Come to the Dark Side, We Have Apples: Turning macOS Management Evil

Presented at Black Hat USA 2021, Aug. 5, 2021, 10:20 a.m. (40 minutes)

This talk discusses advanced offensive tradecraft against macOS management platforms such as Jamf and native MDM.

We will be introducing new macOS-exclusive TTPs covering initial access, command and control, persistence and lateral movement. Highlights of our research include:

- Compromising a macOS device with a single PLIST file.
- Compromising Domain Admin accounts from Jamf-managed endpoints.
- Bypassing SIP with "out of the box" thinking.

In addition to the attacks described above, we will be performing a deep dive into the internals of several management frameworks to deepen the audience's understanding and help them operate more effectively in macOS environments.

Finally, this talk introduces a myriad of new tools, including two unique Mythic C2 agents that abuse macOS management frameworks to control devices without introducing any custom code.

Presenters:

  • Calum Hall - Security Engineer, GitHub
    Calum Hall works in offensive security. Calum previously led F-Secure's perimeter-based security service for over two years, whilst also contributing to the development of the company's offensive macOS tradecraft. He predominantly spends his time targeting macOS devices at an organization-wide scale and, by extension, the platforms employed to manage these estates.
  • Luke Roberts - Security Consultant, F-Secure Consulting
    Luke Roberts specializes in performing attack simulation engagements and is a part of the offensive security team at F-Secure Consulting. His most recent research considers macOS in enterprise, and the TTPs that advanced attackers could use to operate within these unique environments.
