macOS Red Team Tradecraft
macOS Red Team Tradecraft, mapped to the offensive lifecycle
The course is built for authorized macOS operators who need more than disconnected tricks. Each phase follows real red-team workflow, maps to ATT&CK tactics and techniques, and teaches the macOS internals needed to understand why the behavior works, where it fails, and what evidence it creates.
15Phases
109Modules
185TTPs mapped
00
6 modulesOperator Foundations for macOS Tradecraft
No.ModuleAccessTacticATT&CK
0.1Engagement Workflow, Lab Boundaries, Evidence Handling, and CleanupLockedMultiplesupporting methodology
0.2Trust Boundaries an Operator Must Understand Before Touching a TargetFree previewMultiplesupporting foundation for T1553, T1548.006, T1685, T1686, T1078
0.3Process Identity, User Context, and Session Authority for OperatorsLockedDiscovery, Privilege EscalationT1033, T1087.001, T1069.001, T1057
0.4File Artifacts That Affect Delivery, Execution, and OPSECLockedStealth, Defense Impairment, ExecutionT1553.001, T1564.009, T1564.014, T1204
0.5App Bundle and Mach-O Triage Before Weaponizing a TechniqueLockedExecution, Stealth, Defense ImpairmentT1129, T1553.002, T1036.001, T1204.005
0.6Baseline Telemetry: What macOS Records Before the Operation StartsLockedDiscovery, Stealth, Defense ImpairmentT1070, T1685, T1685.006, T1686, T1654
01
8 modulesInitial Access and Payload Delivery Tradecraft
No.ModuleAccessTacticATT&CK
1.1Designing an Authorized macOS Initial Access ChainLockedInitial AccessT1204, T1566.001, T1189
1.2Payload Delivery Formats: App Bundle, Script, PKG, DMG, ZIP, and DocumentLockedInitial Access, ExecutionT1204.001, T1204.002, T1204.004, T1204.005, T1546.016
1.3Getting to First Run: Gatekeeper, Quarantine, Notarization, and User DecisionsLockedInitial Access, Defense ImpairmentT1553.001, T1553.002, T1204.002
1.4Installer-Based Execution: Preinstall, Postinstall, Receipts, and Privileged ContextFree previewExecution, Persistence, Privilege EscalationT1546.016, T1059.004, T1548.004
1.5User-Mediated Execution Through URL Schemes and Document HandlersLockedInitial Access, ExecutionT1204.001, T1204.002, T1559, T1106
1.6Poisoning the Well: macOS Supply Chain Initial Access Through Xcode, Homebrew, and Developer ToolsLockedInitial Access, ExecutionT1195.001, T1195.002, T1204
1.7Targeting Common macOS Entry Points: Browser, Electron, Office-Like, and Developer ToolsLockedInitial Access, ExecutionT1189, T1659, T1218.015, T1176.001
1.8Initial Access Chain Validation: Proof, Weak Assumptions, and ReportingLockedInitial Access, ReportingT1204, T1553.001, T1546.016, T1176.001, T1195.001
02
9 modulesPost-Access Command and User-Session Execution
No.ModuleAccessTacticATT&CK
2.1Reliable Shell Execution After AccessLockedExecutionT1059.004, T1027.010
2.2Living off macOS: Native Utilities, Admin Tools, and Noisy MistakesLockedExecution, DiscoveryT1059.004, T1106, T1218
2.3AppleEvents and GUI Automation for User-Session OperationsLockedExecution, Collection, Credential AccessT1059.002, T1056.002, T1115, T1113
2.4JXA Tradecraft and Native Automation BridgesLockedExecutionT1059.007, T1106
2.5Interpreter-Based Execution When the Target Environment Is UncertainLockedExecutionT1059.006, T1059.011
2.6Surviving Rosetta 2: Cross-Architecture Execution, Translation Blind Spots, and ARM64-Aware PayloadsLockedExecution, StealthT1059, T1106, T1027
2.7Native Swift and Objective-C Execution Without Shell ArtifactsLockedExecutionT1106, T1059, T1569
2.8Accessibility, Input Injection, and Session-Bound Execution ClassesLockedExecution, CollectionT1674, T1056.002
2.9Choosing an Execution Path Under Defensive MonitoringLockedExecution, Stealth, DetectionT1059.002, T1059.004, T1059.007
03
13 modulesLoader, Runtime, IPC, and Process Abuse Tradecraft
No.ModuleAccessTacticATT&CK
3.1Shaping Process Launch: Parentage, Environment, NSTask, and posix_spawnLockedExecution, StealthT1106, T1036.009, T1059.004
3.2Abusing and Testing dyld Controls in Restricted ContextsLockedExecution, StealthT1574.006, T1129
3.3Run-Path Hijack Surface: @rpath, @loader_path, and @executable_pathLockedExecution, StealthT1574.006, T1129
3.4Dylib Hijacking: Target Discovery, Constructor Execution, and ProofLockedExecution, StealthT1574.004, T1574.006
3.5Dylib Proxying for Stable Execution Inside a Target AppLockedExecution, StealthT1574.004, T1129
3.6DYLD Interposition and API Hooking in Owned ProcessesLockedExecution, Credential AccessT1056.004, T1574.006
3.7XPC and Mach Service Recon for Privilege Boundary MappingLockedExecution, DiscoveryT1559.003, T1007
3.8Exploiting Lab XPC Trust Failures: Audit Tokens, Entitlements, and Client IdentityLockedPrivilege Escalation, ExecutionT1559.003, T1068
3.9Apple Silicon Offensive Tradecraft: 16KB Pages, W^X, PAC, and ARM64 Execution ConstraintsLockedExecution, StealthT1055, T1620, T1027, T1106
3.10Mach Port Rights as Capabilities for IPC and Process ControlLockedExecution, Privilege EscalationT1559, T1055
3.11Process Injection Constraints: task_for_pid, Hardened Runtime, SIP, and AMFILockedStealth, Privilege EscalationT1055, T1620
3.12Runtime Manipulation of Objective-C and Swift AppsLockedStealth, ExecutionT1565.003, T1055, T1027.004
3.13Runtime Tradecraft Review: Loader Abuse, IPC Abuse, Apple Silicon, and Detection PressureLockedExecution, Stealth, DetectionT1574.004, T1574.006, T1055, T1559.003, T1620
04
8 modulesPost-Compromise Discovery and Target Triage
No.ModuleAccessTacticATT&CK
4.1Host Profiling to Choose the Next Operator MoveLockedDiscoveryT1082, T1614, T1497.001
4.2User, Group, Session, and Privilege Enumeration After AccessLockedDiscoveryT1033, T1087.001, T1069.001
4.3Enterprise Footprints: MDM, SSO, Domain, VPN, and Management CluesLockedDiscoveryT1087.002, T1069.002, T1016, T1078
4.4Process, launchd, Login Item, and Background Execution ReconLockedDiscoveryT1057, T1007, T1518, T1518.001
4.5High-Value Application, Browser, Developer, Backup, and Local Data ReconLockedDiscovery, CollectionT1083, T1217, T1654, T1518.002
4.6Network Positioning: Wi-Fi, DNS, Proxy, VPN, Services, and Neighbor HostsLockedDiscoveryT1016, T1016.001, T1016.002, T1049, T1046, T1135
4.7Security Product Discovery: Identifying EDR, Santa, osquery, and Defensive Tooling Without Burning the OperationLockedDiscovery, StealthT1518.001, T1497, T1622
4.8Discovery OPSEC: What to Query, What to Skip, and How to Justify ItLockedDiscovery, ReportingT1057, T1082, T1016, T1518.001
05
6 modulesCredential Access and Identity Abuse on macOS
No.ModuleAccessTacticATT&CK
5.1Keychain Access Tradecraft: ACLs, Prompts, securityd, and Operator LimitsLockedCredential AccessT1555.001
5.2Browser Credential and Session Material Collection with Synthetic DataLockedCredential Access, CollectionT1555.003, T1539, T1606.001
5.3Developer Workstation Secret Hunting: Dotfiles, SSH Keys, Tokens, CLIs, and HistoryLockedCredential Access, DiscoveryT1552.001, T1552.003, T1552.004
5.4Enterprise Identity Material: Kerberos, Platform SSO, Enterprise SSO, and ccacheLockedCredential Access, Lateral MovementT1558.005, T1078
5.5Prompt Abuse Concepts: MFA Requests, Consent Boundaries, and User-Session RiskLockedCredential AccessT1056.002, T1111, T1621
5.6Credential Access Chain Review: Scope Control, Evidence, and Detection PressureLockedCredential Access, DetectionT1555.001, T1555.003, T1552.004, T1056.002
06
7 modulesPrivilege Escalation and macOS Boundary Abuse
No.ModuleAccessTacticATT&CK
6.1Elevation Through sudo, askpass, Authorization Prompts, and Cached WindowsLockedPrivilege EscalationT1548.003, T1548.004
6.2Abusing Unsafe Ownership, ACLs, Writable Paths, setuid, and setgidLockedPrivilege Escalation, Defense ImpairmentT1548.001, T1222.002
6.3Privileged Helper Abuse: SMJobBless, Authorization Services, and Helper TrustLockedPrivilege Escalation, PersistenceT1068, T1543.004
6.4LaunchDaemon Root Execution and Privileged Service Install PathsLockedPersistence, Privilege EscalationT1543.004
6.5TCC as an Escalation Boundary: Privacy Grants, Proxying, and Historical AbuseLockedPrivilege Escalation, Defense ImpairmentT1548.006
6.6Privilege Escalation Bug Classes: XPC Auth, Race, Symlink, Helper, and IOKitLockedPrivilege EscalationT1068
6.7Elevation Chain Review: Proof of Impact, Guardrails, Telemetry, and ReportingLockedPrivilege Escalation, DetectionT1548, T1068, T1543.004
07
12 modulesPersistence and Durable Access Tradecraft
No.ModuleAccessTacticATT&CK
7.1LaunchAgent and LaunchDaemon Persistence with Execution ProofLockedPersistence, Privilege EscalationT1543.001, T1543.004
7.2Scheduled and Event-Triggered Persistence with launchd, cron, and atLockedPersistence, ExecutionT1053.002, T1053.003
7.3Login Item and Background Task Management PersistenceLockedPersistenceT1547.015, T1547.007
7.4Shell, Trap, Interpreter, and Developer Workflow PersistenceLockedPersistence, Privilege EscalationT1546.004, T1546.005, T1546.018
7.5Shared Library and Mach-O Load Command PersistenceLockedPersistence, ExecutionT1546.006, T1129
7.6Legacy and Low-Frequency Persistence for Mature EnvironmentsLockedPersistence, Privilege EscalationT1546.014, T1037.002, T1037.004, T1037.005
7.7Host-Application Persistence Through Browser, IDE, and Office-Like ExtensionsLockedPersistence, CollectionT1176.001, T1176.002
7.8Package Script and Installer Receipt Re-Entry PathsLockedPersistence, Privilege EscalationT1546.016
7.9Account-Backed Persistence with SSH Keys, Remote Login, Users, and GroupsLockedPersistence, Privilege EscalationT1098.004, T1098.007, T1136.001
7.10Managed Persistence: Configuration Profiles, Login Items, PPPC, and MDM PolicyLockedPersistence, Defense ImpairmentT1098, T1547.015
7.11Network-Triggered Persistence: Port Knocking, Socket Filters, and Local SignalsLockedPersistence, Command and ControlT1205.001, T1205.002
7.12Persistence Chain Review: Validation, Forensics, Cleanup, and Client EvidenceLockedPersistence, StealthT1070.009, T1543, T1546, T1547
08
6 modulesOPSEC, Masquerading, and Artifact Discipline
No.ModuleAccessTacticATT&CK
8.1Masquerading Tradecraft: Names, Paths, Bundle IDs, Labels, Icons, and TrustLockedStealthT1036.003, T1036.004, T1036.005, T1036.008
8.2Hiding and Blending Artifacts: Finder Flags, xattrs, Resource Forks, and dotfilesLockedStealthT1564.001, T1564.003, T1564.009, T1564.014
8.3Cleanup and Anti-Forensics Tradeoffs: History, Deletion, Timestamps, Receipts, and CachesLockedStealthT1070.003, T1070.004, T1070.006
8.4Payload Appearance Management: Strings, Symbols, Encoding, and Static TriageLockedStealthT1027, T1027.008, T1027.010, T1027.013, T1027.015
8.5Guardrails and Environmental Keying for Lab PayloadsLockedStealth, DiscoveryT1480, T1480.001, T1480.002, T1497, T1622
8.6OPSEC Review: What Reduced Signal, What Became More Suspicious, and WhyLockedStealth, DetectionT1036, T1070, T1564, T1027
09
7 modulesDefense Evasion Pressure and Trust Control Abuse Classes
No.ModuleAccessTacticATT&CK
9.1Gatekeeper, Quarantine, Notarization, and Trust Control Abuse ClassesLockedDefense ImpairmentT1553.001, T1553.002
9.2Code Signing Abuse Classes: Identity, Ad Hoc Signing, Invalid Signatures, and Policy GapsLockedDefense Impairment, StealthT1553.002, T1553.006, T1036.001
9.3Trust Store Abuse Classes: Root Certificates, TLS Inspection, and Proxy VisibilityLockedDefense Impairment, Credential AccessT1553.004
9.4Host Control Tampering: Firewall, Network Filters, DNS, Proxy, and PlistsLockedDefense ImpairmentT1686, T1647
9.5Beating macOS EDR: Endpoint Security Framework Internals, Event Blind Spots, and Evasion MethodologyLockedDefense Impairment, StealthT1685, T1562.001, T1562.006, T1027
9.6Log Tampering, Tool Modification, Sensor Blind Spots, and Defensive TripwiresLockedDefense Impairment, StealthT1685.003, T1685.006
9.7Defense Evasion Review: What Breaks, What Alerts, and What Must Be ReportedLockedDefense Impairment, DetectionT1553, T1685, T1686, T1647
10
6 modulesCollection and Staging Tradecraft
No.ModuleAccessTacticATT&CK
10.1Targeted File and App Data Collection from macOS State StoresLockedCollectionT1005, T1213.006
10.2TCC-Gated Collection: Browser, Mail, Clipboard, Screenshot, Audio, and CameraLockedCollection, Credential AccessT1113, T1114, T1115, T1123, T1125, T1555.003
10.3Collection from Shares, Removable Media, Cloud-Sync, and Collaboration StoresLockedCollectionT1039, T1025, T1213
10.4Staging Tradecraft: Compression, Encryption Concepts, Hashing, Naming, and LimitsLockedCollectionT1074.001, T1074.002, T1560.001, T1560.002, T1560.003
10.5Apple AI Attack Surface: CoreML, Vision, AVFoundation, and Model ArtifactsLockedCollection, Stealth, ExecutionT1005, T1027.009, T1204, T1106
10.6Collection Chain Review: Overcollection Risk, AI Surfaces, Telemetry, and Evidence HandlingLockedCollection, DetectionT1005, T1113, T1115, T1560, T1027.009
11
4 modulesCommand and Control and Operator Channel Design
No.ModuleAccessTacticATT&CK
11.1Building a Lab macOS Agent: Tasking, State, Results, Safety, and Kill SwitchesLockedCommand and ControlT1105, T1102, T1071.001
11.2C2 Traffic Shaping: Jitter, Sleep, Encoding, and EvasionLockedCommand and Control, StealthT1001.003, T1132, T1008
11.3C2 Under Enterprise Constraints: Proxy, Tool Transfer, and DetectionLockedCommand and ControlT1090.002, T1105
11.4C2 Chain Review: Beacon Evidence, Endpoint Correlation, and Network Detection LogicLockedCommand and Control, DetectionT1071, T1090, T1105, T1132
12
6 modulesLateral Movement and Remote macOS Operations
No.ModuleAccessTacticATT&CK
12.1Moving with Valid Accounts: Remote Login, Remote Management, and Access ScopeLockedLateral Movement, Initial Access, PersistenceT1078, T1021
12.2SSH Lateral Movement: Authorized Keys, Agent Forwarding, TTY Artifacts, and HygieneLockedLateral Movement, PersistenceT1021.004, T1098.004, T1563.001
12.3GUI-Based Lateral Movement: Screen Sharing, VNC, ARD Concepts, and Session ControlLockedLateral Movement, CollectionT1021.005, T1219.002
12.4Lateral Tool Transfer, Shared Content Tainting, Quarantine Propagation, and Execution ProofLockedLateral Movement, ExecutionT1570, T1080
12.5Admin Tool and Deployment-System Abuse Concepts for macOS FleetsLockedLateral Movement, ExecutionT1072
12.6Lateral Movement Chain Review: Source Host, Destination Host, and Network EvidenceLockedLateral Movement, DetectionT1021.004, T1021.005, T1570, T1072
13
5 modulesImpact Simulation and Business-Risk Demonstration
No.ModuleAccessTacticATT&CK
13.1Simulated Data Destruction and File Encryption Against Disposable DataLockedImpactT1485, T1486
13.2Service Interruption, Recovery Inhibition Concepts, and launchd Job ControlLockedImpactT1489, T1490, T1529
13.3Stored Data Manipulation and Defacement in the Training AppLockedImpactT1491.001, T1565.001, T1565.003
13.4Resource Abuse, Bandwidth Pressure, and Safe Availability TestingLockedImpactT1496, T1496.001, T1496.002
13.5Impact Simulation Review: Recovery Evidence, Business Framing, and Safety BoundariesLockedImpact, DetectionT1485, T1486, T1489, T1565
14
6 modulesFull Red-Team Engagement Capstones
No.ModuleAccessTacticATT&CK
14.1Build the macOS Target Range: Training App, Synthetic Data, and Two-Mac NetworkLockedMultiplesupport module
14.2Initial Access to Execution Chain: Delivery, User Action, Trust Decision, Payload RunLockedInitial Access, ExecutionT1204, T1059, T1106, T1574
14.3Discovery to Credential Access Chain: Recon, Scoped Secrets, Keychain, TCC BoundariesLockedDiscovery, Credential AccessT1082, T1057, T1555, T1552
14.4Persistence and OPSEC Chain: Durable Access, Masquerading, Artifact Review, CleanupLockedPersistence, StealthT1543, T1546, T1547, T1036, T1564
14.5C2 to Objective Chain: Collection, Staging, and Two-Mac Movement via CoreML C2LockedCommand and Control, Collection, Lateral MovementT1071, T1105, T1005, T1021.004
14.6Final Red-Team Report: ATT&CK Map, Evidence Pack, Detections, and RemediationLockedDetection, Reportingall covered techniques