Cedric Owens | What To Expect When You’re “Expecting” — Purple Team Edition | This blog post describes how “expect” routines can be used to help make Purple Team exercises more efficient and repeatable. In particular… | Aug 4, 2023
Cedric Owens | Taking ESF For A(nother) Spin | 2+ years ago from the date of this blog post I wrote my initial blog post where I started becoming familiar with Apple’s Endpoint Security… | May 25, 2022
Cedric Owens | Give Me Some (macOS) Context… | This blog post will dive into what I like to call “execution contexts” on macOS and why it is important to understand these different… | Feb 26, 2022
Cedric Owens | Querying Spotlight APIs With JXA | TL;DR This blog post takes a brief look at how to use JXA (native JavaScript for Automation on macOS) to query Spotlight APIs. In… | Feb 19, 2022
Cedric Owens | “Spotlighting” Your TCC Access Permissions | Note: This is not a TCC Bypass. Instead this is a technique for checking TCC access permissions | Oct 30, 2021
Cedric Owens | “HELK’ing” Your macOS Red Team Tools For Detections | This post builds on content from 4n7m4n’s prior blog post “Acting Red — Seeing Blue” (link). Specifically, I automated HELK server standup… | Aug 3, 2021
Cedric Owens | Working Around macOS Privacy Controls in Red Team Ops | This blog post will take a look at some simple basics around what macOS privacy controls (Transparency, Consent, and Control a.k.a. TCC)… | Jul 16, 2021
Cedric Owens | Interesting macOS Chrome Browser Files | This blog will take a quick look at Chrome files on macOS that are not protected by TCC and do not require root access to read from. As… | Jul 11, 2021
Cedric Owens | macOS MS Office Sandbox Brain Dump | This blog will take a look at some observations regarding what is still possible from the MS Office Sandbox on macOS. This is a combination… | May 22, 2021
Cedric Owens | CVE-2021-30657 Revisited | This is a quick follow-up to my previous blog where I discussed how I found the bug behind CVE-2021-30657 (link to previous blog, which… | May 3, 2021