Showing Posts About
Luke Roberts
This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.
This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.
This article explores a macOS attack technique that bypasses Apple's Transparency, Consent & Control (TCC) security mechanism. The attack leverages SSH's full disk access to directly modify the TCC database, allowing unauthorized access to protected system resources. Detection methods are demonstrated, focusing on monitoring local SSH connections and direct database modifications.
A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.
The article details multiple attack vectors against Jamf, a macOS enterprise management platform. Techniques for compromising device management systems are explored, including password spraying, user enumeration, and policy abuse. An open-source Jamf Attack Toolkit was developed to demonstrate these attacks and to help defenders test their own deployments against them.