Full Report
We uncover macOS lateral movement tactics, such as SSH key misuse and AppleScript exploitation. Strategies to counter this attack trend are also discussed. The post "Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples" appeared first on Unit 42.
Analysis Summary
# Tool/Technique: SSH Key Theft and Unauthorized Access
## Overview
This technique describes how attackers achieve lateral movement in a macOS environment by stealing and exfiltrating existing SSH keys from a compromised host, or by placing their own SSH keys into the trusted `authorized_keys` file on target systems.
## Technical Details
- Type: Technique
- Platform: macOS, Linux (Implied by SSH usage)
- Capabilities: Gaining unauthorized access to remote systems via legitimate SSH authentication mechanisms.
- First Seen: N/A (Standard system functionality exploited)
## MITRE ATT&CK Mapping
- T1021 - Remote Services
- T1021.004 - SSH
- T1078 - Valid Accounts
- T1078.001 - Local Accounts
- T1078.004 - Cloud Accounts (If keys are used for cloud access)
## Functionality
### Core Capabilities
- Stealing and exfiltrating existing SSH private keys belonging to legitimate users.
- Placing attacker-controlled public keys into the target system’s `~/.ssh/authorized_keys` file to establish persistent, trusted access.
### Advanced Features
- Leveraging SSH's built-in trust mechanism (key-based authentication) to bypass password checking for lateral movement.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `~/.ssh/id_rsa`, `~/.ssh/id_dsa`, `~/.ssh/id_ecdsa`, `~/.ssh/id_ed25519`, `~/.ssh/authorized_keys` (modified or added content)
- Registry Keys: N/A
- Network Indicators: N/A (the technique relies on legitimate authentication; any network indicators depend on the attacker's subsequent actions)
- Behavioral Indicators: Unauthorized reading/copying of files in the `.ssh` directory; new, unknown keys added to `authorized_keys`.
## Associated Threat Actors
- N/A (General technique used by various actors)
## Detection Methods
- Signature-based detection: N/A
- Behavioral detection: Monitoring read access to SSH key files, and monitoring modifications to `authorized_keys` files outside of standard system initialization.
- YARA rules: N/A
## Mitigation Strategies
- Implement strong access controls and mandatory multi-factor authentication (MFA) where possible (though MFA is rarely in place for key-based SSH logins and is often not enforced on them).
- Regularly audit `authorized_keys` files on critical systems for unauthorized public keys.
- Restrict SSH access permissions and monitor for key exfiltration.
- Ensure proper permissions are set on SSH key files (a private key such as `id_rsa` should typically have mode 600, readable and writable by its owner only).
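A small audit script for the two checks above (unknown `authorized_keys` entries and over-permissive private key files), added here as an example and not taken from the Unit 42 post; the allowlist file format, the `demo` directory and all key strings are constructed assumptions.

```shell
# Added example, not from the Unit 42 post: audit authorized_keys against a defender-kept
# allowlist of approved public keys and flag private keys readable by group/others.

# Print "keytype base64" for each entry in FILE, skipping blanks, comments and any
# leading options field (e.g. from="10.0.0.0/8",no-pty ssh-ed25519 AAAA... user).
key_ids() {
    awk '/^[ \t]*#/ || NF < 2 { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); break } }' "$1"
}

# Print every key in AUTHKEYS ($1) that is absent from ALLOWLIST ($2).
unknown_keys() {
    key_ids "$1" | while IFS= read -r k; do
        key_ids "$2" | grep -qxF "$k" || printf '%s\n' "$k"
    done
}

# Number of unknown keys; awk always exits 0, so this is safe to call under set -e.
count_unknown() {
    unknown_keys "$1" "$2" | awk 'END { print NR }'
}

# Print private key files in SSHDIR whose mode is neither 600 nor 400. Exact octal
# -perm modes behave the same in macOS/BSD and GNU find.
loose_private_keys() {
    for f in "$1"/id_rsa "$1"/id_dsa "$1"/id_ecdsa "$1"/id_ed25519; do
        [ -f "$f" ] || continue
        find "$f" ! -perm 600 ! -perm 400
    done
}

# Constructed sample data in a temp dir so the example runs offline; none are real keys.
demo=$(mktemp -d); mkdir -p "$demo/.ssh"
cat > "$demo/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKey001 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedApprovedKey002 bob@desk
EOF
cat > "$demo/.ssh/authorized_keys" <<'EOF'
# two approved entries (one with an options prefix) and one that is not on the allowlist
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKey001 alice@laptop
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedApprovedKey002 bob@desk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedUnknownKey003 unknown
EOF
printf 'placeholder, not a real private key\n' > "$demo/.ssh/id_ed25519"
chmod 644 "$demo/.ssh/id_ed25519"   # deliberately too permissive for the demo

echo "unknown authorized_keys entries ($(count_unknown "$demo/.ssh/authorized_keys" "$demo/allowlist")):"
unknown_keys "$demo/.ssh/authorized_keys" "$demo/allowlist"
echo "private keys with loose permissions:"; loose_private_keys "$demo/.ssh"
```

Run it against a real user's `~/.ssh` by replacing `$demo/.ssh` and pointing the second argument at your own approved-key list; anything printed is a candidate for the audit described above.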
## Related Tools/Techniques
- T1098 (Account Manipulation) if keys are added under programmatic control.
***
# Tool/Technique: Apple Remote Desktop (ARD)
## Overview
Apple Remote Desktop (ARD) is a legitimate macOS administration tool. When an attacker compromises an administrator's machine that has ARD installed and configured, they can leverage its capabilities to gain significant command-and-control over multiple corporate macOS machines managed by that administrator account.
## Technical Details
- Type: Tool (Legitimate utility exploited for malicious purposes)
- Platform: macOS
- Capabilities: Remote control, file transfer, running commands, and system management across multiple managed macOS hosts.
- First Seen: 2002 (ARD Release)
## MITRE ATT&CK Mapping
- T1021 - Remote Services
- T1021.003 - Remote Desktop Protocol (Mapped conceptually to administrative remote control)
- T1560 - Archive Collected Data (If ARD is used for exfiltration)
## Functionality
### Core Capabilities
- Establishing remote sessions to managed macOS machines.
- Executing arbitrary shell commands across the managed fleet.
### Advanced Features
- Leveraging pre-existing administrator trust relationships established via the ARD setup to move laterally with high privileges.
## Indicators of Compromise
- File Hashes: N/A (Focus is on application usage)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic patterns consistent with ARD communication protocols.
- Behavioral Indicators: Unscheduled or unauthorized remote command execution originating from the compromised administrator's host via ARD protocols.
## Associated Threat Actors
- N/A (General technique for high-value internal network compromise)
## Detection Methods
- Signature-based detection: Monitoring for ARD application initiating commands or connections from atypical hosts.
- Behavioral detection: Monitoring sequences of commands executed via ARD that indicate reconnaissance or data staging.
- YARA rules: N/A
## Mitigation Strategies
- Harden all administrator workstations where ARD is installed.
- Limit the scope of machines managed by specific ARD instances.
- Use Principle of Least Privilege (PoLP) for administrator accounts used by ARD.
- Monitor ARD usage logs aggressively for unusual command execution patterns.
## Related Tools/Techniques
- Remote Apple Events (RAE), as both are used for authorized remote command execution that can be abused.
***
# Tool/Technique: Remote Apple Events (RAE) via AppleScript
## Overview
Remote Apple Events (RAE) allow an application on one macOS system ('client') to send an event/command to a specific application running on a remote macOS system ('server') within the local network, typically using AppleScript. This is abused by attackers for low-noise lateral movement.
## Technical Details
- Type: Technique (Leveraging built-in OS feature)
- Platform: macOS
- Capabilities: Sending remote commands and events to applications on other local network machines using AppleScript.
- First Seen: N/A (Fundamental feature of macOS IPC)
## MITRE ATT&CK Mapping
- T1021 - Remote Services
- T1570 - Lateral Movement (General mapping)
- T1105 - Ingress Tool Transfer (If RAE is used to download payloads)
## Functionality
### Core Capabilities
- Using AppleScript commands (e.g., `tell application "Finder" of machine "eppc://target.local" to...`) to execute actions remotely.
- Operating within the local network context where RAE might be permitted by default firewall settings.
### Advanced Features
- Executing scripts or code within the context of a running remote application, potentially leading to persistence or further compromise without triggering typical shell execution alerts.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Scripts containing `eppc://` or `remote script` commands.
- Registry Keys: N/A
- Network Indicators: Network activity related to Apple Event communication between hosts.
- Behavioral Indicators: Unexpected AppleScript execution that targets remote hosts within the internal network.
## Associated Threat Actors
- N/A (General technique for internal network exploitation)
## Detection Methods
- Signature-based detection: Monitoring for known malicious AppleScript payloads being executed.
- Behavioral detection: Detecting the use of `System Events` or inter-application communication (IAC) targeting remote machines via RAE protocols, especially from unauthorized processes.
- YARA rules: N/A
## Mitigation Strategies
- Disable "Allow invitations to connect to this computer" under Sharing settings, or restrict access severely.
- Enforce strict firewall rules to block unsolicited remote Apple Event traffic between hosts.
- User training to discourage the use of AppleScript automation that connects to remote systems unless strictly necessary.
## Related Tools/Techniques
- T1059.004 (Command and Scripting Interpreter: AppleScript)