{
	"id": "57d3358d-35d2-4745-8ac5-10f2a7e03ab2",
	"created_at": "2026-04-06T00:10:19.204851Z",
	"updated_at": "2026-04-10T03:36:22.026066Z",
	"deleted_at": null,
	"sha1_hash": "c559efe5fdf9fff82b6687cd8a5ff12438b59c5b",
	"title": "External to DA, the OS X Way",
	"llm_title": "",
	"authors": "Alex Rymdeko-Harvey, Steve Borosh",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1721376,
	"plain_text": "External to DA, the OS X Way\r\nArchived: 2026-04-05 21:57:33 UTC\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 1 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 2 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 3 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 4 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 5 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 6 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 7 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 8 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 9 of 20\n\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 10 of 20\n\nMore Related Content\r\nPDF\r\nIntroduction to red team operations\r\nPPTX\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 11 of 20\n\nSticky Keys to the Kingdom\r\nPDF\r\nAddios!\r\nPDF\r\nInternal Pentest: from z3r0 to h3r0\r\nPDF\r\nDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware\r\nPDF\r\nSecurity events in 2014\r\nPPTX\r\nOutlook and Exchange for the bad guys\r\nPPTX\r\n[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques \u0026 How To (Try To...\r\nWhat's hot\r\nPDF\r\nLateral Movement: How attackers quietly traverse your Network\r\nPPTX\r\nBSIDES-PR Keynote Hunting for Bad Guys\r\nPDF\r\nDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli\r\nPDF\r\nMalware collection and analysis\r\nPDF\r\nAnatomy of a Cloud Hack\r\nPDF\r\nFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 12 of 20\n\nPPTX\r\nInvoke-Obfuscation DerbyCon 2016\r\nPPTX\r\nPentest Apocalypse - SANSFIRE 
2016 Edition\r\nPPTX\r\n[CB16] Facebook Malware: Tag Me If You Can by Ido Naor \u0026 Dani Goland\r\nPDF\r\nWeb security for developers\r\nPDF\r\nhackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2\r\nPDF\r\nDefcon 22-philip-young-from-root-to-special-hacking-ibm-main\r\nPPTX\r\nInjection flaw teaser\r\nPPTX\r\nOffensive Python for Pentesting\r\nPPT\r\nMalware Analysis Made Simple\r\nPPT\r\nBSides Philly Finding a Company's BreakPoint\r\nPDF\r\nTeelTech - Advancing Mobile Device Forensics (online version)\r\nPPTX\r\nLateral Movement - Phreaknik 2016\r\nPDF\r\nAttack All the Layers - What's Working in Penetration Testing\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 13 of 20\n\nPDF\r\nAttacker's Perspective of Active Directory\r\nSimilar to External to DA, the OS X Way\r\nPDF\r\nBuilding an EmPyre with Python\r\nPPTX\r\nInOffensive Security_cybersecurity2.pptx\r\nPDF\r\nAdvanced Threats and Lateral Movement Detection\r\nPDF\r\nThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class\r\nPPTX\r\nDisruptionware-TRustedCISO103020v0.7.pptx\r\nPDF\r\nWho Should Use Powershell? 
You Should Use Powershell!\r\nPDF\r\nThe Supporting Role of Antivirus Evasion while Persisting\r\nPPTX\r\nBridging the Gap: Lessons in Adversarial Tradecraft\r\nPDF\r\nPHDays 2018 Threat Hunting Hands-On Lab\r\nPDF\r\nGetting Bear-y Cozy with PowerShell\r\nPDF\r\nMetasploit\r\nPPTX\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 14 of 20\n\nRed Team Apocalypse\r\nPPTX\r\ncomputer security principles and practice chapter 8\r\nPPTX\r\nLannguyen-Detecting Cyber Attacks\r\nPDF\r\nDEF CON 27 - workshop - RICHARD GOLD - mind the gap\r\nPPTX\r\nBridging the Gap\r\nPPT\r\nBsides-Philly-2016-Finding-A-Companys-BreakPoint\r\nDOCX\r\nARMITAGE-THE CYBER ATTACK MANAGEMENT\r\nPPTX\r\nDC612 Day - Hands on Penetration Testing 101\r\nPDF\r\nTry {stuff} Catch {hopefully not} - Evading Detection \u0026 Covering Tracks\r\nExternal to DA, the OS X Way\r\n1.\r\nExternal to DA,the OS X Way Operating in an OS X-heavy environment\r\n2.\r\nContents  Introduction  Overview Tradecraft Preparation  Challenges  The Agent  Phishing \r\nSituational Awareness: Host Enumeration  Privilege Escalation  Persistence  Situational Awareness:\r\nNetwork and User Enumeration  Lateral Movement\r\n3.\r\nIntroductions  Alex Rymdeko-Harveyis a previous US Army Solider that recently transitioned and\r\ncurrently works at the Adaptive Threat Division at Veris Group as a Penetration Tester and Red Teamer.\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 15 of 20\n\nAlex has a wide range of skills and experience from offensive and defensive operations taking place in\r\ntoday's security surface.  Steve Borosh is a long-time security enthusiast. Prior: U.S. Army Infantry\r\nCombat Veteran and private security contractor. Currently working as a Penetration Tester, Red Teamer and\r\nInstructor with Veris Group’s Adaptive Threat Division. 
Steve enjoys bug hunting, building useful security\r\ntools and teaching.\r\n4.\r\nOverview • Typical penetration tests cover Windows / Linux • Assessments become mundane • Client\r\napproaches with a large OS X user-base • Use common methodologies with new tools and techniques\r\nadapted for OS X • Utilize EmPyre, a Remote Access Trojan based off of the Empire framework\r\n5.\r\nAdversarial Use • WireLurker (Trojanized applications, infects connected iOS devices) • XcodeGhost\r\n(Infected Xcode package in China) • Hacking Team (Remote Control System compromise platform) •\r\nOceanLotus (Flash dropper, downloads Mach-O binary) • KeRanger (Ransomware, infected Transmission\r\npackage)\r\n6.\r\nThe Scenario • A client requests an external penetration test against their corporate infrastructure. • Phishing\r\nwith payloads may be conducted, within the agreed rules of engagement, using email addresses harvested from publicly available sources. • 90% of\r\nusers utilize OS X with several developers using Windows\r\n7.\r\nScenario: Goals • Phish OS X users • Elevate local privileges • Move laterally if needed • Gain control of\r\nthe Active Directory domain\r\n8.\r\nTradecraft Preparation • Planning and Preparation • Right tools for the job • Live off the land (use binaries already on the host, e.g. pbpaste and screencapture, rather than dropping tools) • pbpaste •\r\nscreencapture • Native vs Non-Native • Methodology • Reconnaissance • Exploitation (gain access) •\r\nSituational Awareness • Escalate Privileges • Establish Persistence • Lateral Movement Gain Access\r\nSituational Awareness Escalate Privileges Establish Persistence Lateral Movement\r\n9.\r\nChallenges  Limited information on operating in OS X environments  No open-sourced asynchronous\r\nRemote Access Trojan (RAT)  Lateral Spread  OS X/Linux  Windows  Fewer phishing payloads\r\navailable  No OLE  Fewer executable types\r\n10.\r\n11.\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 16 of 20\n\nThe Agent: EmPyre Remote Access Trojan (RAT)  Python (core developed by @harmj0y) based on the\r\nEmpire project  Asynchronous / 
C2  Diffie-Hellman key exchange for agent/C2 communications (the slides do not say how the agent authenticates the server; an unauthenticated DH exchange alone does not protect against an active man-in-the-middle)  Post-Exploitation modules  OS X/Linux  Launcher detects Little Snitch\r\n12.\r\nThe Agent: EmPyre The Diffie-Hellman implementation is from Mark Loiseau's project at\r\nhttps://github.com/lowazo/pyDHE, licensed under version 3.0 of the GNU General Public License.  The\r\nAES implementation is adapted from Richard Moore's project at https://github.com/ricmoo/pyaes, licensed\r\nunder the MIT license.\r\n13.\r\n14.\r\nPhishing: Payload Generation  CVE-2015-7007 HTML AppleScript launcher  OS X Microsoft Office Macro\r\n Supports Office 2011  Office 2016 = “Sandbox” (macros run inside the Office 2016 app sandbox, which restricts what the payload can reach)\r\n15.\r\n16.\r\nSituational Awareness: Host Previous Tradecraft  PowerShell  WMI  PowerUp  Cobalt Strike\r\nBeacon modules  Meterpreter modules  The core of knowing your land  How do we priv-esc?\r\n17.\r\nSituational Awareness: Host Keylog  Keychain Dump  Clipboard Monitoring  Scrape Messages \r\nHash Dump  Browser Dump\r\n18.\r\n19.\r\n20.\r\nSituational Awareness: Keychain Dump  Cleartext Keychain Dump  Versions prior to OS X El Capitan\r\nInspired / Adapted from Juuso: https://github.com/juuso/keychaindump\r\n21.\r\nSituational Awareness: Search Messages  Scrapes Messages.app DB  iMessage, Jabber, Google Talk,\r\nYahoo, AIM  Enumerate X messages  Account  Service  Number  message\r\n22.\r\n23.\r\n24.\r\n25.\r\n26.\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 17 of 20\n\nPersistence  Login Hooks  Login persistence  Crontab  Hourly persistence  LaunchDaemon \r\nReboot persistence  Dylib Hijacking  Application start persistence\r\n27.\r\nPersistence: Login Hook - User Context Persistence  Mac Login Hooks  Bash / AppleScript execution \r\nAccessible to all users  Uses “defaults” tool  Sets com.apple.loginwindow LoginHook (a plist key defenders can audit and monitor for)\r\n28.\r\n29.\r\n30.\r\n31.\r\n32.\r\n33.\r\n34.\r\nSituational Awareness: Active Directory Modules \r\nsituational_awareness/network/active_directory/get_computers 
\r\nsituational_awareness/network/active_directory/get_domaincontrollers \r\nsituational_awareness/network/active_directory/get_fileservers \r\nsituational_awareness/network/active_directory/get_groupmembers \r\nsituational_awareness/network/active_directory/get_groupmemberships \r\nsituational_awareness/network/active_directory/get_groups \r\nsituational_awareness/network/active_directory/get_ous \r\nsituational_awareness/network/active_directory/get_userinformation \r\nsituational_awareness/network/active_directory/get_users\r\n35.\r\nSituational Awareness: GPP Group Policy Preferences  Pulls “Encrypted” passwords from SYSVOL (the cpassword AES key is published by Microsoft, so any domain user who can read SYSVOL can decrypt them)  MS14-025 (blocks setting new GPP passwords but does not remove existing cpassword entries from SYSVOL; defenders should purge them) https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py\r\n36.\r\n37.\r\nSituational Awareness: LDAP Queries  Utilizes LDAP queries to pull objects such as computers, users,\r\ngroups and more from Active Directory.\r\n38.\r\nSituational Awareness: Web Services  find_fruit module  Checks for possibly vulnerable web\r\napplications  Tomcat  JBoss  iDRAC  Apache Axis2  etc.\r\n39.\r\nLateral Movement  Previous Tradecraft  Linux  SSH  Telnet  Exploitation  Windows \r\nPSEXEC  WMI  Exploitation  RDP\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 18 of 20\n\n40.\r\n41.\r\n43.\r\nHonorable Mention: REST API  EmPyre implements the same RESTful API specification as Empire \r\nhttps://github.com/PowerShellEmpire/Empire/wiki/RESTful-API  External users/projects can fully\r\ncontrol an EmPyre server in a predictable way via REST requests (anyone who can reach this API controls every agent, so it must be authenticated and exposed only on operator-reachable interfaces)  This opens the possibility for web front\r\nends, Android apps, multi-player CLI UIs, and more\r\n44.\r\nWhat’s next  SocksProxy  Community Modules  More Exploitation Modules  Merge with Empire\r\nThanks to @harmj0y, @xorrior, @CptJesus for their contributions to this effort!\r\nEditor's Notes\r\n#3 Steve starts talking\r\n#4 Introduce ourselves\r\n#5 As a Penetration Tester or Red Teamer, the path to Domain Administrator in many environments 
may\r\nseem all too easy or “cookie cutter” these days. But what happens when you engage a high-security client\r\nwith an OS X-heavy environment? Do you turn down the engagement or accept the challenge and up your\r\ngame? This talk explores such a scenario and how testers can utilize various tools, techniques, and lessons learned to successfully perform a complete assessment in an OS X domain-joined environment. We will\r\ncover a custom-built OS X/Linux agent and its associated tradecraft, from gaining initial access, to post-exploitation, lateral spread, persistence, and domain compromise. \r\n#9 Keep in mind, methodologies stay the same for OS X; tradecraft may change. Explain such as “How do\r\nwe gain access in OS X”? SSH/Phishing.\r\n#10 Different operating systems present their own lateral spread challenges. (Linux: no SMB, WMI,\r\nPowerShell) (Windows: no SSH; OS X doesn't have the net commands)\r\n#11 Alex starts. Familiar interface for Empire users.\r\n#15 Currently, we have two payloads for phishing.\r\n#17 Talk about tradecraft as a whole. This is post-exploitation enumeration.\r\n#18 Keychain Dump - No El Capitan YET\r\n#19 Currently saves to target in an unencrypted format (plaintext dump written to the target's disk: a forensic artifact for defenders and a data-handling concern for the operator).\r\n#22 Talk about how messages are stored unencrypted in a database\r\n#24 Currently, only dumps history. Useful for hunting internal web services.\r\n#29 Steve starts\r\n#35 Utilizes “ldapsearch” for AD enumeration\r\n#37 In order to perform LDAP queries we’ll need to start off by finding the domain controller that we are\r\ngoing to bind our LDAP queries to. One quick solution is a single nslookup query (for example, the domain's _ldap._tcp SRV record).\r\n#40 During most penetration tests, you may find yourself moving from host to host using common\r\ntechniques such as PSEXEC, WMI or RDP. Operating in an OS X environment presents challenges as\r\nthese methods may not be available. 
\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 19 of 20\n\nSource: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nhttp://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way"
	],
	"report_names": [
		"external-to-da-the-os-x-way"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c559efe5fdf9fff82b6687cd8a5ff12438b59c5b.pdf",
		"text": "https://archive.orkl.eu/c559efe5fdf9fff82b6687cd8a5ff12438b59c5b.txt",
		"img": "https://archive.orkl.eu/c559efe5fdf9fff82b6687cd8a5ff12438b59c5b.jpg"
	}
}