This is a quick follow-up to my previous blog where I discussed how I found the bug behind CVE-2021-30657 (link to previous blog, which also contains a link to Patrick Wardle’s deep dive into the bug itself: https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508). In this blog post I will share another very basic method that abuses this bug on unpatched versions of macOS (i.e., Big Sur releases prior to 11.3, and Catalina 10.15.7 without Security Update 2021-002). Apple’s fix DOES prevent this method from working on patched versions of macOS. The Apple Security Advisory for macOS 11.3 can be found at: https://support.apple.com/en-us/HT212325.


This post will briefly discuss how a bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper. This payload can be used in phishing, and all the victim has to do is double-click to open the .dmg and then double-click the fake app inside the .dmg; no pop-ups or warnings from macOS are generated. Therefore, if you are reading this, please update to Big Sur 11.3 or Catalina Security Update 2021-002…


I currently work as an offensive security engineer in the tech industry and have been in security now for 17 years (I cannot believe it has been this long!). However, I have worked in various capacities across different security functions throughout my security career. I have learned that there is no “right path” into security and that each person’s journey provides a unique perspective on things. In this post, I will highlight my journey and things I have learned along the way.

Chapter 1

The first 5 years of my career.

I began my professional experience as an IT Auditor…


Internal red teams are responsible for many different areas, ranging from tool development to operations planning and execution to infrastructure standup and maintenance, and everything in between. As an internal red teamer, I believe there are opportunities for automation that will allow teams to operate more efficiently by handling some of the routine and repetitive tasks. I do not believe that red team functions as a whole can be automated; there are too many factors that require human intervention, insight and experience. This article will instead look at some practical examples of how red teams can automate infrastructure standup.

Infrastructure Needs


In this blog post, I will skip over talking about what red teaming is and instead discuss some common approaches to red teaming often used by internal corporate red teams. I will briefly mention some of the approaches and discuss some considerations for each, and hopefully this will help internal red teams as they figure out and plan how they want to approach red teaming. Also of note: red teams often perform other tasks that are not listed in this blog; this blog just highlights different approaches specifically around red team operations.

Approach 1: A Long Running Operation

In this approach, an internal red team will…


I recently started a side project looking at what python-based post-exploitation making Objective-C calls looks like on modern macOS systems (Catalina and Big Sur). Christopher Ross spearheaded python-based post-exploitation on macOS years ago with his EmPyre project. However, a lot has changed on macOS since then, so this became a fun side project for me. Apple has stated plans to remove scripting runtimes from base OS installs; however, python 2 in particular still continues to hang around. In fact, the initial release of Big Sur includes python 2 in its base OS installs (yes you read…


Despite being quite antiquated, MS Office macros continue to be used by red teams (and attackers) because they are easy to craft and they still work (and on the macOS side of the house, they often go undetected unless defenders build custom detection content). I have written MS Office macros for a couple of different macOS C2 tools in the past, and in both I used python as the means of running the C2 payload.

With the macOS landscape starting to shift away from python-based offensive tooling, I thought I would take a…


This post aims to discuss some decent purple team exercise inputs based on common red team techniques and attack paths, along with defensive considerations in modern tech environments. This post is not all-encompassing, but it looks at some of the most likely attack paths along with some things blue teams can do to posture for them (this may take the form of proactive purple team exercise scenarios, hunting, tabletop exercises, etc.). …


In this blog post I will walk through using a neat Swift package that imports local python libraries into Swift so that you can run python commands directly inside of Swift (without running the python binary). Note: this method does require that the python libraries already be installed on the host. Also, while the methods tested may get around some python parent-child relationship detections, my tests below leveraged command-line utilities, which are easily traceable. As of the time of this post, new macOS installs include both python2 and python3 (though python2 has been sunset). Apple has noted plans to…
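The two previews above describe complementary tradecraft: an Office macro that launches its C2 payload through python (a shell or interpreter child of Word/Excel), and a Swift binary that embeds python in-process so that no python child ever appears, yet still execs command-line utilities that are easy to trace. The following detection logic is an added example written for this page, not code from the original posts; it walks a constructed process tree (not real telemetry) and flags both patterns. The event fields, the rule names, and the binary name "swiftpy" are assumptions for illustration.

```python
"""
Parent-child process detection for two macOS tradecraft patterns:
  (1) an Office macro stager that runs its payload through python or a shell, and
  (2) a native binary that embeds python in-process (no python child process),
      but still shells out to command-line utilities for host recon.
Added example for this page; the event format and names below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Office parents that should never spawn an interpreter or shell
OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint", "Microsoft Outlook"}
# Script runtimes and shells commonly used as macro stagers on macOS
SCRIPT_RUNTIMES = {"python", "python2", "python2.7", "python3", "osascript", "sh", "bash", "zsh", "curl"}
# Utilities a post-exploitation agent typically runs for host recon
RECON_UTILS = {"whoami", "id", "sw_vers", "uname", "hostname", "ifconfig", "dscl", "ps", "system_profiler"}
# Parents from which those utilities are expected (terminals, interactive shells, remote login)
EXPECTED_RECON_PARENTS = {"Terminal", "iTerm2", "login", "sshd", "sh", "bash", "zsh", "launchd"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str      # process name as reported by the sensor (assumed field)
    cmdline: str


Alert = Tuple[str, int, str]   # (rule name, pid, detail)


def ancestors(ev: ProcEvent, table: Dict[int, ProcEvent], max_depth: int = 4) -> List[ProcEvent]:
    """Walk up the parent chain, nearest parent first, stopping at max_depth or an unknown ppid."""
    chain: List[ProcEvent] = []
    cur = ev
    while len(chain) < max_depth:
        parent = table.get(cur.ppid)
        if parent is None or parent.pid == cur.pid:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Return alerts for Office-descended script runtimes and recon utilities with odd parents."""
    table = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        # Rule 1: interpreter/shell with an Office app anywhere in its ancestry.
        # Walking several levels catches "Word -> sh -> python", which a direct
        # parent == Word check would miss for the python process itself.
        if ev.name in SCRIPT_RUNTIMES:
            for depth, anc in enumerate(ancestors(ev, table), start=1):
                if anc.name in OFFICE_APPS:
                    alerts.append(("office_script_descendant", ev.pid,
                                   f"{anc.name} -> ... -> {ev.name} (depth {depth}): {ev.cmdline}"))
                    break
        # Rule 2: recon utility launched by something other than a shell/terminal.
        # An in-process runtime never produces a python child, so key on what the
        # custom binary execs instead of on the interpreter.
        parent = table.get(ev.ppid)
        if ev.name in RECON_UTILS and parent is not None and parent.name not in EXPECTED_RECON_PARENTS:
            alerts.append(("recon_from_unexpected_parent", ev.pid,
                           f"{parent.name} ({parent.cmdline}) -> {ev.cmdline}"))
    return alerts


# Constructed sample process tree (not real telemetry)
SAMPLE_EVENTS = [
    ProcEvent(1,   0,   "launchd",        "/sbin/launchd"),
    ProcEvent(200, 1,   "Microsoft Word", "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"),
    ProcEvent(201, 200, "sh",             "/bin/sh -c python -c 'import sys; print(sys.version)'"),
    ProcEvent(202, 201, "python",         "python -c import sys; print(sys.version)"),
    ProcEvent(300, 1,   "Terminal",       "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(301, 300, "zsh",            "-zsh"),
    ProcEvent(302, 301, "whoami",         "whoami"),            # benign: a user at a terminal
    ProcEvent(400, 1,   "swiftpy",        "/Users/jdoe/Downloads/swiftpy"),  # assumed Swift binary embedding python
    ProcEvent(401, 400, "sw_vers",        "sw_vers -productVersion"),
    ProcEvent(402, 400, "whoami",         "whoami"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Run against the sample tree, the first rule fires twice (the shell at depth 1 and the python process at depth 2 under Word), and the second rule fires for both utilities spawned by the custom binary while leaving the terminal-launched `whoami` alone. In production the parent allow-list should be tuned per fleet, and rule 2 gains a lot from adding code-signing status of the parent as a second signal.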


What is IdaaS?

In a nutshell, Identity as a Service providers are cloud-based services that organizations leverage to give employees a means of remotely accessing organizational resources such as email, chat, file storage, etc. Oftentimes an organization will link the IdaaS service to an internally managed authentication system (such as Active Directory or a custom LDAP solution) so that employees log in with the same set of credentials used in their corporate environment at work. Usually an employee will access the IdaaS solution remotely over HTTPS, enter his/her corporate username and password, use their…

Cedric Owens

Red teamer with blue team roots🤓👨🏽‍💻 Twitter: @cedowens
