Black Hat USA 2025 | Leveraging Jamf for Red Teaming in Enterprise Environments

Black Hat | Apr 7, 2026

Why It Matters

Unmonitored Jamf Pro deployments give attackers a powerful, low‑visibility pathway to compromise macOS fleets, making proactive monitoring and permission hardening essential for enterprise security.

Key Takeaways

  • Jamf Pro is often left unmonitored after initial deployment.
  • Stolen Jamf credentials enable lateral movement across Mac fleets.
  • Create/update privileges on the Accounts object let a compromised account create or modify privileged accounts.
  • Self-signed packages pushed through Jamf can run without triggering EDR alerts.
  • Two new open-source tools, Eve and JHound, help audit and exploit Jamf tenants.

Summary

The Black Hat USA 2025 session showed how adversary emulation teams can weaponize Jamf Pro, the widely deployed Apple device management (MDM) platform from Jamf, for red-team operations in Fortune 500 environments. Speakers Lance Cain and Daniel Mayer of SpecterOps described Jamf's prevalence in developer-heavy organizations, its typical "set-and-forget" configuration, and the lack of continuous monitoring that together create a fertile attack surface.

Key findings included hard-coded Jamf API credentials recovered from command-line histories, Git commits, and cloud storage. With those credentials an attacker can enumerate JSS objects (computers, policies, scripts, packages, accounts), and an account holding create or update privileges on the Accounts object can create or modify privileged accounts across the whole tenant. By abusing self-signing and the platform's package-deployment features, malicious code could be signed and run without triggering the usual EDR alerts, and the high volume of legitimate admin activity in Jamf makes the malicious actions easy to overlook.
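The credential-discovery step above (Jamf API credentials sitting in shell histories, commits and config dumps) is easy to automate for either side. The scanner below is an added example written for this summary; it is not SpecterOps' tooling or Jamf's code. It recognises the real Jamf Pro authentication surfaces (basic auth against Classic API `/JSSResource/` paths, bearer tokens issued by `POST /api/v1/auth/token`, and client credentials for `POST /api/oauth/token`), but the sample history, hosts, users, tokens and secrets are constructed and fictitious, and treating any host with "jamf" in its name as a Jamf server is an assumed heuristic that on-prem deployments may need to extend.

```python
"""Scan captured text (shell histories, commit diffs, config dumps) for leaked
Jamf Pro credentials.

Added example for this summary; not SpecterOps' or Jamf's code.  The history
below is constructed and every host, user, token and secret in it is fictitious.
"""
import base64
import json
import re
from dataclasses import dataclass

# Lines are only examined if they point at a Jamf Pro surface.  The host
# heuristic ("jamf" somewhere in the host name) is an assumption.
JAMF_INDICATOR = re.compile(
    r"jamfcloud\.com|https?://[\w.-]*jamf[\w.-]*[/\s]|/JSSResource/"
    r"|/api/v1/auth/token|/api/oauth/token",
    re.IGNORECASE,
)
HOST = re.compile(r"https?://([\w.-]+)")
# curl -u user:pass / --user user:pass (basic auth on the command line)
BASIC_FLAG = re.compile(r"(?:^|\s)-(?:u|-user)[\s=]+['\"]?([^\s:'\"]+):([^\s'\"]+)")
# Authorization: Basic <base64(user:pass)>
BASIC_HEADER = re.compile(r"Basic\s+([A-Za-z0-9+/=]{8,})")
# Pro API bearer token: a JWT, i.e. three base64url segments
BEARER = re.compile(r"Bearer\s+([A-Za-z0-9_-]{10,})\.([A-Za-z0-9_-]{10,})\.([A-Za-z0-9_-]{10,})")
# API client credentials for the client_credentials grant
CLIENT_ID = re.compile(r"client_id[\s=:\"']+([A-Za-z0-9-]+)")
CLIENT_SECRET = re.compile(r"client_secret[\s=:\"']+([A-Za-z0-9_.-]{16,})")


@dataclass
class Finding:
    line_no: int
    kind: str         # basic-flag | basic-header | bearer-token | client-credentials
    principal: str    # user name, JWT subject or client_id
    secret_hint: str  # masked secret, safe to put in a report
    host: str


def _mask(secret: str) -> str:
    return f"{secret[:3]}...({len(secret)} chars)"


def _jwt_subject(payload_b64: str) -> str:
    """Return the JWT 'sub' claim if the payload decodes as JSON, else '?'."""
    try:
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        return str(claims.get("sub", "?"))
    except (ValueError, UnicodeDecodeError):
        return "?"


def scan_lines(lines) -> list:
    findings = []
    for n, line in enumerate(lines, 1):
        if not JAMF_INDICATOR.search(line):
            continue  # credentials for other services are out of scope here
        m = HOST.search(line)
        host = m.group(1) if m else "?"
        if m := BASIC_FLAG.search(line):
            findings.append(Finding(n, "basic-flag", m.group(1), _mask(m.group(2)), host))
        if m := BASIC_HEADER.search(line):
            try:
                user, _, pw = base64.b64decode(m.group(1), validate=True).decode().partition(":")
                findings.append(Finding(n, "basic-header", user, _mask(pw), host))
            except (ValueError, UnicodeDecodeError):
                pass
        if m := BEARER.search(line):
            findings.append(Finding(n, "bearer-token", _jwt_subject(m.group(2)), _mask(m.group(3)), host))
        if m := CLIENT_SECRET.search(line):
            cid = CLIENT_ID.search(line)
            findings.append(Finding(n, "client-credentials", cid.group(1) if cid else "?", _mask(m.group(1)), host))
    return findings


def scan_text(text: str) -> list:
    return scan_lines(text.splitlines())


# Constructed sample history (fictitious hosts, users and secrets).
_B64 = base64.b64encode(b"jamfadmin:Summ3r2024!").decode()
SAMPLE_HISTORY = f"""\
ls -la ~/Desktop
curl -s -u jamfadmin:Summ3r2024! https://corp.jamfcloud.com/JSSResource/computers
export TOKEN=$(curl -s -u svc-jamf:Welcome1 -X POST https://corp.jamfcloud.com/api/v1/auth/token | jq -r .token)
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMtamFtZiJ9.c2lnbmF0dXJlLXNpZ25hdHVyZS1zaWc" https://corp.jamfcloud.com/api/v1/computers-inventory
curl -X POST https://corp.jamfcloud.com/api/oauth/token -d client_id=7f1c2d3e-aaaa-bbbb-cccc-123456789abc -d grant_type=client_credentials -d client_secret=K9vQ2mX8pLw4RtY7bN3zA
curl -H "Authorization: Basic {_B64}" https://jamf.corp.internal/JSSResource/accounts
curl -u alice:hunter2 https://git.example.com/api/v4/projects
git log --oneline
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.kind:18} {f.principal} @ {f.host} secret={f.secret_hint}")
```

Secrets are masked before they reach the report so the scanner's own output does not become a second leak; the `alice:hunter2` line is ignored because nothing on it points at Jamf. Run it over `~/.zsh_history`, `~/.bash_history` and `git log -p` output on a fleet, and any bearer token it finds should be treated as live until its 30-minute lifetime is confirmed to have passed or the issuing account's credentials are rotated.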

One case study involved a compromised Mac user whose captured curl requests contained Jamf API tokens; with those tokens the team moved laterally across the entire Mac fleet and stayed undetected for weeks. The presenters also released two open-source tools: Eve, a Python CLI for driving the Jamf Pro APIs with compromised credentials, and JHound, which generates BloodHound-compatible data to map attack paths within a Jamf tenant.

The talk closed with defensive recommendations: continuous monitoring of the Jamf tenant, least-privilege API permissions for both user and service accounts, rotation of credentials and API tokens, audit logging of account, policy, and package changes, and review of self-signed packages before they are deployed. Organizations that leave these gaps open hand adversaries a stealthy foothold across their macOS estate.
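The permission-hygiene recommendation here, and the account-creation attack path described in the summary above, both come down to one question: which accounts hold privileges that give a compromised credential tenant-wide reach? The audit below is an added example written for this summary, not SpecterOps' or Jamf's code. The XML it parses is constructed in the shape the Classic API returns for `GET /JSSResource/accounts/userid/{id}`; the account names and privilege lists are fictitious. The privilege strings follow Jamf's "Create/Read/Update/Delete <Object>" naming, and the assumption that API roles use the same names means a role's privilege list can be passed to `assess()` unchanged.

```python
"""Audit Jamf Pro accounts for privilege combinations that hand a compromised
account tenant-wide reach: creating or updating other accounts, or uploading a
package and attaching it to a policy (code execution on every scoped Mac).

Added example for this summary; not SpecterOps' or Jamf's code.  The XML is
constructed in the shape of the Classic API account object; names and privilege
lists are fictitious.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Privileges that matter for the two attack paths in the talk summary.
ACCOUNT_CONTROL = {"Create Accounts", "Update Accounts"}
PACKAGE_UPLOAD = {"Create Packages", "Update Packages"}
POLICY_CONTROL = {"Create Policies", "Update Policies"}


@dataclass
class Account:
    name: str
    enabled: bool
    privilege_set: str      # Administrator | Auditor | Enrollment Only | Custom
    privileges: frozenset


@dataclass
class Risk:
    account: str
    enabled: bool
    reasons: list


def parse_account(xml_text: str) -> Account:
    """Parse one Classic API <account> document into an Account."""
    root = ET.fromstring(xml_text)
    privs = frozenset(p.text.strip() for p in root.iter("privilege") if p.text)
    return Account(
        name=root.findtext("name", "?"),
        enabled=root.findtext("enabled", "") == "Enabled",
        privilege_set=root.findtext("privilege_set", ""),
        privileges=privs,
    )


def assess(acct: Account) -> Optional[Risk]:
    """Return a Risk listing why this account is dangerous, or None if it is not."""
    reasons = []
    if acct.privilege_set == "Administrator":
        reasons.append("privilege_set=Administrator: full access to every object")
    held = acct.privileges & ACCOUNT_CONTROL
    if held:
        reasons.append("can create/update accounts (" + ", ".join(sorted(held))
                       + "): tenant-wide privilege escalation")
    if acct.privileges & PACKAGE_UPLOAD and acct.privileges & POLICY_CONTROL:
        reasons.append("can upload a package and attach it to a policy: code execution on scoped Macs")
    return Risk(acct.name, acct.enabled, reasons) if reasons else None


def audit(xml_docs) -> list:
    """Assess every account document; enabled accounts are listed first."""
    risks = [assess(parse_account(x)) for x in xml_docs]
    return sorted((r for r in risks if r), key=lambda r: (not r.enabled, r.account))


def _account_xml(name, enabled, privilege_set, privileges):
    """Build a constructed account document in Classic API shape."""
    privs = "".join(f"<privilege>{p}</privilege>" for p in privileges)
    return (f"<account><id>0</id><name>{name}</name><enabled>{enabled}</enabled>"
            f"<privilege_set>{privilege_set}</privilege_set>"
            f"<privileges><jss_objects>{privs}</jss_objects></privileges></account>")


# Constructed sample tenant: one full admin, one read-only inventory account,
# one deployment service account, and one disabled but over-privileged account.
SAMPLE_ACCOUNTS = [
    _account_xml("jamfadmin", "Enabled", "Administrator",
                 ["Create Accounts", "Read Accounts", "Update Accounts", "Delete Accounts",
                  "Create Packages", "Create Policies"]),
    _account_xml("svc-inventory", "Enabled", "Custom", ["Read Computers", "Read Mobile Devices"]),
    _account_xml("svc-deploy", "Enabled", "Custom",
                 ["Read Computers", "Create Packages", "Read Packages",
                  "Create Policies", "Update Policies"]),
    _account_xml("helpdesk-old", "Disabled", "Custom", ["Read Accounts", "Update Accounts"]),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ACCOUNTS):
        state = "enabled" if r.enabled else "DISABLED"
        print(f"{r.account} ({state})")
        for reason in r.reasons:
            print(f"  - {reason}")
```

The disabled `helpdesk-old` account is still reported: a disabled account with Update Accounts is one re-enable away from the account-takeover path, and a compromised admin can re-enable it. Feeding the audit real data means pulling each account's XML from the Classic API and, for API clients, the privilege list of each role; either way the findings are the list of credentials whose theft equals tenant compromise, which is exactly the set to monitor and rotate first.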

Original Description

During the preceding year, SpecterOps has had a surprising amount of success leveraging Jamf APIs to laterally move and execute code on managed macOS systems in mature Fortune 500 client environments with multiple name-brand security products in use. Much of this is due to a lack of awareness among defenders regarding the impacts a compromised Jamf account can have on their organization.
Come learn the details of Jamf exploitation techniques available to threat actors and employed by SpecterOps during the preceding year while performing red team assessments of Fortune 500 client organizations to execute reconnaissance and lateral movement undetected. SpecterOps will share the processes they employ upon gaining access to Jamf administrators or service accounts to leverage APIs to accomplish objectives targeting macOS while evading detections in mature environments.
Demonstrations will be included of newly available open-source tooling introduced to automate the attack paths described. The presentation will end with recommendations to prevent and detect the actions performed for onsite or cloud hosted Jamf tenants.
By:
Lance Cain | Service Architect - Consulting Services, SpecterOps, Inc.
Daniel Mayer | Consultant - Adversary Simulation, SpecterOps, Inc.
Presentation Materials Available at:
