Dropping Lotus Bombs: ATT&CK in macOS Purple Team Operations

Presented at Objective by the Sea version 6.0 (2023), Oct. 13, 2023, 4:05 p.m. (25 minutes).

Frustrated about not finding macOS emulation software or offensive testing? We were too! That’s why we built and released the first macOS emulation plan to the Adversary Emulation Library, a GitHub repo for the offensive security community. Emulating a scenario based on OceanLotus, a suspected Vietnamese group, we walk through how to execute an ATT&CK-based emulation and discuss lessons learned when building enterprise detection. This is the conclusion of a three-year community effort to provide a red vs. blue emulation specific to macOS. Good detection turns your environment into a minefield for attackers. Our goal is to empower red and blue teams to craft their own emulations using ATT&CK techniques and to transform their macOS detection into a minefield.

Presenters:

  • Megan Carney - Detection Engineer at Target
    Megan Carney has been an analyst/bad news giver in several different environments for over ten years. Currently, she is a detection engineer at Target. She spends most of her time searching for all the places badness might hide. Can often be found staring into the abyss. It’s true the abyss stares back.
  • Cat Self - Lead Adversary Emulation Engineer at The MITRE Corporation
    Cat Self is an Adversary Emulation Engineer at The MITRE Corporation and works as the macOS ATT&CK Lead, researching macOS specific malware, advanced persistent threat actors, and techniques. Cat previously worked as an internal red team operator, threat hunter, and developer at Target Corporate.

    Cat is an Airborne Military Intelligence veteran with a passion for mentorship, researching all things Apple, and hiking mountains in foreign lands.
