Leveraging Jamf for Red Teaming in Enterprise Environments
Black Hat USA 2025 · Day 1 · Briefings
SpecterOps researchers Lance Kane and Dan Mayer revealed that Jamf Pro — the dominant mobile device management platform in enterprise macOS environments — can be systematically abused for privilege escalation, lateral movement, and persistent code execution, often undetected by modern EDRs. They released two open-source tools at the talk: Eve, a purpose-built Jamf attack toolkit, and Jamf Hound, a BloodHound-compatible graph-based attack path mapper for Jamf environments.
AI review
SpecterOps found a management plane that security teams completely ignore, built a BloodHound-compatible attack graph tool for it, went undetected on production EDR for six to seven weeks in real engagements, and released two open-source tools at the talk. The extension attribute fleet-wide execution primitive is particularly ugly. Real work, real tooling.