Bridge the Mac Gap
Red team operators have long enjoyed robust community and commercial tooling to simulate advanced adversary tradecraft in traditional enterprise environments. As organizations have increasingly moved to hybrid, or non-Windows, environments our red team community knowledge has not kept pace. This course focuses on bridging that gap to enable red teamers to operate in increasingly hybridized or macOS-focused environments.
In Adversary Tactics: Mac Tradecraft, we highlight the latest macOS security enhancements and arm participants with the foundational knowledge to operate against macOS endpoints and environments. The course then builds on that foundation through a deep dive into the concepts behind techniques to enable operational flexibility and prepare for future macOS enhancements, rather than simply training with specific available tooling.
- Introduction & Course Overview
- Lab and course range infrastructure
- macOS Introduction
- macOS Security
- C2 Frameworks & Mythic Overview
- Initial Access & Payload Development
- Situational Awareness
- Active Directory & Kerberos
- Entitlements, TCC, & System Integrity Protection
- Privilege Escalation
- Credential Access
The Adversary Tactics: Mac Tradecraft course drops you into a modern macOS hybrid environment that mimics what SpecterOps operators encounter in real-world red team exercises. Participants will focus on macOS payloads for initial access, crafting custom techniques on the fly via JXA and Objective-C, identifying persistence and privilege escalation opportunities, stealing credentials, and avoiding common EDR detections via XPC services and native APIs. The course aims to teach participants about the potential OPSEC consequences of their actions and the details behind their techniques rather than just how to run common tooling.
This advanced course is intended for expert red team operators or those with previous macOS experience looking to learn more about how macOS controls and technology affect an adversary's tradecraft or mindset. The course includes a team-based, hands-on lab requiring on-keyboard execution of complex red team tradecraft against macOS endpoints.
Participants should be familiar with penetration testing concepts and tools, Active Directory, and macOS internals.
Participants must provide their own computer with a modern web browser installed to access training materials and complete the course’s labs. The SpecterOps training platform URL (https://specterops.training) must be accessible from the participant’s computer throughout the duration of the course.
There are no local virtual machines or special software required to fully participate in the course or labs.
During the course, participants will be provided access to a comprehensive range to perform course labs and goals.
Upon completion of the course, participants are provided with a copy of course slides, copies of solution guides/videos, and a certificate of completion.
Explore Other Training Options
If a public offering of the training classes does not fit your busy schedule, our team of experts is available to provide a private training offering to your organization. This is by far the best way for your team to get one-on-one access to the instructors and solidify the material. We provide all training material as well as laptops and classroom locations if needed.