This document summarizes a talk about attacking MacOS environments. It discusses setting up command and control with Mythic, initial access techniques like using Microsoft Word macros and 0-day exploits, persistence methods like login items and launch agents, collecting data like AD credentials, browser cookies and files using techniques like bypassing transparency consent and control protections, and hardening MacOS environments through enrollment in MDM and security policy enforcement. Examples of collecting OpenVPN credentials, NoMAD credentials storing in the keychain, bypassing Firefox password encryption, and accessing cloud credentials in the home directory are provided.

1. 0-day up your sleeve
AT TA C K I N G M A C O S E N V I R O N M E N T S

2. Whoami?
Wojciech Reguła
Head of Mobile Security at
• Focused on iOS/macOS #appsec
• Blogger – h8ps:/
/wojciechregula.blog
• iOS Security Suite Creator
• macOS environments security

3. Agenda
1. Introduction
2. Macs in corporate environments
3. Setting up a C2 with Mythic
4. Initial access
5. Persistence
6. Data collection & Lateral movement
7. Hardening macOS environments
8. Conclusion

4. 🙋‍ Raise your hand if:
There is at least one Mac
in your company

5. 🙋‍ Raise your hand if:
This Mac has access to your
company’s resources like other
Windows machines

6. Why did I decide to make this talk?
1. Macs are geHng more common in corporate environments (developers,
UX, designers, managers, etc.)
2. SoNware houses / IT companies have large % of Macs in their
environments
3. Macs are not symmetrically secured comparing them to Windows
machines…

7. What are the problems?
☠ Old, vulnerable macOS versions everywhere
⚙ MacOS system firewall disabled (default configura<on)
🤔 An<malware? Do Macs have viruses?
👩💻‍‍ Standard users working on admin accounts
🗒 Lack of applica<on whitelis<ng
🖥 In mid-size companies Macs are not even enrolled in MDMs…

8. Macs in corporate environments
Mac is directly bound to the AD

9. Macs in corporate environments
Mac has NoMAD installed that handles Kerberos

10. Macs in corporate environments
Mac uses SSO, there is no AD

11. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

12. ü Great red teaming framework with macOS support
ü Created by Cody Thomas @its_a_feature_
ü Open source - hMps:/
/github.com/its-a-feature/Mythic
ü Extensive docs - hMps:/
/docs.mythic-c2.net/

13. h0ps:/
/vimeo.com/751596706

14. Initial access - problems
1. According to Apple all
the soNware downloaded
directly with your browser
must be notarized

15. Initial access - problems
2. NotarizaZon will check if the soNware doesn’t contain malicious
components

16. Initial access - problems
3. If you don’t notarize your
app macOS will block it.

17. Ini=al access – solu=ons for the problems
1. We can create a legit pkg file,
notarize it and risk our cer<ficate
to be revoked by Apple

18. Initial access – solutions for the problems
2. We can convince user to right click and open the app. It’s a popular
technique used by malware

19. Initial access – solutions for the problems
3. We can bypass the GateKeeper using a 0-day

20. Initial access – solutions for the problems
4. Use Microsoft Office Macro.

21. Ini=al access with a MicrosoA Word Macro

22. Ini=al access with a MicrosoA Word Macro

23. Initial access with a Microsoft Word Macro
• Madhav Bhab shared a cool technique to escape the Word’s sandbox.
However, it requires users to reboot their Macs.

24. …but we have our own 0-days 😈
Presenting :
macOS sandbox escape vulnerability

25. h0ps:/
/vimeo.com/751596839

26. Persistence
Typical macOS persistence techniques:
• Launch Agents
• Launch Daemons
• Login Items
• Cron Jobs
• Login/Logout Hooks
• Authorization Plugins
• … and tons of others -> https://theevilbit.github.io/beyond/

27. h0ps:/
/vimeo.com/751596910

28. h0ps:/
/vimeo.com/751597017

29. Persistence – macOS Ventura update

30. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

31. Data Collection
We’re interested in:
• VPN credenZals
• AD credenZals (NoMAD)
• Signal messages
• Browser cookies
• Keychain entries
• AWS / other cloud keys
• Desktop/Documents files

32. Data Collec=on - OpenVPN

33. Data Collection - OpenVPN

34. Data Collec=on – OpenVPN
• You can use my universal app Keylogger
• https://gist.github.com/r3ggi/26f38e6439d96474491432621f2237c0

35. Data Collec=on - OpenVPN

36. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

37. Data Collection – AD Credentials (NoMAD)
• NoMAD saves your AD credenZals in MacOS Keychain.
• The Keychain has a flaw that allows geHng entries from it without any
prompt / root access / user’s password
• hbps:/
/wojciechregula.blog/post/stealing-macos-apps-keychain-entries/

38. Data Collection – AD Credentials (NoMAD)
• I open-sourced a NoMADCredenZalsStealer tool as a part of my
#macOSRedTeamingTricks series
• hbps:/
/github.com/r3ggi/NoMADCredenZalsStealer/

39. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

40. Data Collection –
Signal messages

41. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

42. Data Collection – Firefox saved passwords
• Firefox stores saved logins & passwords in an encrypted form
• If master password is not set (default configuraZon) the saved
credenZals can be dumped without root
• hbps:/
/github.com/unode/firefox_decrypt

43. h0ps:/
/vimeo.com/751597088

44. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

45. Data Collection – flat files and problems with TCC

46. Transparency, Consent and Control (TCC)

47. h0ps:/
/vimeo.com/751597122

48. Data Collec=on – flat files and problems with TCC
• Accessing Desktop/Documents/Microphone and other sensitive
resources will spawn a prompt
• But there are tons of TCC bypasses
• Black Hat Talk: 20+ Ways to Bypass Your macOS Privacy Mechanisms
• We can abuse other apps installed on the device and use their TCC
permissions.

49. Data Collec=on – flat files and problems with TCC

50. …we have our own vulnerabilities #2 😈
Presenting :
a TCC bypass

51. Data Collec=on – flat files and problems with TCC

52. https://vimeo.com/751597193

53. Data Collection & Lateral Movement
• Another good news for red teamers – cloud credenZals are stored in ~
• Home directory isn’t TCC-protected!
~/.ssh ~/.aws ~/.azure ~/.config/gcloud

54. ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

55. Hardening macOS environments
At least:
1. Enroll your company’s Macs to MDM (eg. JAMF, Intune)
2. Keep them updated
3. Enforce security policies (SIP, Firewall, GateKeeper, Filevault etc)
4. Disable Office macros (if possible in your organization)
5. Install an anti-malware solution
6. Monitor your Macs

56. h"ps://www.securing.pl/en/service/infrastructure-security-tes7ng/mac-
environments-tes7ng/

57. Summing up

58. Wojciech Reguła
Head of Mobile Security at SecuRing
@_r3ggi wojciech-regula
Thank you!