Cedric Owens
May 25, 2022

Taking ESF For A(nother) Spin

More than 2 years before this blog post, I wrote my initial blog post, where I started becoming familiar with Apple’s Endpoint Security Framework (ESF) on macOS and looked at what different macOS post-exploitation activities look like through the lens of ESF (link: https://medium.com/red-teaming-with-a-blue-team-mentality/taking-the-macos-endpoint-security-framework-for-a-quick-spin-802a462dba06).

Threat Hunting

8 min read

Feb 26, 2022

Give Me Some (macOS) Context…

This blog post will dive into what I like to call “execution contexts” on macOS and why it is important to understand these different contexts from a red team perspective when operating on macOS endpoints. …

Macos

6 min read

Feb 19, 2022

Querying Spotlight APIs With JXA

TL;DR This blog post takes a brief look at how to use JXA (native JavaScript for Automation on macOS) to query Spotlight APIs. In particular, this post will be looking at how to run mdfind searches in JXA without invoking the on-disk mdfind binary. Why? I enjoy writing scripts/utilities for…

Red Team

5 min read

Oct 30, 2021

“Spotlighting” Your TCC Access Permissions

Note: This is not a TCC bypass. Instead, this is a technique for checking TCC access permissions. As an offensive security engineer, one of the things I aim to avoid is quickly burning initial access on a host. On macOS hosts, one of the ways to do this is to…

Red Team

6 min read

Aug 3, 2021

“HELK’ing” Your macOS Red Team Tools For Detections

This post builds on content from 4n7m4n’s prior blog post “Acting Red — Seeing Blue” (link). Specifically, I automated HELK server standup using terraform to stand up your HELK server in Digital Ocean with the appropriate specs as well as with firewall rules to protect access to your HELK server…

Red Team

5 min read

Jul 16, 2021

Working Around macOS Privacy Controls in Red Team Ops

This blog post will take a look at some simple basics around what macOS privacy controls (Transparency, Consent, and Control, a.k.a. TCC) are and how red team operations on macOS hosts can still be effective despite these controls. This blog post will not cover any TCC bypasses but will instead…

Red Team

5 min read

Jul 11, 2021

Interesting macOS Chrome Browser Files

This blog will take a quick look at Chrome files on macOS that are not protected by TCC and do not require root access to read from. As these files are not protected by TCC, any non-sandboxed macOS payload will be able to access these files without needing TCC permissions. …

Red Team

4 min read

May 22, 2021

macOS MS Office Sandbox Brain Dump

This blog will take a look at some observations regarding what is still possible from the MS Office Sandbox on macOS. This is a combination of insight from others as well as some tests that I have attempted. …

Red Team

4 min read

May 3, 2021

CVE-2021-30657 Revisited

This is a quick follow-up to my previous blog where I discussed how I found the bug behind CVE-2021-30657 (link to previous blog, which also contains a link to Patrick Wardle’s deep dive into the bug itself: https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508). In this blog post I will share another very basic method that…

Macos

2 min read

Apr 26, 2021

macOS Gatekeeper Bypass (2021 Edition)

This post will briefly discuss how a bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before Big Sur 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper. This payload can be used in…

Macos

9 min read


Red teamer with blue team roots🤓👨🏽‍💻 Twitter: @cedowens
