A Practical Guide to Red Teaming in Mac Environments

Bharath
October 15, 2025

Transcript

  1. A Practical Guide to Red Teaming in Mac Environments
    Bharath & Akshay, c0c0n 2025
    A Practical Guide to Red Teaming in Mac Environments | 1 of 23
  2. Who are we?
    Bharath: Some security guy. Enjoys Linux but made to use MacOS.
    Akshay Jain: Another security guy. Enjoys Web 2 Security.
  3. Why this talk?
    We wanted to speak at c0c0n.
    MacOS has become the de facto device for engineering teams.
    MacOS is under-explored from a Red Team PoV.
    Demystify red teaming in MacOS without 0-days.
  4. What will we cover?
    A brief intro to MacOS security mechanisms, aka hurdles during red teaming.
    A walk-through of red teaming techniques for Mac environments.
    Some ideas for you to explore further.
  5. First line of defenses in MacOS (Redteam hurdles)
  6. First line of defense in MacOS (Redteam hurdles)
    File Quarantine
    Gatekeeper
    Notarize
    Transparency, Consent & Control (TCC)
  7. File quarantine
    An opt-in security feature for applications like browsers that applies a quarantine extended attribute to files downloaded by users of those applications.
    # Get attributes
    xattr <file-location>
    # Get quarantine attributes
    xattr -p com.apple.quarantine /Applications/Firefox.app
    # Delete quarantine attributes
    xattr -d -r com.apple.quarantine <file-location>
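    A defender-side helper for the slide above, added here and not part of the deck: it parses the value that `xattr -p com.apple.quarantine <file>` prints, so a triage script can see which agent quarantined a file and when. It assumes the commonly observed layout of that value (four `;`-separated fields: flags in hex, download time as hex Unix seconds, agent name, event UUID); the sample value is constructed.

```python
"""Inspect File Quarantine metadata on downloaded files (added example).

Assumption: the com.apple.quarantine value is four ';'-separated fields:
flags (hex), download time (hex seconds since the Unix epoch), the name of
the agent that set the quarantine, and an event UUID.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: Optional[datetime]
    agent: str
    event_uuid: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split the raw attribute text into typed fields."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected com.apple.quarantine value: {value!r}")
    fields += [""] * (4 - len(fields))  # the UUID field may be absent
    flags = int(fields[0], 16)
    stamp = None
    if fields[1]:
        stamp = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return QuarantineInfo(flags, stamp, fields[2], fields[3])


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed attribute for `path`, or None when the file has none.
    Only meaningful on macOS, where the xattr(1) tool exists."""
    proc = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:  # no attribute set, or no such file
        return None
    return parse_quarantine(proc.stdout)


# Constructed sample value in the shape a browser download usually carries.
SAMPLE = "0083;5f1d3c40;Safari;9A1D6B20-7C3E-4F11-A2B6-0C5D7E8F9A01"

if __name__ == "__main__":
    info = parse_quarantine(SAMPLE)
    print(f"{info.agent} downloaded it at {info.downloaded_at:%Y-%m-%d %H:%M:%S}Z "
          f"(flags=0x{info.flags:04x})")
```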
  8. Notarize
    Apple security process that scans apps for malware and code issues on macOS 10.15+ (Catalina and later).
    Typical process: code sign the app, upload it to Apple for scanning, Apple stamps it if it is clean.
    Helps Gatekeeper trust apps from the internet.
  9. Gatekeeper
    Gatekeeper verifies that the software is from an identified developer, is notarised by Apple to be free of known malicious content and hasn't been altered.
    Gatekeeper also requests user approval before opening downloaded software for the first time, to make sure the user hasn't been tricked into running executable code they believed to simply be a data file.
  10. Transparency, Consent and Control
    TCC is a framework developed by Apple to manage access to sensitive user data on macOS.
    The primary goal of TCC is to empower users with transparency regarding how their data is accessed and used by applications.
  11. Using Homebrew to get a foothold
    Homebrew is a free and open-source software package management system that simplifies the installation of software on Apple's operating system, macOS (as well as Linux).
    The brew tap command adds more repositories to the list of formulae that your Homebrew instance tracks, updates, and installs from. By default, tap assumes that the repositories come from GitHub, but the command isn't limited to any one location.
    Hexbrew - creating brew tap made easy
    brew tap aws/tap
    brew install aws/tap/eksctl
    brew tap your-own-tap
  12. Using .dmg quirks to bypass Gatekeeper
    A user can right-click to open the application shared as .dmg rather than by double-clicking it. This would not prompt the user with the Gatekeeper consent message.
    A lot of popular malware adapted this technique.
  13. Non-CVE ways to work around TCC
    TCC protection is applicable to directories that potentially contain personal user content like Documents or Downloads.
    TCC protection is not applicable to sensitive Linux-style files/directories like ~/.config or ~/.ssh.
    Use the Full Disk Access permission granted to an application to access files that are otherwise protected by TCC but not by System Integrity Protection (SIP).
    sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
      "SELECT client AS bundle_id FROM access WHERE service='kTCCServiceSystemPolicyAllFiles';"
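    An audit version of the slide's TCC.db query, added here and not part of the deck: it lists which clients are actually allowed Full Disk Access (the slide's query also returns denied entries) and flags any not on an expected list. Assumptions: the `access` table has at least the columns client, client_type, service and auth_value (the real table has more), auth_value 2 means allowed, and the sample database is constructed; reading the real TCC.db itself requires Full Disk Access.

```python
"""Audit Full Disk Access grants in a TCC database (added example)."""
import sqlite3
from typing import Iterable, List, Tuple

FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2  # assumption: 2 = allowed, 0 = denied


def fda_clients(conn: sqlite3.Connection,
                allowed_only: bool = True) -> List[Tuple[str, int]]:
    """Return (client, auth_value) rows for the Full Disk Access service."""
    sql = "SELECT client, auth_value FROM access WHERE service = ?"
    params: list = [FULL_DISK_ACCESS]
    if allowed_only:
        sql += " AND auth_value = ?"
        params.append(AUTH_ALLOWED)
    return [(c, v) for c, v in conn.execute(sql + " ORDER BY client", params)]


def unexpected_fda(conn: sqlite3.Connection, allowlist: Iterable[str]) -> List[str]:
    """Clients holding Full Disk Access that are not on the expected list."""
    expected = set(allowlist)
    return [c for c, _ in fda_clients(conn) if c not in expected]


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a TCC.db read-only so the audit can never modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ~/Library/Application Support/com.apple.TCC/TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (client TEXT, client_type INTEGER, "
                 "service TEXT, auth_value INTEGER)")
    rows = [
        ("com.apple.Terminal", 0, FULL_DISK_ACCESS, 2),
        ("com.example.backup-agent", 0, FULL_DISK_ACCESS, 2),
        ("com.example.updater", 0, FULL_DISK_ACCESS, 0),   # prompted, denied
        ("com.example.chat", 0, "kTCCServiceMicrophone", 2),  # other service
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for client, value in fda_clients(db, allowed_only=False):
        print(f"{client:30} auth_value={value}")
    print("unexpected:", unexpected_fda(db, ["com.apple.Terminal"]))
```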
  14. LOOBins for fun and profit
    Living Off the Orchard: macOS Binaries (LOOBins) is a resource designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes.
    https://www.loobins.io
    # Find yaml files across the system
    mdfind 'kMDItemFSName == *.yaml || kMDItemFSName == *.yml'
  15. Lateral movement via Jamf
    Jamf is a product suite focused on Apple device management.
    The core product used by many organisations is Jamf Pro, a Mobile Device Management (MDM) unified endpoint management solution designed for Apple-first deployments.
  16. Lateral movement via Jamf
    You can find the Jamf portal login at: https://ORG-NAME.jamfcloud.com
    The credentials are generally work email & laptop password.
    You can also try to find the Jamf management tokens, which can give varying levels of access to your org's Jamf instance.
    Jamf has extensive documentation around the APIs.
    JamfHound by SpecterOps
  17. Red Team Frameworks for MacOS
    Mythic Framework
  18. References
    Modern macOS Red Teaming Tactics by SpecterOps
    The (Mis)Education of macOS Security Internals by Stuart Ashenbrenner, MacAdmins Conference
    https://redcanary.com/threat-detection-report/techniques/gatekeeper-bypass/
  19. That's all, folks!
    Cast (in order of appearance): Presentation: Akshay, Bharath. Funding: c0c0n & Us. Slides: Slidev, Unocss, Figma, Vuejs, Vite.