Test #1: rc.common [macos]
T1547.007 Re-opened Applications
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
T1053 Scheduled Task/Job CONTRIBUTE A TEST
T1548.001 Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
T1037.005 Startup Items
- Atomic Test #1: Add file to Local Library StartupItems [macos]
T1548.003 Sudo and Sudo Caching
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
T1546.005 Trap
- Atomic Test #1: Trap [macos, linux]
T1078 Valid Accounts CONTRIBUTE A TEST

persistence

T1546.004 .bash_profile and .bashrc
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
T1098 Account Manipulation CONTRIBUTE A TEST
T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
T1554 Compromise Client Software Binary CONTRIBUTE A TEST
T1136 Create Account CONTRIBUTE A TEST
T1543 Create or Modify System Process CONTRIBUTE A TEST
T1053.003 Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
T1078.001 Default Accounts CONTRIBUTE A TEST
T1136.002 Domain Account CONTRIBUTE A TEST
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1574.004 Dylib Hijacking CONTRIBUTE A TEST
T1546.014 Emond
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
T1546 Event Triggered Execution CONTRIBUTE A TEST
T1574 Hijack Execution Flow CONTRIBUTE A TEST
T1547.006 Kernel Modules and Extensions CONTRIBUTE A TEST
T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
T1543.001 Launch Agent
- Atomic Test #1: Launch Agent [macos]
T1543.004 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
T1053.004 Launchd
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
T1136.001 Local Account
- Atomic Test #2: Create a user account on a MacOS system [macos]
T1078.003 Local Accounts CONTRIBUTE A TEST
T1037.002 Logon Script (Mac)
- Atomic Test #1: Logon Scripts - Mac [macos]
T1547.011 Plist Modification
- Atomic Test #1: Plist Modification [macos]
T1205.001 Port Knocking CONTRIBUTE A TEST
T1037.004 Rc.common
- Atomic Test #1: rc.common [macos]
T1547.007 Re-opened Applications
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
T1108 Redundant Access CONTRIBUTE A TEST
T1098.004 SSH Authorized Keys
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
T1053 Scheduled Task/Job CONTRIBUTE A TEST
T1505 Server Software Component CONTRIBUTE A TEST
T1037.005 Startup Items
- Atomic Test #1: Add file to Local Library StartupItems [macos]
T1205 Traffic Signaling CONTRIBUTE A TEST
T1546.005 Trap
- Atomic Test #1: Trap [macos, linux]
T1078 Valid Accounts CONTRIBUTE A TEST
T1505.003 Web Shell CONTRIBUTE A TEST

defense-evasion

T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
T1027.001 Binary Padding
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
T1070.003 Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
T1070.002 Clear Linux or Mac System Logs
- Atomic Test #1: rm -rf [macos, linux]
T1553.002 Code Signing CONTRIBUTE A TEST
T1027.004 Compile After Delivery CONTRIBUTE A TEST
T1078.001 Default Accounts CONTRIBUTE A TEST
T1140 Deobfuscate/Decode Files or Information CONTRIBUTE A TEST
T1562.004 Disable or Modify System Firewall CONTRIBUTE A TEST
T1562.001 Disable or Modify Tools
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Stop and unload Crowdstrike Falcon on macOS [macos]
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1574.004 Dylib Hijacking CONTRIBUTE A TEST
T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
T1480.001 Environmental Keying CONTRIBUTE A TEST
T1480 Execution Guardrails CONTRIBUTE A TEST
T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
T1070.004 File Deletion
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
T1222 File and Directory Permissions Modification CONTRIBUTE A TEST
T1553.001 Gatekeeper Bypass
- Atomic Test #1: Gatekeeper Bypass [macos]
T1562.003 HISTCONTROL
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
T1564.005 Hidden File System CONTRIBUTE A TEST
T1564.001 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
T1564.002 Hidden Users
- Atomic Test #1: Hidden Users [macos]
T1564.003 Hidden Window CONTRIBUTE A TEST
T1564 Hide Artifacts CONTRIBUTE A TEST
T1574 Hijack Execution Flow CONTRIBUTE A TEST
T1562 Impair Defenses CONTRIBUTE A TEST
T1562.006 Indicator Blocking CONTRIBUTE A TEST
T1027.005 Indicator Removal from Tools CONTRIBUTE A TEST
T1070 Indicator Removal on Host CONTRIBUTE A TEST
T1553.004 Install Root Certificate
- Atomic Test #3: Install root CA on macOS [macos]
T1036.001 Invalid Code Signature CONTRIBUTE A TEST
T1149 LC_MAIN Hijacking CONTRIBUTE A TEST
T1222.002 Linux and Mac File and Directory Permissions Modification
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
T1078.003 Local Accounts CONTRIBUTE A TEST
T1036 Masquerading CONTRIBUTE A TEST
T1036.005 Match Legitimate Name or Location CONTRIBUTE A TEST
T1556 Modify Authentication Process CONTRIBUTE A TEST
T1027 Obfuscated Files or Information
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST
T1205.001 Port Knocking CONTRIBUTE A TEST
T1055 Process Injection CONTRIBUTE A TEST
T1108 Redundant Access CONTRIBUTE A TEST
T1036.003 Rename System Utilities CONTRIBUTE A TEST
T1036.002 Right-to-Left Override CONTRIBUTE A TEST
T1014 Rootkit CONTRIBUTE A TEST
T1564.006 Run Virtual Instance CONTRIBUTE A TEST
T1064 Scripting CONTRIBUTE A TEST
T1548.001 Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
T1027.002 Software Packing
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
T1036.006 Space after Filename
- Atomic Test #1: Space After Filename [macos]
T1027.003 Steganography CONTRIBUTE A TEST
T1553 Subvert Trust Controls CONTRIBUTE A TEST
T1548.003 Sudo and Sudo Caching
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
T1497.001 System Checks CONTRIBUTE A TEST
T1497.003 Time Based Evasion CONTRIBUTE A TEST
T1070.006 Timestomp
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
T1205 Traffic Signaling CONTRIBUTE A TEST
T1497.002 User Activity Based Checks CONTRIBUTE A TEST
T1078 Valid Accounts CONTRIBUTE A TEST
T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST

impact

T1531 Account Access Removal CONTRIBUTE A TEST
T1499.003 Application Exhaustion Flood CONTRIBUTE A TEST
T1499.004 Application or System Exploitation CONTRIBUTE A TEST
T1485 Data Destruction
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
T1486 Data Encrypted for Impact CONTRIBUTE A TEST
T1565 Data Manipulation CONTRIBUTE A TEST
T1491 Defacement CONTRIBUTE A TEST
T1498.001 Direct Network Flood CONTRIBUTE A TEST
T1561.001 Disk Content Wipe CONTRIBUTE A TEST
T1561.002 Disk Structure Wipe CONTRIBUTE A TEST
T1561 Disk Wipe CONTRIBUTE A TEST
T1499 Endpoint Denial of Service CONTRIBUTE A TEST
T1491.002 External Defacement CONTRIBUTE A TEST
T1495 Firmware Corruption CONTRIBUTE A TEST
T1490 Inhibit System Recovery CONTRIBUTE A TEST
T1491.001 Internal Defacement CONTRIBUTE A TEST
T1498 Network Denial of Service CONTRIBUTE A TEST
T1499.001 OS Exhaustion Flood CONTRIBUTE A TEST
T1498.002 Reflection Amplification CONTRIBUTE A TEST
T1496 Resource Hijacking
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
T1565.003 Runtime Data Manipulation CONTRIBUTE A TEST
T1499.002 Service Exhaustion Flood CONTRIBUTE A TEST
T1565.001 Stored Data Manipulation CONTRIBUTE A TEST
T1529 System Shutdown/Reboot
- Atomic Test #3: Restart System via shutdown - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via shutdown - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via reboot - macOS/Linux [macos, linux]
T1565.002 Transmitted Data Manipulation CONTRIBUTE A TEST

discovery

T1087 Account Discovery CONTRIBUTE A TEST
T1010 Application Window Discovery CONTRIBUTE A TEST
T1217 Browser Bookmark Discovery
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
T1087.002 Domain Account CONTRIBUTE A TEST
T1069.002 Domain Groups CONTRIBUTE A TEST
T1083 File and Directory Discovery
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
T1087.001 Local Account
- Atomic Test #1: Enumerate all accounts (Local) [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
T1069.001 Local Groups
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
T1046 Network Service Scanning
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
T1135 Network Share Discovery
- Atomic Test #1: Network Share Discovery [macos, linux]
T1040 Network Sniffing
- Atomic Test #2: Packet Capture macOS [macos]
T1201 Password Policy Discovery
- Atomic Test #7: Examine password policy - macOS [macos]
T1120 Peripheral Device Discovery CONTRIBUTE A TEST
T1069 Permission Groups Discovery CONTRIBUTE A TEST
T1057 Process Discovery
- Atomic Test #1: Process Discovery - ps [macos, linux]
T1018 Remote System Discovery
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
T1518.001 Security Software Discovery
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
T1518 Software Discovery
- Atomic Test #3: Find and Display Safari Browser Version [macos]
T1497.001 System Checks CONTRIBUTE A TEST
T1082 System Information Discovery
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #7: Hostname Discovery [linux, macos]
T1016 System Network Configuration Discovery
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
T1049 System Network Connections Discovery
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
T1033 System Owner/User Discovery
- Atomic Test #2: System Owner/User Discovery [linux, macos]
T1497.003 Time Based Evasion CONTRIBUTE A TEST
T1497.002 User Activity Based Checks CONTRIBUTE A TEST
T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST

execution

T1059.002 AppleScript
- Atomic Test #1: AppleScript [macos]
T1059 Command and Scripting Interpreter CONTRIBUTE A TEST
T1053.003 Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
T1203 Exploitation for Client Execution CONTRIBUTE A TEST
T1061 Graphical User Interface CONTRIBUTE A TEST
T1059.007 JavaScript/JScript CONTRIBUTE A TEST
T1569.001 Launchctl
- Atomic Test #1: Launchctl [macos]
T1053.004 Launchd
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
T1204.002 Malicious File CONTRIBUTE A TEST
T1204.001 Malicious Link CONTRIBUTE A TEST
T1106 Native API CONTRIBUTE A TEST
T1059.006 Python CONTRIBUTE A TEST
T1053 Scheduled Task/Job CONTRIBUTE A TEST
T1064 Scripting CONTRIBUTE A TEST
T1072 Software Deployment Tools CONTRIBUTE A TEST
T1153 Source CONTRIBUTE A TEST
T1569 System Services CONTRIBUTE A TEST
T1059.004 Unix Shell
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
T1204 User Execution CONTRIBUTE A TEST
T1059.005 Visual Basic CONTRIBUTE A TEST

command-and-control

T1071 Application Layer Protocol CONTRIBUTE A TEST
T1573.002 Asymmetric Cryptography CONTRIBUTE A TEST
T1102.002 Bidirectional Communication CONTRIBUTE A TEST
T1043 Commonly Used Port CONTRIBUTE A TEST
T1092 Communication Through Removable Media CONTRIBUTE A TEST
T1071.004 DNS CONTRIBUTE A TEST
T1568.003 DNS Calculation CONTRIBUTE A TEST
T1132 Data Encoding CONTRIBUTE A TEST
T1001 Data Obfuscation CONTRIBUTE A TEST
T1102.001 Dead Drop Resolver CONTRIBUTE A TEST
T1090.004 Domain Fronting CONTRIBUTE A TEST
T1568.002 Domain Generation Algorithms CONTRIBUTE A TEST
T1568 Dynamic Resolution CONTRIBUTE A TEST
T1573 Encrypted Channel CONTRIBUTE A TEST
T1090.002 External Proxy CONTRIBUTE A TEST
T1008 Fallback Channels CONTRIBUTE A TEST
T1568.001 Fast Flux DNS CONTRIBUTE A TEST
T1071.002 File Transfer Protocols CONTRIBUTE A TEST
T1105 Ingress Tool Transfer
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
T1090.001 Internal Proxy
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
T1001.001 Junk Data CONTRIBUTE A TEST
T1071.003 Mail Protocols CONTRIBUTE A TEST
T1104 Multi-Stage Channels CONTRIBUTE A TEST
T1090.003 Multi-hop Proxy CONTRIBUTE A TEST
T1026 Multiband Communication CONTRIBUTE A TEST
T1095 Non-Application Layer Protocol CONTRIBUTE A TEST
T1132.002 Non-Standard Encoding CONTRIBUTE A TEST
T1571 Non-Standard Port
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
T1102.003 One-Way Communication CONTRIBUTE A TEST
T1205.001 Port Knocking CONTRIBUTE A TEST
T1001.003 Protocol Impersonation CONTRIBUTE A TEST
T1572 Protocol Tunneling CONTRIBUTE A TEST
T1090 Proxy CONTRIBUTE A TEST
T1219 Remote Access Software CONTRIBUTE A TEST
T1132.001 Standard Encoding
- Atomic Test #1: Base64 Encoded data. [macos, linux]
T1001.002 Steganography CONTRIBUTE A TEST
T1573.001 Symmetric Cryptography CONTRIBUTE A TEST
T1205 Traffic Signaling CONTRIBUTE A TEST
T1071.001 Web Protocols
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
T1102 Web Service CONTRIBUTE A TEST

collection

T1560 Archive Collected Data CONTRIBUTE A TEST
T1560.003 Archive via Custom Method CONTRIBUTE A TEST
T1560.002 Archive via Library CONTRIBUTE A TEST
T1560.001 Archive via Utility
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
T1123 Audio Capture CONTRIBUTE A TEST
T1119 Automated Collection CONTRIBUTE A TEST
T1115 Clipboard Data
- Atomic Test #3: Execute commands from clipboard [macos]
T1074 Data Staged CONTRIBUTE A TEST
T1213 Data from Information Repositories CONTRIBUTE A TEST
T1005 Data from Local System CONTRIBUTE A TEST
T1039 Data from Network Shared Drive CONTRIBUTE A TEST
T1025 Data from Removable Media CONTRIBUTE A TEST
T1056.002 GUI Input Capture
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
T1056 Input Capture CONTRIBUTE A TEST
T1056.001 Keylogging CONTRIBUTE A TEST
T1074.001 Local Data Staging
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
T1557 Man-in-the-Middle CONTRIBUTE A TEST
T1074.002 Remote Data Staging CONTRIBUTE A TEST
T1113 Screen Capture
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
T1125 Video Capture CONTRIBUTE A TEST
T1056.003 Web Portal Capture CONTRIBUTE A TEST

exfiltration

T1020 Automated Exfiltration CONTRIBUTE A TEST
T1030 Data Transfer Size Limits
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
T1048 Exfiltration Over Alternative Protocol
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST
T1011.001 Exfiltration Over Bluetooth CONTRIBUTE A TEST
T1041 Exfiltration Over C2 Channel CONTRIBUTE A TEST
T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
T1567 Exfiltration Over Web Service CONTRIBUTE A TEST
T1052.001 Exfiltration over USB CONTRIBUTE A TEST
T1567.002 Exfiltration to Cloud Storage CONTRIBUTE A TEST
T1567.001 Exfiltration to Code Repository CONTRIBUTE A TEST
T1029 Scheduled Transfer CONTRIBUTE A TEST

credential-access

T1552.003 Bash History
- Atomic Test #1: Search Through Bash History [linux, macos]
T1110 Brute Force CONTRIBUTE A TEST
T1110.004 Credential Stuffing CONTRIBUTE A TEST
T1552.001 Credentials In Files
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
T1555 Credentials from Password Stores CONTRIBUTE A TEST
T1555.003 Credentials from Web Browsers
- Atomic Test #2: Search macOS Safari Cookies [macos]
T1212 Exploitation for Credential Access CONTRIBUTE A TEST
T1056.002 GUI Input Capture
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
T1056 Input Capture CONTRIBUTE A TEST
T1555.001 Keychain
- Atomic Test #1: Keychain [macos]
T1056.001 Keylogging CONTRIBUTE A TEST
T1557 Man-in-the-Middle CONTRIBUTE A TEST
T1556 Modify Authentication Process CONTRIBUTE A TEST
T1040 Network Sniffing
- Atomic Test #2: Packet Capture macOS [macos]
T1003 OS Credential Dumping CONTRIBUTE A TEST
T1110.002 Password Cracking CONTRIBUTE A TEST
T1110.001 Password Guessing CONTRIBUTE A TEST
T1110.003 Password Spraying CONTRIBUTE A TEST
T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST
T1552.004 Private Keys
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
T1555.002 Securityd Memory CONTRIBUTE A TEST
T1539 Steal Web Session Cookie CONTRIBUTE A TEST
T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST
T1552 Unsecured Credentials CONTRIBUTE A TEST
T1056.003 Web Portal Capture CONTRIBUTE A TEST

initial-access

T1195.003 Compromise Hardware Supply Chain CONTRIBUTE A TEST
T1195.001 Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST
T1195.002 Compromise Software Supply Chain CONTRIBUTE A TEST
T1078.001 Default Accounts CONTRIBUTE A TEST
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1189 Drive-by Compromise CONTRIBUTE A TEST
T1190 Exploit Public-Facing Application CONTRIBUTE A TEST
T1200 Hardware Additions CONTRIBUTE A TEST
T1078.003 Local Accounts CONTRIBUTE A TEST
T1566 Phishing CONTRIBUTE A TEST
T1566.001 Spearphishing Attachment CONTRIBUTE A TEST
T1566.002 Spearphishing Link CONTRIBUTE A TEST
T1566.003 Spearphishing via Service CONTRIBUTE A TEST
T1195 Supply Chain Compromise CONTRIBUTE A TEST
T1199 Trusted Relationship CONTRIBUTE A TEST
T1078 Valid Accounts CONTRIBUTE A TEST

lateral-movement

T1210 Exploitation of Remote Services CONTRIBUTE A TEST
T1534 Internal Spearphishing CONTRIBUTE A TEST
T1570 Lateral Tool Transfer CONTRIBUTE A TEST
T1563 Remote Service Session Hijacking CONTRIBUTE A TEST
T1021 Remote Services CONTRIBUTE A TEST
T1021.004 SSH CONTRIBUTE A TEST
T1563.001 SSH Hijacking CONTRIBUTE A TEST
T1072 Software Deployment Tools CONTRIBUTE A TEST
T1021.005 VNC CONTRIBUTE A TEST

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

macos-index.md

macos-index.md

macOS Atomic Tests by ATT&CK Tactic & Technique

privilege-escalation

persistence

defense-evasion

impact

discovery

execution

command-and-control

collection

exfiltration

credential-access

initial-access

lateral-movement

Files

macos-index.md

Latest commit

History

macos-index.md

File metadata and controls

macOS Atomic Tests by ATT&CK Tactic & Technique

privilege-escalation

persistence

defense-evasion

impact

discovery

execution

command-and-control

collection

exfiltration

credential-access

initial-access

lateral-movement