macOS Atomic Tests by ATT&CK Tactic & Technique
defense-evasion
- T1205.002 Socket Filters CONTRIBUTE A TEST
- T1027.009 Embedded Payloads CONTRIBUTE A TEST
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules CONTRIBUTE A TEST
- T1564.012 File/Path Exclusions CONTRIBUTE A TEST
- T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #11: Chmod through c script [macos, linux]
- Atomic Test #13: Chown through c script [macos, linux]
- T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
- T1564.008 Hide Artifacts: Email Hiding Rules CONTRIBUTE A TEST
- T1027.013 Encrypted/Encoded File CONTRIBUTE A TEST
- T1014 Rootkit CONTRIBUTE A TEST
- T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- T1036.005 Masquerading: Match Legitimate Name or Location
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1036.008 Masquerade File Type CONTRIBUTE A TEST
- T1564 Hide Artifacts CONTRIBUTE A TEST
- T1497.001 Virtualization/Sandbox Evasion: System Checks
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #3: Delete log files using built-in log utility [macos]
- Atomic Test #4: Truncate system log files via truncate utility [macos]
- Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
- Atomic Test #8: System log file deletion via find utility [macos]
- Atomic Test #9: Overwrite macOS system log via echo utility [macos]
- Atomic Test #11: Real-time system log clearance/deletion [macos]
- Atomic Test #12: Delete system log files via unlink utility [macos]
- Atomic Test #14: Delete system log files using shred utility [macos]
- Atomic Test #15: Delete system log files using srm utility [macos]
- Atomic Test #16: Delete system log files using OSAScript [macos]
- Atomic Test #17: Delete system log files using Applescript [macos]
- T1027.008 Stripped Payloads CONTRIBUTE A TEST
- T1553.001 Subvert Trust Controls: Gatekeeper Bypass
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1553.002 Code Signing CONTRIBUTE A TEST
- T1036.009 Break Process Trees CONTRIBUTE A TEST
- T1070.007 Clear Network Connection History and Configurations CONTRIBUTE A TEST
- T1070.003 Indicator Removal on Host: Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- T1140 Deobfuscate/Decode Files or Information
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
- T1562 Impair Defenses CONTRIBUTE A TEST
- T1036 Masquerading CONTRIBUTE A TEST
- T1070.008 Email Collection: Mailbox Manipulation
- Atomic Test #3: Copy and Delete Mailbox Data on macOS [macos]
- Atomic Test #6: Copy and Modify Mailbox Data on macOS [macos]
- T1055 Process Injection CONTRIBUTE A TEST
- T1205 Traffic Signaling CONTRIBUTE A TEST
- T1218 Signed Binary Proxy Execution CONTRIBUTE A TEST
- T1070.006 Indicator Removal on Host: Timestomp
- Atomic Test #1: Set a file’s access timestamp [linux, macos]
- Atomic Test #2: Set a file’s modification timestamp [linux, macos]
- Atomic Test #3: Set a file’s creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #9: MacOS - Timestomp Date Modified [macos]
- T1620 Reflective Code Loading CONTRIBUTE A TEST
- T1564.011 Ignore Process Interrupts CONTRIBUTE A TEST
- T1497.003 Time Based Evasion
- Atomic Test #1: Delay execution with ping [linux, macos]
- T1562.004 Impair Defenses: Disable or Modify System Firewall CONTRIBUTE A TEST
- T1218.015 Electron Applications CONTRIBUTE A TEST
- T1553.006 Subvert Trust Controls: Code Signing Policy Modification CONTRIBUTE A TEST
- T1027.001 Obfuscated Files or Information: Binary Padding
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
- T1078.001 Valid Accounts: Default Accounts
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1574.006 Hijack Execution Flow: LD_PRELOAD
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1222 File and Directory Permissions Modification CONTRIBUTE A TEST
- T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
- T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
- T1562.006 Impair Defenses: Indicator Blocking CONTRIBUTE A TEST
- T1036.002 Right-to-Left Override CONTRIBUTE A TEST
- T1542.002 Component Firmware CONTRIBUTE A TEST
- T1070 Indicator Removal on Host CONTRIBUTE A TEST
- T1036.004 Masquerading: Masquerade Task or Service CONTRIBUTE A TEST
- T1647 Plist File Modification
- Atomic Test #1: Plist Modification [macos]
- T1542 Pre-OS Boot CONTRIBUTE A TEST
- T1562.010 Impair Defenses: Downgrade Attack CONTRIBUTE A TEST
- T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
- T1480 Execution Guardrails CONTRIBUTE A TEST
- T1205.001 Port Knocking CONTRIBUTE A TEST
- T1564.002 Hide Artifacts: Hidden Users
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- T1562.003 Impair Defenses: Impair Command History Logging
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #3: Mac HISTCONTROL [macos, linux]
- T1497.002 User Activity Based Checks CONTRIBUTE A TEST
- T1562.001 Impair Defenses: Disable or Modify Tools
- Atomic Test #6: Disable Carbon Black Response [macos]
- Atomic Test #7: Disable LittleSnitch [macos]
- Atomic Test #8: Disable OpenDNS Umbrella [macos]
- Atomic Test #9: Disable macOS Gatekeeper [macos]
- Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS [macos]
- Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
- T1574 Hijack Execution Flow CONTRIBUTE A TEST
- T1027.005 Indicator Removal from Tools CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1564.009 Resource Forking CONTRIBUTE A TEST
- T1027 Obfuscated Files or Information
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
- T1036.001 Invalid Code Signature CONTRIBUTE A TEST
- T1564.006 Run Virtual Instance CONTRIBUTE A TEST
- T1553 Subvert Trust Controls CONTRIBUTE A TEST
- T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
- T1036.003 Masquerading: Rename System Utilities CONTRIBUTE A TEST
- T1562.011 Spoof Security Alerting CONTRIBUTE A TEST
- T1027.003 Steganography CONTRIBUTE A TEST
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1553.004 Subvert Trust Controls: Install Root Certificate
- Atomic Test #4: Install root CA on macOS [macos]
- T1027.004 Obfuscated Files or Information: Compile After Delivery
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping CONTRIBUTE A TEST
- T1656 Impersonation CONTRIBUTE A TEST
- T1564.003 Hide Artifacts: Hidden Window CONTRIBUTE A TEST
- T1070.009 Clear Persistence CONTRIBUTE A TEST
- T1027.006 HTML Smuggling CONTRIBUTE A TEST
- T1027.010 Command Obfuscation CONTRIBUTE A TEST
- T1070.004 Indicator Removal on Host: File Deletion
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
- T1027.002 Obfuscated Files or Information: Software Packing
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1564.005 Hidden File System CONTRIBUTE A TEST
- T1622 Debugger Evasion CONTRIBUTE A TEST
- T1036.006 Masquerading: Space after Filename
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- T1548.006 TCC Manipulation CONTRIBUTE A TEST
- T1564.001 Hide Artifacts: Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- T1480.001 Environmental Keying CONTRIBUTE A TEST
- T1556 Modify Authentication Process CONTRIBUTE A TEST
- T1574.004 Dylib Hijacking CONTRIBUTE A TEST
- T1078.003 Valid Accounts: Local Accounts
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
persistence
- T1205.002 Socket Filters CONTRIBUTE A TEST
- T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules CONTRIBUTE A TEST
- T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
- T1543 Create or Modify System Process CONTRIBUTE A TEST
- T1133 External Remote Services CONTRIBUTE A TEST
- T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
- T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
- T1053.003 Scheduled Task/Job: Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1053 Scheduled Task/Job CONTRIBUTE A TEST
- T1176 Browser Extensions
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1205 Traffic Signaling CONTRIBUTE A TEST
- T1543.004 Create or Modify System Process: Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- T1505.003 Server Software Component: Web Shell CONTRIBUTE A TEST
- T1078.001 Valid Accounts: Default Accounts
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1546.005 Event Triggered Execution: Trap
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #3: Trap SIGINT [macos, linux]
- T1574.006 Hijack Execution Flow: LD_PRELOAD
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1136.001 Create Account: Local Account
- Atomic Test #3: Create a user account on a MacOS system [macos]
- T1098.004 SSH Authorized Keys
- Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
- T1136.002 Create Account: Domain Account CONTRIBUTE A TEST
- T1542.002 Component Firmware CONTRIBUTE A TEST
- T1542 Pre-OS Boot CONTRIBUTE A TEST
- T1547.015 Boot or Logon Autostart Execution: Login Items
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1205.001 Port Knocking CONTRIBUTE A TEST
- T1554 Compromise Host Software Binary CONTRIBUTE A TEST
- T1546.014 Event Triggered Execution: Emond
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1098 Account Manipulation CONTRIBUTE A TEST
- T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1574 Hijack Execution Flow CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
- T1546 Event Triggered Execution CONTRIBUTE A TEST
- T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1037.005 Boot or Logon Initialization Scripts: Startup Items
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1543.001 Create or Modify System Process: Launch Agent
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1505 Server Software Component CONTRIBUTE A TEST
- T1546.016 Installer Packages CONTRIBUTE A TEST
- T1037.004 Boot or Logon Initialization Scripts: Rc.common
- Atomic Test #1: rc.common [macos]
- T1136 Create Account CONTRIBUTE A TEST
- T1547.007 Boot or Logon Autostart Execution: Re-opened Applications
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- T1653 Power Settings CONTRIBUTE A TEST
- T1053.002 Scheduled Task/Job: At CONTRIBUTE A TEST
- T1556 Modify Authentication Process CONTRIBUTE A TEST
- T1574.004 Dylib Hijacking CONTRIBUTE A TEST
- T1078.003 Valid Accounts: Local Accounts
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
command-and-control
- T1205.002 Socket Filters CONTRIBUTE A TEST
- T1132.001 Data Encoding: Standard Encoding
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Domain Generation Algorithms CONTRIBUTE A TEST
- T1071.004 Application Layer Protocol: DNS CONTRIBUTE A TEST
- T1573.001 Symmetric Cryptography CONTRIBUTE A TEST
- T1568.001 Fast Flux DNS CONTRIBUTE A TEST
- T1071 Application Layer Protocol CONTRIBUTE A TEST
- T1219 Remote Access Software CONTRIBUTE A TEST
- T1659 Content Injection CONTRIBUTE A TEST
- T1205 Traffic Signaling CONTRIBUTE A TEST
- T1572 Protocol Tunneling CONTRIBUTE A TEST
- T1071.003 Mail Protocols CONTRIBUTE A TEST
- T1092 Communication Through Removable Media CONTRIBUTE A TEST
- T1090.002 External Proxy CONTRIBUTE A TEST
- T1090 Proxy CONTRIBUTE A TEST
- T1568 Dynamic Resolution CONTRIBUTE A TEST
- T1102 Web Service CONTRIBUTE A TEST
- T1568.003 DNS Calculation CONTRIBUTE A TEST
- T1104 Multi-Stage Channels CONTRIBUTE A TEST
- T1205.001 Port Knocking CONTRIBUTE A TEST
- T1071.002 File Transfer Protocols CONTRIBUTE A TEST
- T1102.003 One-Way Communication CONTRIBUTE A TEST
- T1090.003 Proxy: Multi-hop Proxy
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1001 Data Obfuscation CONTRIBUTE A TEST
- T1571 Non-Standard Port
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel CONTRIBUTE A TEST
- T1102.002 Bidirectional Communication CONTRIBUTE A TEST
- T1573.002 Asymmetric Cryptography CONTRIBUTE A TEST
- T1095 Non-Application Layer Protocol CONTRIBUTE A TEST
- T1001.003 Protocol Impersonation CONTRIBUTE A TEST
- T1090.004 Domain Fronting CONTRIBUTE A TEST
- T1132 Data Encoding CONTRIBUTE A TEST
- T1132.002 Non-Standard Encoding CONTRIBUTE A TEST
- T1071.001 Application Layer Protocol: Web Protocols
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1105 Ingress Tool Transfer
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #31: File download via nscurl [macos]
- T1665 Hide Infrastructure CONTRIBUTE A TEST
- T1001.002 Data Obfuscation via Steganography CONTRIBUTE A TEST
- T1008 Fallback Channels CONTRIBUTE A TEST
- T1090.001 Proxy: Internal Proxy
- Atomic Test #1: Connection Proxy [linux, macos]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- T1102.001 Dead Drop Resolver CONTRIBUTE A TEST
- T1001.001 Junk Data CONTRIBUTE A TEST
collection
lateral-movement
privilege-escalation
- T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
- T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
- T1543 Create or Modify System Process CONTRIBUTE A TEST
- T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
- T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
- T1053.003 Scheduled Task/Job: Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1053 Scheduled Task/Job CONTRIBUTE A TEST
- T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1055 Process Injection CONTRIBUTE A TEST
- T1543.004 Create or Modify System Process: Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- T1078.001 Valid Accounts: Default Accounts
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1546.005 Event Triggered Execution: Trap
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #3: Trap SIGINT [macos, linux]
- T1574.006 Hijack Execution Flow: LD_PRELOAD
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
- T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
- T1098.004 SSH Authorized Keys
- Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
- T1547.015 Boot or Logon Autostart Execution: Login Items
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1546.014 Event Triggered Execution: Emond
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1098 Account Manipulation CONTRIBUTE A TEST
- T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1574 Hijack Execution Flow CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
- T1546 Event Triggered Execution CONTRIBUTE A TEST
- T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
- T1037.005 Boot or Logon Initialization Scripts: Startup Items
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1543.001 Create or Modify System Process: Launch Agent
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1546.016 Installer Packages CONTRIBUTE A TEST
- T1037.004 Boot or Logon Initialization Scripts: Rc.common
- Atomic Test #1: rc.common [macos]
- T1547.007 Boot or Logon Autostart Execution: Re-opened Applications
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- T1548.006 TCC Manipulation CONTRIBUTE A TEST
- T1053.002 Scheduled Task/Job: At CONTRIBUTE A TEST
- T1574.004 Dylib Hijacking CONTRIBUTE A TEST
- T1078.003 Valid Accounts: Local Accounts
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
credential-access
discovery
- T1033 System Owner/User Discovery
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 System Network Configuration Discovery: Internet Connection Discovery
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
- T1069 Permission Groups Discovery CONTRIBUTE A TEST
- T1652 Device Driver Discovery CONTRIBUTE A TEST
- T1087.002 Account Discovery: Domain Account CONTRIBUTE A TEST
- T1087.001 Account Discovery: Local Account
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- T1497.001 Virtualization/Sandbox Evasion: System Checks
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- T1069.002 Permission Groups Discovery: Domain Groups CONTRIBUTE A TEST
- T1007 System Service Discovery CONTRIBUTE A TEST
- T1040 Network Sniffing
- Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- T1135 Network Share Discovery
- Atomic Test #1: Network Share Discovery [macos]
- T1120 Peripheral Device Discovery CONTRIBUTE A TEST
- T1082 System Information Discovery
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #8: Hostname Discovery [linux, macos]
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
- Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
- Atomic Test #33: sysctl to gather macOS hardware info [macos]
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery CONTRIBUTE A TEST
- T1010 Application Window Discovery CONTRIBUTE A TEST
- T1497.003 Time Based Evasion
- Atomic Test #1: Delay execution with ping [linux, macos]
- T1217 Browser Bookmark Discovery
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #9: List Safari Bookmarks on MacOS [macos]
- T1016 System Network Configuration Discovery
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #8: List macOS Firewall Rules [macos]
- T1087 Account Discovery CONTRIBUTE A TEST
- T1083 File and Directory Discovery
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
- T1049 System Network Connections Discovery
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
- T1654 Log Enumeration CONTRIBUTE A TEST
- T1057 Process Discovery
- Atomic Test #1: Process Discovery - ps [linux, macos]
- T1497.002 User Activity Based Checks CONTRIBUTE A TEST
- T1069.001 Permission Groups Discovery: Local Groups
- Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
- T1201 Password Policy Discovery
- Atomic Test #8: Examine password policy - macOS [macos]
- T1614.001 System Location Discovery: System Language Discovery CONTRIBUTE A TEST
- T1614 System Location Discovery
- Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
- T1518.001 Software Discovery: Security Software Discovery
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- T1018 Remote System Discovery
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- T1046 Network Service Discovery
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- T1518 Software Discovery
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- T1622 Debugger Evasion CONTRIBUTE A TEST
- T1124 System Time Discovery
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
execution
impact
initial-access
exfiltration