has become the de facto device for engineering teams
macOS is under-explored from a red team point of view
Demystify red teaming on macOS without 0-days
A Practical Guide to Red Teaming in Mac Environments | 4 of 23
mechanisms, aka hurdles, during red teaming
A walk-through of red teaming techniques for Mac environments
Some ideas for you to explore further
etc. that applies a quarantine extended attribute to files downloaded by users of those applications.
# List extended attributes
xattr <file-location>
# Read the quarantine attribute
xattr -p com.apple.quarantine /Applications/Firefox.app
# Delete the quarantine attribute (recursively)
xattr -d -r com.apple.quarantine <file-location>
code issues on macOS 10.15+ (Catalina and later)
Typical process: code sign the app, upload it to Apple for scanning, Apple stamps it if it is clean
Helps Gatekeeper trust apps from the internet
developer, is notarised by Apple to be free of known malicious content and hasn’t been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
Apple to manage access to sensitive user data on macOS. The primary goal of TCC is to empower users with transparency regarding how their data is accessed and used by applications.
and open-source software package management system that simplifies the installation of software on Apple’s operating system, macOS (as well as Linux). The brew tap command adds more repositories to the list of formulae that your Homebrew instance tracks, updates, and installs from. By default, tap assumes that the repositories come from GitHub, but the command isn’t limited to any one location.
Hexbrew - creating a brew tap made easy
brew tap aws/tap
brew install aws/tap/eksctl
brew tap your-own-tap
to open the application shared as a .dmg rather than by double-clicking it. This would not prompt the user with the Gatekeeper consent message. A lot of popular malware adopted this technique.
applicable to directories that potentially contain personal user content like Documents or Downloads. TCC protection does not apply to sensitive Linux-style files/directories like ~/.config or ~/.ssh. Use the Full Disk Access permission granted to an application to access files that are otherwise protected by TCC but not by System Integrity Protection (SIP).
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT client AS bundle_id FROM access WHERE service='kTCCServiceSystemPolicyAllFiles';"
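The Full Disk Access query above is also the basis of a simple defensive check: list which bundle IDs hold kTCCServiceSystemPolicyAllFiles and flag any that are not on an expected allowlist. The script below is an added example, not from the slides; it builds a constructed, simplified in-memory copy of the TCC.db access table (only the service, client, client_type and auth_value columns) and assumes the macOS 11+ convention that auth_value 2 means allowed.

```python
import sqlite3

# Service name for Full Disk Access, as used in the query on the slide
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
# Assumption: on macOS 11+ TCC.db stores the decision in auth_value, where 2 = allowed
AUTH_ALLOWED = 2


def full_disk_access_clients(conn):
    """Return the sorted bundle IDs that currently hold Full Disk Access."""
    rows = conn.execute(
        "SELECT client, auth_value FROM access WHERE service = ?", (FDA_SERVICE,)
    ).fetchall()
    return sorted(client for client, auth in rows if auth == AUTH_ALLOWED)


def audit_full_disk_access(conn, allowlist):
    """Return FDA holders that are not in the allowlist (candidates to review/revoke)."""
    expected = set(allowlist)
    return [c for c in full_disk_access_clients(conn) if c not in expected]


def build_sample_db():
    """Constructed sample of the TCC.db 'access' table (simplified schema), for offline use."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (FDA_SERVICE, "com.example.edr-agent", 0, 2),    # expected FDA holder
            (FDA_SERVICE, "com.apple.Terminal", 0, 2),       # FDA granted, not on the allowlist
            (FDA_SERVICE, "com.example.denied-tool", 0, 0),  # FDA explicitly denied
            ("kTCCServiceMicrophone", "com.example.meetings", 0, 2),  # unrelated service
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # To audit a real host, open ~/Library/Application Support/com.apple.TCC/TCC.db
    # read-only from a process that itself has Full Disk Access.
    db = build_sample_db()
    print("FDA holders:", full_disk_access_clients(db))
    print("Unexpected:", audit_full_disk_access(db, {"com.example.edr-agent"}))
```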
Binaries (LOOBins) is a resource designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes. https://www.loobins.io
# Find YAML files across the system via Spotlight metadata
mdfind 'kMDItemFSName == "*.yaml" || kMDItemFSName == "*.yml"'
on Apple device management. The core product used by many organisations is Jamf Pro, a Mobile Device Management (MDM) unified endpoint management solution designed for Apple-first deployments.
at: https://ORG-NAME.jamfcloud.com
The credentials are generally the work email and laptop password
You can also try to find the Jamf management tokens, which can give varying levels of access to your org’s Jamf instance
Jamf has extensive documentation around the APIs
JamfHound by SpecterOps
of macOS Security Internals by Stuart Ashenbrenner, MacAdmins Conference
https://redcanary.com/threat-detection-report/techniques/gatekeeper-bypass/