In the last few years, macOS backdoors have become a hot topic in the industry. What used to be a rare occurrence in the wild is happening more and more frequently. Yet as this topic grows in popularity, the details of post-exploitation activity in Mac intrusions remain a mystery. This talk aims to fill that gap by showing attendees a full Mac intrusion performed by a hostile adversary. Process visualizations, command lines, and other artifacts from real-world intrusions will be shared, revealing how the attackers got in, what commands they used to move laterally, and how they manually set up their backdoors while trying to fly under the radar with anti-forensics techniques. Some Linux attack details will be shared as well, since many of the tools, techniques, and procedures are cross-platform. This will be the first time these cases have seen the light of day; they haven't been blogged or talked about anywhere else.
Jaron started his career out of college as an incident responder for APT-based intrusions at a very large corporation. From there he went on to CrowdStrike, where he has worked in many different areas, including intrusion analysis, detection engineering, and research. A large portion of his time is spent investigating Mac- and Linux-based intrusions, as it is his personal belief that these platforms do not get enough attention in the security industry. Jaron is the author of the book OS X Incident Response: Scripting and Analysis, which he wrote while living on the Big Island. After Shakacon, you will likely find him in Hilo eating a loco moco or swimming in the Wailuku River.