SO-CON 2022: Adversary Tactics - Mac Tradecraft Training - October 2022


Date and time


Hyatt Regency Reston

1800 Presidents Street

Reston, VA 20191

Refund policy

Refunds up to 7 days before event

Eventbrite's fee is nonrefundable.

Hybrid Event - This course will take place onsite in Reston, VA and online, using virtual software to stream live instructors.

About this event

Hybrid Event

This course will take place both In Person in Reston, VA and Live Online (using virtual software to stream live instructors). Scheduled course delivery hours will be 9:00AM to 5:00PM ET.

Limited In Person seating is available on a first-come, first-served basis. If you would like to attend In Person, select the "In Person" ticket type during registration.

Confirmed attendees will receive logistics information one week prior to the event.


COVID Safety Protocols

Updated: June 2, 2022

  • Vaccine Status: All attendees and staff are encouraged to be fully vaccinated to attend trainings; however, there will be no vaccine status requirement or verification.
  • Masks: Masks are recommended, but not required, for everyone in attendance. Masks should be well-fitting and cover the nose and mouth.
  • Hand Sanitizing & Washing: Hand sanitizing stations will also be available throughout the training space. We encourage people to wash their hands frequently.
  • Social Distancing: Seats within the classrooms will be laid out to provide spacing between participants. As for social distancing while not in your seat, we ask that you do your best and keep your mask on.
  • Testing: Testing options will be provided onsite.
  • Wellness Checking: Please self-evaluate your wellness on a daily basis. If at any point during the training you feel sick/have a fever/have symptoms of COVID, please quarantine in your hotel room. We can immediately switch you to remote attendance so you don't miss any class time while isolating.
  • Please note that SpecterOps will continue to monitor COVID data and local guidance until the event and may update protocols accordingly. If you have any questions, please contact



Red team operators have enjoyed robust community and commercial tooling to simulate advanced adversary tradecraft in traditional enterprise environments. As organizations have increasingly moved to hybrid, or non-Windows, environments, our red team community knowledge has not kept pace. This course focuses on bridging that gap, highlighting the latest macOS security enhancements, and arming red teamers with the foundational knowledge to operate against macOS endpoints. The objective is to dive deep into the concepts behind techniques to enable operational flexibility and prepare for future macOS enhancements, rather than simply training with specific available tooling.

Course Summary

While Windows is the main operating system in many enterprise environments, more companies are taking a hybrid approach to allow employees a choice of Mac or Windows, or forgoing Windows environments entirely. Regardless of the base operating system, the core tactics and tenets of adversary capability are the same - given enough time and resources, adversaries will find a way to achieve their objectives. Apple's approach to addressing the adversary problem is to force all non-Apple execution to user land and introduce new security enhancements for each version of macOS that bring the macOS and iOS operating systems closer together. When it comes to emulating tactics, techniques, and procedures (TTPs) on macOS, more time and emphasis must be placed on subverting Apple's custom controls such as Gatekeeper, Application Notarization, Entitlements, TCC, and System Integrity Protection rather than bypassing EDR products.

The Adversary Tactics: Mac Tradecraft course drops you into a modern macOS hybrid environment which mimics what SpecterOps operators encounter in real-world red team exercises. Participants will focus on macOS payloads for initial access, crafting custom techniques on the fly via JXA and Objective-C, identifying persistence and privilege escalation opportunities, stealing credentials, and avoiding common EDR detections via XPC services and native APIs. The course aims to teach participants about the consequences of their actions and the details behind their techniques rather than just how to run common tooling.

Course Syllabus

Updated course syllabus for the newly-expanded three-day version of this course will be published soon!

Participant Requirements

This course is not for beginners and includes team-based, on-keyboard execution of complex red team tradecraft against macOS endpoints. Participants should be comfortable with penetration testing concepts and tools, Active Directory, and macOS internals.

Hardware Requirements

  • Internet Connection
  • 8 GB of RAM
  • Modern Web Browser capable of rendering HTML5


How can I contact the organizer with any questions?

Please email with any questions.  

What's the refund policy?

Full refunds will be provided up to 7 days before the course start date.
