The Adversary Tactics: Mac Tradecraft course, hosted by SpecterOps, immerses participants in a modern macOS hybrid environment, closely resembling real-world red team exercises. This course is designed for experienced red team operators who want to enhance their skills in operating against macOS endpoints.
Here are the key highlights of the course:
- Objective:
- The primary goal is to bridge the gap in red team knowledge related to macOS environments.
- Participants will gain foundational knowledge to operate effectively against macOS endpoints.
- Focus Areas:
- Latest macOS Security Enhancements: Understand the most recent security features and enhancements in macOS.
- Custom Techniques: Learn to craft custom techniques on the fly using JXA (JavaScript for Automation) and Objective-C.
- Persistence and Privilege Escalation: Identify opportunities for persistence and privilege escalation.
- Credential Theft: Explore techniques for stealing credentials.
- Avoiding EDR Detections: Discover methods to evade common EDR (Endpoint Detection and Response) detections via XPC services and native APIs.
- Approach:
- Rather than relying solely on specific available tooling, the course emphasizes understanding the underlying concepts behind techniques.
- Participants will operate on the keyboard, executing complex red team tradecraft against macOS endpoints.
- Apple’s Security Approach:
- Apple pushes all non-Apple code into user space: third-party kernel extensions are deprecated in favor of user-space System Extensions, so red team operators and EDR products alike operate without kernel access.
- Each macOS version introduces new security enhancements, bringing macOS and iOS closer together.
- Focus on subverting Apple’s custom controls, such as Gatekeeper, Application Notarization, Entitlements, TCC (Transparency, Consent, and Control), and System Integrity Protection.
- Prerequisites:
- Participants should be comfortable with penetration testing concepts, tools, Active Directory, and macOS internals.
- This course is not suitable for beginners.
- Realistic Environment:
- Participants will engage in team-based, hands-on execution of red team tradecraft against macOS endpoints.
- The course mirrors what SpecterOps operators encounter during real-world exercises.