Introducing MacHound: A Solution to MacOS Active Directory-Based Attacks

As a security researcher at XM Cyber, designing core product support for MacOS was one of my goals last year. Designing this support meant researching MacOS’s attack surface with a focus on creating the greatest impact for our current and future clients. As I began my research, I noticed that, as opposed to my initial assumptions, MacOS were not standalone devices that sometimes were managed by an MDM solution; rather, they were integrated and partially managed by the client’s Active Directory (on-prem or Azure). I started mapping out the attack surface that an Active Directory integration adds to MacOS, focusing on performing a lateral movement from the Mac- to the Windows-based parts of the Active Directory, and vice versa. While doing the research, I stumbled upon many security tools that provide most, if not all, of the required capabilities that I was looking for, such as “Bifrost” and “Orchard” by Cody Thomas (kudos!).

MacOS Integration With Microsoft Active Directory

Active Directory-Based Attack Vectors

Image for post
MacOS built-in remote access features
Image for post
Active Directory users and groups added to remote login feature
Image for post
״Allowed administration by” with Active Directory groups enabled

Introducing MacHound

Data Collector

How Does the Data Collection Work? — Computer SMB SID

Image for post
An example execution output used to extract the SMB SID

How Does the Data Collection Work? — Local OpenDirectory Scheme

Image for post
Example of a user plist file
Image for post
Example of a group plist file

How Does the Data Collection Work? — Local Administrative Group Members

How Does the Data Collection Work? — Logged-in Sessions

MacHound Collector Final Output

Image for post
An example output of the MacHound collector

Database Ingestor

Image for post
An example of MacOS logged sessions
Image for post
An example of using Bloodhound to see unrolled administrators on MacOS

Next Steps

Conclusion and Final Thoughts

Rony Munitz is Senior Security Researcher at XM Cyber