Many companies are deploying an increasing number of OS X hosts in their corporate networks, presenting a challenge to pentesters traditionally accustomed to Windows toolsets and tradecraft. Red teaming begets creativity, however, and if you encounter a Mac-heavy environment on an engagement, one must adapt and rise to the occasion.
This presentation covers our custom remote access tool, EmPyre, that we built in response to this very challenge. EmPyre is a Python-based RAT heavily focused towards OS X and built on the same secure communications and flexible architecture of the PowerShell Empire project. EmPyre features post-ex modules including keylogging, hash dumping, clipboard stealing, network situational awareness, lateral spread and more, as well as stager options ranging from macros to dylibs. We will also cover components of Mac tradecraft and how one can utilize EmPyre to execute a complete engagement in a predominantly OS X environment.