{
	"id": "8947137d-ae23-41e4-ae18-70a371c22d05",
	"created_at": "2026-04-06T00:22:32.124937Z",
	"updated_at": "2026-04-10T13:12:29.112357Z",
	"deleted_at": null,
	"sha1_hash": "0a4fc1c110fd626769fc2c6b603eff89d220e300",
	"title": "Operating with EmPyre",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 562625,
	"plain_text": "Operating with EmPyre\r\nBy Steve Borosh\r\nPublished: 2018-04-11 · Archived: 2026-04-05 18:27:25 UTC\r\nIf you’re reading this post, I sincerely hope you’ve already started with reading @harmj0y’s first blog post about EmPyre, located here: http://www.harmj0y.net/blog/empyre/building-an-empyre-with-python/\r\nThis post is the second in what will be a great series to help users understand and operate using EmPyre. Let’s get started!\r\nOperating in an OS X environment may seem like a daunting task. Many people are under the assumption that merely using a Mac computer makes you or your organization secure. This blog post will cover why that is not necessarily true, how an attacker can effectively operate in an OS X or mixed environment, and what defenders can do to avoid having their OS X infrastructure breached.\r\nEvery year, CVE Details reports on the number of distinct vulnerabilities found in software and operating systems. In 2015 OS X topped the list with a recorded 416 reported vulnerabilities.\r\nhttps://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363\r\nPage 1 of 5\r\nCompare that to Windows Server 2012’s 155 and you can see a huge difference in statistics. Operating from an OS X platform certainly does not mean you are more secure these days. Malware authors have taken notice of the rising market share of the OS X operating system, and the numbers of malware for OS X are also climbing. In 2016, Carbon Black released a report titled “2015: The Most Prolific Year for OS X Malware”. In this report, Carbon Black research found 948 malware samples, compared to 180 total for the years 2010 to 2014. Attackers are certainly finding ways to operate on the OS X platform.\r\nAs an attacker or security tester, options have been very limited on how to conduct operations against targets utilizing OS X. The Italian security firm “The Hacking Team” utilizes home-grown implants known as the Remote Code Systems (RCS) compromise platform to operate on OS X environments. For the rest of the world, you either have to create your own Remote Access Trojan or find another method for continuous operations. Enter EmPyre, an OS X/Linux offshoot of the PowerShell Empire project.\r\nEmPyre was initially developed by @harmj0y in response to a client’s need for testing OS X platforms. The initial post on EmPyre may be found here, containing more details of the RAT’s infrastructure and communications platform. I’m going to cover some of the tradecraft that was built into the RAT to support continuously operating in an OS X environment.\r\nWhile operating from an OS X environment brings its own challenges, the methodology commonly used for penetration tests or red teams still applies.\r\nDuring a penetration test or red team, gaining access can either be manually seeded by the client Point of Contact (POC) or phishing may be required. If you must conduct phishing to gain access, options are limited in comparison to those available to testers targeting Windows systems. Currently, EmPyre supports two payloads that may be used in a phishing attack. These payloads are Microsoft Office macros or an HTML page that calls an AppleScript launcher based on CVE-2015-7007.\r\nOS X environments provide some native situational awareness commands that typically aren’t available on other operating systems. Some examples are “pbpaste” for grabbing clipboard contents, “screencapture” for grabbing screenshots, and “curl”, which can be useful for downloading files or data exfiltration. For the EmPyre RAT, we’ve used some lessons learned during operations to decrease the chances of detection. We’ve also taken these native methods and created non-native Python modules that perform the same action and are harder to detect. With EmPyre you’re also able to run port scans, query Active Directory, dump hashes, and perform all the standard post-exploitation functions.\r\nPrivilege escalation from EmPyre is currently limited to spawning an agent using the “sudo” command. There have recently been several local privilege escalation exploits released for OS X in 2016. These have yet to be built into EmPyre and would be a great way for the community to provide support to the project.\r\nOS X has several mechanisms available to obtain persistence. Cronjobs allow for time-based persistence, login hooks allow for user login persistence, launch daemons persist through reboots, and, much like Windows DLL hijacking, there’s DyLib hijacking based on the research of @patrickwardle. All of these methods have been built into EmPyre.\r\nFinally, lateral movement is the last portion of tradecraft to cover. With Windows, there are many luxuries such as WMI, Pass-the-Hash, executing files over UNC, WinRM and Remote Desktop Protocol. OS X provides us with SSH, if it’s enabled. Lessons learned from engagements show that it is usually turned on in a corporate environment, as administrators need to admin somehow. EmPyre has modules to either launch SSH commands or send a launcher string for a new agent to a remote host. Pivoting from OS X to Windows becomes even trickier, as there currently isn’t a solid Pass-the-Hash solution for OS X. EmPyre does, however, have a module to exploit JBoss on Windows via Java serialization, and that can send an agent callback to another Empire server.\r\nIn closing, we now understand that organizations that utilize OS X as a security boundary may not be doing themselves justice without a proper defense-in-depth approach. As research shows, OS X is prone to vulnerabilities just like other operating systems and software. With the proper tools such as EmPyre, a security tester can effectively perform security testing through a pure OS X or mixed environment. What does this mean for the blue teams out there? Email filters, blocking macros, host-based protection, network heuristics and log aggregation all still play a part in the defense-in-depth approach. We know that OS X has several commands that we should look for. Most of your users aren’t going to be running “pbpaste” from the terminal. Most users aren’t going to curl data out of your network either. Monitoring for subtleties like this can be a huge tip-off of malicious activity in the network.\r\nStay tuned for more in-depth blogs from other ATD members!\r\nGet started with EmPyre here\r\nSource: https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363"
	],
	"report_names": [
		"operating-with-empyre-ea764eda3363"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a4fc1c110fd626769fc2c6b603eff89d220e300.pdf",
		"text": "https://archive.orkl.eu/0a4fc1c110fd626769fc2c6b603eff89d220e300.txt",
		"img": "https://archive.orkl.eu/0a4fc1c110fd626769fc2c6b603eff89d220e300.jpg"
	}
}