Macs are becoming commonplace in corporate environments as a alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an active directory domain and ripe for attackers to leverage for initial access and lateral movement. Mac malware is evolving as Mac computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting MacOS systems in a enterprise environment. Despite advancements in MacOS security tooling for a single user/endpoint, little is known and discussed regarding detection at a enterprise level. This talk will discuss common tactics, techniques and procedures used by attackers on MacOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their MacOS fleet.
Richie Cyrus is a Senior Threat Hunter at SpecterOps where he specializes in detection of advanced adversaries with a focus in MacOS and Linux environments. Richie has a background in incident response, forensics and security operations spanning across Fortune 500 companies and the public sector, to include Apple Inc. and CME Group Inc. He currently maintains a DFIR focused blog at https://securityneversleeps.net.