List of Awesome macOS Red Teaming Resources.
As more and more companies begin to adopt macOS as a daily office solution, we often encounter macOS operating system during our Pentest/Red Teaming process. How to hacking macOS, how to achieve Persistence under macOS, and using this as a starting point Lateral Movement to DC is a topic worth research.
This list is for anyone who wants to learn about Red Teaming for macOS but has no starting point.
You can help by sending Pull Requests to add more information.
If you have better ideas or suggestions, please feel free to open a GitHub issue or contact me by email(tonghuaroot@gmail.com).
↑ C2
- Mythic - A cross-platform, post-exploit, red teaming framework designed to provide a collaborative and user friendly interface for operators.
- CrossC2 framework - Generator CobaltStrike's cross-platform beacon
- pupy - Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python.
- gdoor - Gdoor is a red team emulation tool deveoped by CyCraft Technology. We use it to construct a macOS cyber range for red team and blue team.
↑ Tooling
- Orchard - Used for Red Teaming MacOS. JavaScript for Automation (JXA) tool to do Active Directory enumeration.
- Common Domain Enumeration commands in Windows, Mac, and LDAP
- SwiftSpy - macOS keylogger, clipboard monitor, and screenshotter written in Swift
- PersistentJXA - Collection of macOS persistence methods and miscellaneous tools in JXA
- VOODOO - Man in the browser attack framework for macOS
↑ Blog
- macOS Post-Exploitation Shenanigans with VSCode Extensions
- Abusing Slack for Offensive Operations
- Hands in the Cookie Jar: Dumping Cookies with Chromium’s Remote Debugger Port
- Bring Your Own VM - Mac Edition
- We Need To Talk About MACL
- MacOS Injection via Third Party Frameworks
- MacOS Filename Homoglyphs Revisited
- Bypassing MacOS Privacy Controls
- macOS Research Outtakes - File Extensions
- Disabling MacOS SIP via a VirtualBox kext Vulnerability
- Endpoint Security Self-Protection on MacOS
- Escaping the Sandbox – Microsoft Office on MacOS
- macOS Red Team: Calling Apple APIs Without Building Binaries
- MacOS Native API calls in Electron
- Persistent JXA
- Are You Docking Kidding Me?
- Leveraging hijacked Slack sessions on macOS
- Office365 MacOS Sandbox Escape
↑ Free Video
- Mythic Feature Examples
- Hey, I'm Still In Here: An Overview of macOS Persistence Techniques
- Always Watching: macOS Eavesdropping
↑ Training
- Specter Ops - Adversary Tactics: Mac Tradecraft
- MDSec - Adversary Simulation and Red Team Tactics
- EXP-312 Offensive Security macOS Researcher