Come to the Dark Side, We Have Apples: Turning macOS Management Evil

The presentation discusses advanced offensive tradecraft considering macOS management platforms such as Jamf and native MDM. The focus is on introducing new macOS exclusive TTPs covering initial access, command and control, persistence and lateral movement.

• Introduction to Apple's MDM solution and Jamf device management platform
• Abuse of these platforms for C2 communications or initial access vectors
• Function hooking and stealing secrets from SIP protected processes
• Release of open source materials and two Mythic agents

The presentation highlights the increasing use of Mac OS devices in corporate environments and the need for management solutions to configure devices uniformly and enforce security restrictions. The focus is on demonstrating how these management platforms can be abused for malicious purposes.

This talk discusses advanced offensive tradecraft considering macOS management platforms such as Jamf and native MDM. We will be introducing new macOS exclusive TTPs covering initial access, command and control, persistence and lateral movement. Highlights of our research include:- Compromising a macOS device with a single PLIST file.- Compromising Domain Admin accounts from Jamf-managed endpoints.- Bypassing SIP with "out of the box" thinking.In addition to the attacks described above, we will be performing a deep dive into the internals of several management frameworks to further the audience's understanding to help them better operate in macOS environments.Finally, this talk introduces a myriad of new tools, including two unique Mythic C2 agents that abuse macOS management frameworks to control devices without introducing any custom code.