
I was recently introduced to a variety of detection/hunting tools for macOS. Listed below are some of the tools I am interested in learning to broaden my toolkit and better learn Mac security.

  • Google Santa
  • XNUmon
  • Little Snitch
  • OSQuery

These are just some tools and as you can see, most are detective. Coming from an offensive background, setting up a home lab is easy. You have an attack machine with your toolkit, and vulnerable machines to practice your "skillz" on.

To me, practising defensive tools seems harder and I don't have access to use these tools at work. How can I learn these tools at home? Does anybody have any experience with this problem and can share some insight into a solution?

schroeder
Hysii

2 Answers


A defensive lab is nothing other than an offensive lab with added defensive tools. A good methodology is to have lab systems with these defensive tools, use your offensive tools to attack the lab systems, move laterally etc., and then use the defensive tools to see whether you can detect and/or prevent your attacks. If you scale that approach up to multiple people in the enterprise, you have the essence of purple teaming. In case you run out of ideas, I find MITRE's ATT&CK framework a very useful source of inspiration; it also includes many macOS TTPs.


DetectionLab is meant to run on macOS and demonstrate Blue Team tradecraft across a Windows Server Domain using Windows servers and endpoints.

However, it uses osquery and rules specifically geared for incident response using osquery. osquery remains OS-neutral, working for Windows, Linux, and macOS. The environment can easily be adapted to support macOS demonstrations.

atdre