Executive Summary

In this article, we explore various lateral movement techniques for macOS, some of which are specific to macOS while others are shared by other operating systems. We’ll also provide real-world examples to illustrate these methods and discuss detection opportunities.

This article will discuss the use of the following techniques to carry out lateral movement:

  • SSH key theft and unauthorized access: This section covers how attackers achieve lateral movement by stealing and exfiltrating SSH keys. Attackers can also place their own public key in a user's authorized_keys file, which designates that key as trusted for login.
  • Apple Remote Desktop (ARD): This section discusses the significant advantage an attacker gains by compromising an administrator's machine that hosts the ARD administrator application, which could ultimately lead to total control over multiple corporate machines.
  • Remote Apple Events (RAE): This section goes over how AppleScript can be used to send Remote Apple Events, allowing specific events to be executed by an application on a remote machine within the local network.
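A defender-side check implied by the SSH bullet above, added here as an example that is not part of the original article: it parses authorized_keys entries, computes OpenSSH-style SHA256 fingerprints, and reports any key that is absent from a provisioning-time baseline. The baseline and current file contents, and the key bytes in them, are constructed for illustration and are not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> dict:
    """Map fingerprint -> (key_type, comment) for every key entry in the file.

    Blank lines and '#' comments are skipped. A leading options field such as
    'no-pty' is tolerated by locating the key-type token; options containing
    quoted spaces are not handled by this simple whitespace split.
    """
    keys = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed entry: no key blob after the type
        keys[fingerprint(fields[idx + 1])] = (fields[idx], " ".join(fields[idx + 2:]))
    return keys


def audit(baseline: str, current: str) -> list:
    """Return (fingerprint, key_type, comment) for keys present now but not in the baseline."""
    known = parse_authorized_keys(baseline)
    now = parse_authorized_keys(current)
    return [(fp, *now[fp]) for fp in now if fp not in known]


def make_key_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line around a fabricated 32-byte key (constructed data)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: a snapshot taken at provisioning time, and the file as found now.
ADMIN_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "admin@workstation")
ROGUE_KEY = make_key_line("ssh-ed25519", bytes(range(32, 64)), "backup")
BASELINE = ADMIN_KEY + "\n"
CURRENT = f"{ADMIN_KEY}\n# line added later\n\n{ROGUE_KEY}\n"

if __name__ == "__main__":
    for fp, key_type, comment in audit(BASELINE, CURRENT):
        print(f"unexpected key {fp} ({key_type}) comment={comment!r}")
```

On a real host the baseline would be captured from each user's ~/.ssh/authorized_keys at provisioning time and compared periodically or on file-modification events.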

Lateral movement refers to the techniques cyberattackers use to navigate through a network after compromising an initial system. This phase is crucial for attackers to achieve their ultimate objectives, which might include data exfiltration, persistence or further system compromise.

While much of the focus has historically been on lateral movement in Windows environments, macOS is not immune to these tactics. Moreover, their use against macOS is a growing trend in attacks.