Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Impact
Drive-by Compromise AppleScript

.bash_profile and .bashrc

Exploitation for Privilege Escalation Binary Padding Bash History

Account Discovery

Application Deployment Software Audio Capture Automated Exfiltration Commonly Used Port Data Destruction
Exploit Public-Facing Application Command-Line Interface

Browser Extensions

Setuid and Setgid Clear Command History Brute Force Application Window Discovery Exploitation of Remote Services Automated Collection Data Compressed Communication Through Removable Media Data Encrypted for Impact
Hardware Additions Exploitation for Client Execution Create Account Sudo Code Signing Credential Dumping Browser Bookmark Discovery Logon Scripts

Clipboard Data

Data Encrypted Connection Proxy Defacement
Spearphishing Attachment Graphical User Interface Dylib Hijacking Sudo Caching Compile After Delivery

Credentials in Files

File and Directory Discovery

Remote Services

Data Staged

Data Transfer Size Limits Custom Command and Control Protocol Disk Content Wipe
Spearphishing Link Source

Kernel Modules and Extensions

  Disabling Security Tools Exploitation for Credential Access

Network Service Scanning

SSH Hijacking Data from Information Repositories Exfiltration Over Alternative Protocol Custom Cryptographic Protocol Disk Structure Wipe
Spearphishing via Service Third-party Software LC_LOAD_DYLIB Addition   Execution Guardrails Input Prompt Network Share Discovery   Data from Local System Exfiltration Over Command and Control Channel Data Encoding Endpoint Denial of Service
Supply Chain Compromise


Launch Agent

  Exploitation for Defense Evasion Keychain Password Policy Discovery   Data from Network Shared Drive Exfiltration Over Other Network Medium Data Obfuscation Firmware Corruption
Trusted Relationship User Execution

Launch Daemon

  File Deletion Network Sniffing

Permission Groups Discovery

  Data from Removable Media Exfiltration Over Physical Medium Domain Fronting Inhibit System Recovery

Local Job Scheduling

  File Permissions Modification Private Keys

Process Discovery

  Input Capture Scheduled Transfer Domain Generation Algorithms Network Denial of Service
    Login Item  

Gatekeeper Bypass

Securityd Memory Remote System Discovery   Screen Capture   Fallback Channels Resource Hijacking


  HISTCONTROL Two-Factor Authentication Interception

Security Software Discovery

  Video Capture   Multi-Stage Channels Runtime Data Manipulation

Re-opened Applications

  Hidden Files and Directories   System Information Discovery       Multi-hop Proxy Stored Data Manipulation
    Startup Items   Hidden Users  

System Network Configuration Discovery

      Multiband Communication Transmitted Data Manipulation
    Web Shell   Hidden Window  

System Network Connections Discovery

      Multilayer Encryption  
        Indicator Removal from Tools   System Owner/User Discovery       Remote Access Tools  
        Indicator Removal on Host           Remote File Copy  
        Install Root Certificate           Standard Application Layer Protocol  
        LC_MAIN Hijacking           Standard Cryptographic Protocol  
        Launchctl           Standard Non-Application Layer Protocol  
        Masquerading           Uncommonly Used Port  
        Obfuscated Files or Information           Web Service  

Plist Modification

        Port Knocking              
        Process Injection              
        Redundant Access              

Space after Filename

        Valid Accounts