Break things, write reports

SpecterOps training - VRO and Mac Tradecraft review

Do SpecterOps training, it's good for you (and your team!)

Tags: specterops | training | tradecraft | Categories: windows | OSX
Posted at — Jan 1, 2020

I ended up doing two offerings of SpecterOps Adversary Tactics training this year, Vulnerability Research for Operators (VRO) and Mac Tradecraft (https://specterops.io/how-we-help/training-offerings/adversary-tactics-vulnerability-research-for-operators and https://specterops.io/how-we-help/training-offerings/adversary-tactics-mac-tradecraft), and both were pretty good offerings.

Both offerings ran for two days each, during the week of the 16th to the 20th of November, on PST time and delivered over Zoom.

Living in AU, that practically meant waking up at midnight and staying awake until midday to do the training.

The VRO course covered the following topics:

I think the big thing for me was getting into driver reversing (it's easier than you'd think; the binaries end up with a lot less guff to read) and COM abuse. The rest would be fantastic for your up-and-coming junior-ish staff, and was fairly easy to follow.

The Mac Tradecraft course was also fairly good, but it showed that the state of security on OSX is way behind what it is in Windows land, i.e.:

You'd think an OSX machine would be harder to deal with, but in the end it comes down to slightly more social engineering: the machines are so annoying that people are going to ignore the 50 TCC pop-ups and install/double-click/run your payload anyway, because for them it's just business as usual.

I didn't see the point of TCC other than to make your computer less of a general-purpose PC and move it towards being a phone, giving you less control. It's only a fairly recent thing (2019?): it will prompt the user if you try to do things like take screenshots, but it won't stop you from reading the user's SSH private keys or config stored on disk in their home directory. There's also this annoying file-system permissions thing, but you can ultimately ignore it if you just SSH to the system.

There's a handful of silly mitigations, like how the system will run YARA against certain files before you install them; but as it's just YARA, you can pull the XProtect.yara rules file and try your payload against it before sending it (you probably won't need to, though, as the signatures are pretty specific and trashy).

At worst, pivot to one of these machines, pull the user's credentials for every other system, then bail; do not sit on one of these silly boxes for too long.

Both courses ran really well over Zoom: you remote into a team-based lab using Guacamole, which also worked fairly well. Our team ended up with some good guys, and we got a lot of good time with the SpecterOps staff (we had some cool chats with https://github.com/cobbr and https://github.com/D00MFist during both courses, as they just hop into your Zoom call and say hi).

I would recommend the training, but it does make me wonder whether organisations are better off with Windows/Azure AD boxes: at least end users there don't expect to be able to just run arbitrary crap all the time (maybe the app packaging options for OSX are bad?), or to run as admin.