MITRE ATT&CK

Technique-Level Coverage Across Windows and macOS

BallisKit tools map to specific ATT&CK technique IDs, enabling red teams to verify scenario accuracy against threat intelligence reports.

What is MITRE ATT&CK

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It documents how threat actors operate, from initial compromise through data exfiltration, and provides a common taxonomy that offensive and defensive security teams use to communicate, plan, and validate.

ATT&CK serves as the shared language between threat intelligence providers, red teams, blue teams, and regulators. When a TI report documents that a threat actor uses specific techniques, the red team must reproduce those techniques, not substitute generic alternatives. ATT&CK IDs make that mapping explicit and verifiable.

  • Tactics - The adversary's tactical goal, the "why" behind an action (e.g., Initial Access, Persistence, Defense Evasion)
  • Techniques - The "how" - specific methods used to achieve a tactical goal (e.g., Phishing, Process Injection)
  • Sub-techniques - More granular variants of a technique (e.g., T1566.001 Spearphishing Attachment under T1566 Phishing)
  • Procedures - Specific implementations of techniques by real threat actors or tools

Why ATT&CK Matters for Red Teams

TIBER-EU Compliance

The Threat Intelligence Report specifies ATT&CK technique IDs the red team must reproduce. Tools must map directly to those IDs for the engagement to satisfy regulatory requirements.

Scenario Accuracy Verification

Regulators and white teams verify red team execution against documented techniques. Mapped coverage proves fidelity between the TI report and the actual attack simulation.

Consistent Reporting

ATT&CK IDs in engagement reports create auditable, comparable results across engagements and teams. Technique-level documentation removes ambiguity from deliverables.

Combined Technique Coverage by Tactic

All ATT&CK techniques covered by BallisKit tools, organized by adversary tactic. Each row shows the ATT&CK ID, the technique name, the implementation detail, and the product(s) that provide coverage. Where a technique spans several tactics (for example T1574.001), it is listed under each tactic it supports.

Initial Access

5 techniques

ID | Technique | Implementation | Products
T1566 | Phishing | HTML smuggling, Office lure delivery, DMG/PKG/.app delivery via phishing | MacroPack, DarwinOps, ShellcodePack
T1566.001 | Spearphishing Attachment | Office document delivery (.docm, .xlsm, .pptm) | MacroPack
T1566.002 | Spearphishing Link | URL file and HTML-based delivery | MacroPack
T1204.002 | Malicious File | LNK, Office, ClickOnce, PDF, .app, DMG, PKG, VSIX execution | MacroPack, DarwinOps, ShellcodePack
T1105 | Ingress Tool Transfer | ClickOnce, MSI, and dropper templates (ATT&CK assigns T1105 to the Command and Control tactic) | MacroPack

Execution

15 techniques

ID | Technique | Implementation | Products
T1059.001 | PowerShell | LNK and script execution | MacroPack
T1059.003 | Windows Command Shell | Multiple command-line based attacks and formats | MacroPack, ShellcodePack
T1059.005 | Visual Basic | VBS and VBA macro execution | MacroPack
T1059.006 | Python | Python obfuscation and distribution | MacroPack, ShellcodePack
T1059.007 | JavaScript | HTA, WSF, XSL script execution | MacroPack
T1059.002 | AppleScript | JXA (JavaScript for Automation) execution and remote loading (ATT&CK itself files JXA under T1059.007 JavaScript) | DarwinOps
T1218.002 | Control Panel | CPL format execution | ShellcodePack
T1218.005 | Mshta | MSHTA proxy execution | MacroPack
T1218.007 | Msiexec | Several msiexec LOLBin usages | MacroPack
T1218.010 | Regsvr32 | Regsvr32 / scrobj.dll proxy execution | MacroPack
T1218.011 | Rundll32 | Rundll32 DLL proxy execution | MacroPack
T1218.014 | MMC | .msc generation and execution | MacroPack
T1106 | Native API | Direct and indirect syscalls bypassing userland hooks | ShellcodePack
T1204.001 | Malicious Link | Several formats carrying a malicious URI | MacroPack, DarwinOps
T1204.005 | Malicious Library | Malicious NPM payloads | MacroPack, DarwinOps

Persistence

7 techniques

ID | Technique | Implementation | Products
T1543.001 | Launch Agent | LaunchAgent plist-based persistence | DarwinOps
T1543.004 | Launch Daemon | System-level persistence via LaunchDaemon | DarwinOps
T1647 | Plist File Modification | LaunchAgent and LaunchDaemon plist injection | DarwinOps
T1574.001 | DLL Side-Loading | Abuse of DLL load order for code execution | ShellcodePack
T1574.004 | Dylib Hijacking | Abuse of dynamic library load order for code execution | DarwinOps
T1137 | Office Application Startup | Abuse of the Excel and Word startup folders | MacroPack
T1137.006 | Add-ins | Generation of XLL payloads | ShellcodePack

Privilege Escalation

4 techniques

ID | Technique | Implementation | Products
T1548.002 | Bypass User Account Control | UAC bypass for privilege escalation | MacroPack
T1548.001 | Setuid and Setgid | SUID/SGID binary abuse for privilege escalation | DarwinOps
T1548.004 | Elevated Execution with Prompt | osascript-based fake system dialog for credential capture | DarwinOps
T1134.004 | Parent PID Spoofing | PPID_SPOOF template: forge process ancestry | MacroPack

Defense Evasion

33 techniques

ID | Technique | Implementation | Products
T1055.012 | Process Hollowing | RunPE template: hollow a legitimate process and inject shellcode | MacroPack
T1055 | Process Injection | Threadless execution, process injection variants | ShellcodePack
T1027 | Obfuscated Files or Information | Multi-layer encryption, polymorphic transformation | ShellcodePack
T1027.001 | Binary Padding | Add padding to binary payloads | ShellcodePack
T1027.002 | Software Packing | Multi-layer encryption stacking | ShellcodePack, MacroPack, DarwinOps
T1027.005 | Indicator Removal from Tools | Removal, encoding, or renaming of strings, code, and artifacts | MacroPack, ShellcodePack, DarwinOps
T1027.006 | HTML Smuggling | Embed payloads in an HTML dropper container | ShellcodePack, MacroPack
T1027.007 | Dynamic API Resolution | Avoid direct calls to monitored APIs | ShellcodePack, MacroPack
T1027.008 | Stripped Payloads | Removal of symbols | ShellcodePack, DarwinOps
T1027.009 | Embedded Payloads | Templates that embed a payload and either drop it or run it in memory | ShellcodePack, MacroPack, DarwinOps
T1027.010 | Command Obfuscation | DOSfuscation-style cmd.exe obfuscation | MacroPack
T1027.012 | LNK Icon Smuggling | Spoofed icon for LNK payloads | MacroPack
T1027.013 | Encrypted/Encoded File | Multi-layer encryption stacking | ShellcodePack, MacroPack, DarwinOps
T1027.015 | Compression | Compression to hide the payload and reduce its size | ShellcodePack, MacroPack, DarwinOps
T1027.016 | Junk Code Insertion | Insertion of dummy code to degrade machine-learning-based detection | ShellcodePack, MacroPack, DarwinOps
T1027.017 | SVG Smuggling | Payload embedded in an SVG dropper | ShellcodePack, MacroPack
T1221 | Template Injection | CVE-2022-30190 (Follina) MSDT template injection | MacroPack
T1553.005 | Mark-of-the-Web Bypass | ISO/container delivery that defeats MotW propagation, DLL sideloading, etc. | MacroPack, ShellcodePack
T1553.002 | Code Signing | Sign payload with a valid certificate | ShellcodePack, DarwinOps
T1553.001 | Gatekeeper Bypass | Payload generation compatible with Gatekeeper bypass techniques | DarwinOps
T1564.003 | Hidden Window | --no-dock flag suppresses Dock appearance (macOS) | ShellcodePack, MacroPack, DarwinOps
T1562.001 | Disable or Modify Tools | AMSI bypass, DLL unhooking | MacroPack, ShellcodePack
T1562.002 | Disable Windows Event Logging | ETW patching | MacroPack, ShellcodePack
T1574.001 | DLL Side-Loading | DLL proxying and sideloading | MacroPack, ShellcodePack
T1036.001 | Invalid Code Signature | Certificate spoofing on output binaries | ShellcodePack
T1036.006 | Space after Filename | Use of spaces to hide extensions | ShellcodePack, MacroPack, DarwinOps
T1036.007 | Double File Extension | Extension doubling and spoofing | ShellcodePack, MacroPack, DarwinOps
T1036.011 | Overwrite Process Arguments | In-memory loading, PPID and argument spoofing | ShellcodePack, MacroPack
T1620 | Reflective Code Loading | Reflective DLL loading | ShellcodePack
T1622 | Debugger Evasion | Anti-debug tricks and sandbox evasion | ShellcodePack, MacroPack, DarwinOps
T1678 | Delay Execution | Payload runs only after a configurable delay of N seconds | ShellcodePack, MacroPack, DarwinOps
T1127.001 | MSBuild | Used as a .NET-loading LOLBin | MacroPack
T1127.002 | ClickOnce | Custom scenarios with multiple options | MacroPack

Credential Access

1 technique

ID | Technique | Implementation | Products
T1056.002 | GUI Input Capture | Fake UI privilege prompts (osascript password capture) | DarwinOps
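The verification step the page describes (checking that a tool's mapped technique IDs cover what the Threat Intelligence Report requires) is mechanical enough to script. The following is an added example, not BallisKit code or the project's own tooling. It works on a constructed excerpt of the coverage matrix above and a constructed stand-in for a TI report's technique list; the function names (check_coverage, coverage_by_tactic and so on) are this example's own. It goes slightly beyond the page's text by applying the parent/sub-technique hierarchy from the ATT&CK section above: a covered sub-technique satisfies a requirement for its parent, but a requirement for a specific sub-technique is not satisfied by coverage of the parent alone and is reported separately, since TIBER-EU fidelity is about reproducing the specific technique.

```python
"""ATT&CK coverage check for a red-team toolset against a TI report's technique list.

Added example, not BallisKit code. COVERAGE is a constructed excerpt of the mapping
on this page; TI_REPORT_TECHNIQUES is a constructed list standing in for a TI report.
"""
import re
from collections import defaultdict

# Enterprise ATT&CK ids: "T" + four digits, optional ".NNN" sub-technique suffix.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed excerpt: (tactic, ATT&CK id, products claiming coverage).
COVERAGE = [
    ("Initial Access",  "T1566.001", {"MacroPack"}),
    ("Initial Access",  "T1204.002", {"MacroPack", "DarwinOps", "ShellcodePack"}),
    ("Execution",       "T1059.005", {"MacroPack"}),
    ("Execution",       "T1218.011", {"MacroPack"}),
    ("Persistence",     "T1543.001", {"DarwinOps"}),
    ("Defense Evasion", "T1055.012", {"MacroPack"}),
    ("Defense Evasion", "T1055",     {"ShellcodePack"}),
    ("Defense Evasion", "T1027.002", {"ShellcodePack", "MacroPack", "DarwinOps"}),
]

# Constructed stand-in for the technique ids a TI report hands to the red team.
TI_REPORT_TECHNIQUES = [
    "T1566.001", "T1566.002", "T1204", "T1059.005",
    "T1055.012", "T1055.001", "T1547.001",
]


def parent_of(tid):
    """T1566.001 -> T1566; a parent technique is returned unchanged."""
    return tid.split(".", 1)[0]


def validate_ids(ids):
    """Reject malformed ids early; a typo in a TI report must not silently read as 'missing'."""
    bad = [t for t in ids if not ATTACK_ID.match(t)]
    if bad:
        raise ValueError(f"malformed ATT&CK id(s): {bad}")
    return True


def build_index(coverage):
    """Map each covered technique id to the union of products that cover it."""
    index = defaultdict(set)
    for _, tid, products in coverage:
        validate_ids([tid])
        index[tid] |= set(products)
    return index


def check_coverage(required, coverage):
    """Classify each required id as exact, parent_only or missing.

    exact:       the id is covered, or it is a parent and at least one of its
                 sub-techniques is covered (a sub-technique is a concrete instance).
    parent_only: a sub-technique is required but only its parent is covered;
                 this is NOT accepted as fidelity to the TI report.
    missing:     nothing in the coverage map relates to the id.
    """
    validate_ids(required)
    index = build_index(coverage)
    result = {"exact": {}, "parent_only": {}, "missing": []}
    for tid in required:
        if tid in index:
            result["exact"][tid] = sorted(index[tid])
            continue
        if "." not in tid:
            subs = {p for cid, prods in index.items() if parent_of(cid) == tid for p in prods}
            if subs:
                result["exact"][tid] = sorted(subs)
                continue
        elif parent_of(tid) in index:
            result["parent_only"][tid] = sorted(index[parent_of(tid)])
            continue
        result["missing"].append(tid)
    return result


def coverage_by_tactic(coverage):
    """Distinct technique ids per tactic; use it to sanity-check 'N techniques' headers."""
    counts = defaultdict(set)
    for tactic, tid, _ in coverage:
        counts[tactic].add(tid)
    return {t: len(ids) for t, ids in counts.items()}


if __name__ == "__main__":
    report = check_coverage(TI_REPORT_TECHNIQUES, COVERAGE)
    for bucket in ("exact", "parent_only", "missing"):
        print(f"{bucket}: {report[bucket]}")
    print(coverage_by_tactic(COVERAGE))
```

With the constructed inputs, T1204 is reported as exact (satisfied through T1204.002), T1055.001 lands in parent_only because only T1055 and T1055.012 are covered, and T1566.002 and T1547.001 are missing. The parent_only bucket is the one to escalate to the white team before the engagement starts: it is where a generic substitute would otherwise slip into the scenario.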

Product Technique Summary

MacroPack

Windows
43+
ATT&CK techniques covered
  • Initial Access
  • Execution
  • Privilege Escalation
  • Persistence
  • Defense Evasion

ShellcodePack

Windows
32+
ATT&CK techniques covered
  • Initial Access
  • Execution
  • Persistence
  • Defense Evasion

DarwinOps

macOS
26+
ATT&CK techniques covered
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access

TIBER-EU

ATT&CK Coverage for TIBER-EU Engagements

TIBER-EU mandates that red teams reproduce specific threat actor techniques documented in the Threat Intelligence Report. BallisKit's mapped ATT&CK coverage across Windows and macOS enables red teams to demonstrate technique-level fidelity between the TI report and the executed adversary simulation.
