Gone Apple Pickin': Red Teaming macOS Environments in 2021

Presented at DEF CON 29 (2021), Aug. 6, 2021, 10 a.m. (45 minutes)

Though the vast majority of US companies are enterprise Windows shops, there is a growing percentage of companies that are shifting away from this model. Most of these types of companies tend to be based in the SF Bay Area and are often tech companies. This talk will provide a glimpse into what common attack paths in these environments look like in the absence of typical enterprise Active Directory implementations. Examples include techniques for targeting macOS endpoints, cloud and IdaaS, CI/CD pipeline, and other fun approaches. I will begin by discussing common tech stacks and macOS deployments and then move into macOS initial access (including the Gatekeeper bypass I found) and post exploitation options in these modern tech environments as well as detection opportunities.


Presenters:

  • Cedric Owens - Offensive Security Engineer
    Cedric is currently an offensive security engineer who came from a blue team background. His passion revolves around red teams and blue teams working closely together to improve each other's tradecraft. Cedric enjoys researching techniques and writing tools related to macOS post exploitation and infrastructure automation. His blogs can be found here: https://medium.com/@cedowens His tools can be found here: https://github.com/cedowens @cedowens
