MacOs Workshop - Hunt for Red Apples: Ocean Lotus Edition Part2
2021-08-07, 14:00–18:00, Workshops Track 1

The Hunt for Red Apples workshop guides participants through emulation walkthroughs, hunting playbooks, & hunting exercises around an Ocean Lotus intrusion, an established threat actor targeting macOS. The workshop is broken into sections using both the attack lifecycle & Mitre ATT&CK knowledge base.

For each phase in the attack live cycle participants learn about one particular tactic, relevant macOS data sources, how to build a hunting plan, practice hunting, & how the red team emulated the tactic using open source intelligence.

This workshop is a resource on how to threat hunt, emulate, & use open source threat intelligence on a specific threat actor.


The Hunt for Red Apples workshop guides participants through emulation walkthroughs, hunting playbooks, and hunting exercises around an Ocean Lotus intrusion, an established threat actor targeting macOS. The workshop is broken into sections using both the attack lifecycle and Mitre ATT&CK knowledge base. For each phase in the attack live cycle participants learn about one particular tactic, relevant macOS data sources, how to build a hunting plan, practice hunting, and how the red team emulated the tactic using open source intelligence.

The objective of this workshop is to provide a balanced approach that showcases both hunting and adversary actions. This workshop is a resource on how to threat hunt, emulate, and use open source threat intelligence on a specific threat actor.

The Hunt for Red Apples workshop is broken into two four hour sessions over two days. As a bonus, we are releasing a second data set for a different scenario on day two for more advanced hunters with no playbooks or walkthroughs. Participants will get to test their macOS Threat Hunting skills! And it's all FREE!

Plug started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually lead him to his first LA2600 meeting in 1998. From that point forward, he has been involved in computer security. Plug currently leads the Threat Hunting Program for a Fortune 20 organization. In his free time he enjoys building Legos, playing with synthesizers, and when possible, he volunteers his time to computer security events.

This speaker also appears in:

Ben (@CptOfEvilMinion) is not new to creating workshops as this is his second time creating a DEFCON workshop, yet he has never actually been to DEFCON in person! Ben crafted his whimsical presenting style from being President of RIT’s security club previously known as RC3.

During the day Ben fights off cyber criminals as a DART engineer at Dropbox.com. At night Ben is the author of his blog HoldMyBeerSecurity.com where he discusses topics in security that interest him such as incident response, threat hunting, Osquery, and DevSecOps.

This speaker also appears in:

Tilottama Sanyal (wildphish) has a degree in Information technology from India and has almost 8 years of combined experience across DevOps and Cybersecurity. She holds certifications like the GCIH and currently works as an Incident Response Team member at Verizon Media (previously Yahoo!). Her areas of expertise include risk assessments, vulnerability analysis, and incident response. Her current interests include threat hunting and this is her first-ever workshop.

This speaker also appears in:

A core member of the National CCDC red team and a director for the Global CPTC. Recently wrote a book on deception applied to infosec and attack-defense competitions: https://ahhh.github.io/Cybersecurity-Tradecraft/

This speaker also appears in: