0-Day Up Your Sleeve - Attacking macOS Environments

0-day up your sleeve
AT TA C K I N G M A C O S E N V I R O N M E N T S

Whoami?
Wojciech Reguła
Head of Mobile Security at
• Focused on iOS/macOS #appsec
• Blogger – h8ps:/
/wojciechregula.blog
• iOS Security Suite Creator
• macOS environments security

Agenda
1. Introduction
2. Macs in corporate environments
3. Setting up a C2 with Mythic
4. Initial access
5. Persistence
6. Data collection & Lateral movement
7. Hardening macOS environments
8. Conclusion

🙋‍ Raise your hand if:
There is at least one Mac
in your company

🙋‍ Raise your hand if:
This Mac has access to your
company’s resources like other
Windows machines

Why did I decide to make this talk?
1. Macs are geHng more common in corporate environments (developers,
UX, designers, managers, etc.)
2. SoNware houses / IT companies have large % of Macs in their
environments
3. Macs are not symmetrically secured comparing them to Windows
machines…

What are the problems?
☠ Old, vulnerable macOS versions everywhere
⚙ MacOS system ﬁrewall disabled (default conﬁgura<on)
🤔 An<malware? Do Macs have viruses?
👩💻‍‍ Standard users working on admin accounts
🗒 Lack of applica<on whitelis<ng
🖥 In mid-size companies Macs are not even enrolled in MDMs…

Macs in corporate environments
Mac is directly bound to the AD

Mac has NoMAD installed that handles Kerberos

Mac uses SSO, there is no AD

ADFS SSO
NON-SSO
Desktop and other TCC-protected directories
Target for this talk

ü Great red teaming framework with macOS support
ü Created by Cody Thomas @its_a_feature_
ü Open source - hMps:/
/github.com/its-a-feature/Mythic
ü Extensive docs - hMps:/
/docs.mythic-c2.net/

Initial access - problems
1. According to Apple all
the soNware downloaded
directly with your browser
must be notarized

2. NotarizaZon will check if the soNware doesn’t contain malicious
components

3. If you don’t notarize your
app macOS will block it.

Ini=al access – solu=ons for the problems
1. We can create a legit pkg ﬁle,
notarize it and risk our cer<ﬁcate
to be revoked by Apple

Initial access – solutions for the problems
2. We can convince user to right click and open the app. It’s a popular
technique used by malware

3. We can bypass the GateKeeper using a 0-day

4. Use Microsoft Office Macro.

Ini=al access with a MicrosoA Word Macro

Initial access with a Microsoft Word Macro
• Madhav Bhab shared a cool technique to escape the Word’s sandbox.
However, it requires users to reboot their Macs.

…but we have our own 0-days 😈
Presenting :
macOS sandbox escape vulnerability

Persistence
Typical macOS persistence techniques:
• Launch Agents
• Launch Daemons
• Login Items
• Cron Jobs
• Login/Logout Hooks
• Authorization Plugins
• … and tons of others -> https://theevilbit.github.io/beyond/

Persistence – macOS Ventura update

Data Collection
We’re interested in:
• VPN credenZals
• AD credenZals (NoMAD)
• Signal messages
• Browser cookies
• Keychain entries
• AWS / other cloud keys
• Desktop/Documents ﬁles

Data Collec=on – OpenVPN
• You can use my universal app Keylogger
• https://gist.github.com/r3ggi/26f38e6439d96474491432621f2237c0

Data Collection – AD Credentials (NoMAD)
• NoMAD saves your AD credenZals in MacOS Keychain.
• The Keychain has a ﬂaw that allows geHng entries from it without any
prompt / root access / user’s password
• hbps:/
/wojciechregula.blog/post/stealing-macos-apps-keychain-entries/

Data Collection – AD Credentials (NoMAD)
• I open-sourced a NoMADCredenZalsStealer tool as a part of my
#macOSRedTeamingTricks series
• hbps:/
/github.com/r3ggi/NoMADCredenZalsStealer/

Data Collection –
Signal messages

Data Collection – Firefox saved passwords
• Firefox stores saved logins & passwords in an encrypted form
• If master password is not set (default conﬁguraZon) the saved
credenZals can be dumped without root
• hbps:/
/github.com/unode/ﬁrefox_decrypt

Data Collection – flat files and problems with TCC

Transparency, Consent and Control (TCC)

Data Collec=on – ﬂat ﬁles and problems with TCC
• Accessing Desktop/Documents/Microphone and other sensitive
resources will spawn a prompt
• But there are tons of TCC bypasses
• Black Hat Talk: 20+ Ways to Bypass Your macOS Privacy Mechanisms
• We can abuse other apps installed on the device and use their TCC
permissions.

Data Collec=on – ﬂat ﬁles and problems with TCC

…we have our own vulnerabilities #2 😈
Presenting :
a TCC bypass

https://vimeo.com/751597193

Data Collection & Lateral Movement
• Another good news for red teamers – cloud credenZals are stored in ~
• Home directory isn’t TCC-protected!
~/.ssh ~/.aws ~/.azure ~/.config/gcloud

Hardening macOS environments
At least:
1. Enroll your company’s Macs to MDM (eg. JAMF, Intune)
2. Keep them updated
3. Enforce security policies (SIP, Firewall, GateKeeper, Filevault etc)
4. Disable Office macros (if possible in your organization)
5. Install an anti-malware solution
6. Monitor your Macs

h"ps://www.securing.pl/en/service/infrastructure-security-tes7ng/mac-
environments-tes7ng/

Wojciech Reguła
Head of Mobile Security at SecuRing
@_r3ggi wojciech-regula
Thank you!

0-Day Up Your Sleeve - Attacking macOS Environments

More Related Content

What's hot (20)

Similar to 0-Day Up Your Sleeve - Attacking macOS Environments (20)

More from SecuRing (20)

Recently uploaded (20)

0-Day Up Your Sleeve - Attacking macOS Environments