Ryan Dowd (@_rdowd)'s Twitter Profile
Ryan Dowd

@_rdowd

Principal @HuntressLabs | Former Detection & Response Principal @CrowdStrike | macOS Security Enthusiast

ID: 1790694641589010432

Joined: 15-05-2024 10:44:43

77 Tweets

191 Followers

64 Following

Jaron Bradley (@jbradley89)

I’m working on a new book

Thank you to all those who told me my first book has helped them in the macOS world in some way 

This book focuses on the internals necessary to build detections and perform analysis of intrusions on macOS

Any shares to help measure interest helps!

Csaba Fitzl (@theevilbit)

🍎🪳Second part of the diskarbitrationd - storagekitd vulnerability blog series is out on Kandji 's blog. These vulnerabilities were presented at Black Hat #BHEU2024 and POC_Crew 👨‍👩‍👦‍👦 #POC2024 conferences. kandji.io/blog/macos-aud…

Ryan Dowd (@_rdowd)

I have no idea why these have to be independent toggles and it was driving me insane troubleshooting Safari and blaming lag on my Pi-hole.

IP tracking managed through iCloud settings, specific Safari settings as well as WiFi settings.

Patrick Wardle (@patrickwardle)

A side effect of 🍎's privacy mindset: in-memory payloads remain largely invisible/inaccessible to macOS security/3rd-party tools Apple nuked their reflective code loading APIs - but was that enough? 🫣 From #OBTS v7: "Restoring Reflective Code Loading" objective-see.org/blog/blog_0x7C…

Ryan Dowd (@_rdowd)

Just handed in my resignation at CrowdStrike after almost 5 years. Privileged to work with such an amazing group of super smart and passionate individuals. Looking forward to the new year and new opportunities.

Ryan Dowd (@_rdowd)

Was diffing executable entitlements overnight through some recent releases and noticed something I'd missed earlier... Anyway, first TCC bypass of the new year has come a little later than I'd have liked, but I'll take it 😆

Ryan Dowd (@_rdowd)

Trust me: watch previous OBTS presentations on YouTube with a Terminal window open. You will find bugs! And any paid bounty would more than cover your attendance at future OBTS conferences. It really can pay for itself!

Ferdous Saljooki (@malwarezoo)

If you’re hunting for macOS stealers, this VirusTotal query yields good results:

type:script filename:"/Volumes/" filename:".file" behavior_command_executions:base64

Ryan Dowd (@_rdowd)

This post by Csaba Fitzl has inspired many subsequent successful TCC bypasses, including one I managed to obtain overnight on 15.5 beta 1. Worth giving it a read, a re-read, a re-re-read, etc. kandji.io/blog/malware-b…

Ryan Dowd (@_rdowd)

I didn't have enough time to weaponise this beyond a simple dos but a neat example of bypassing TCC and SIP to nuke a user's files and brick a macOS device. Only managed unlink() unfortunately, and not full rootless ent's. Requires priv'd user to succeed.

Blacktop (@blacktop__)

NEW macOS 15.4 🥫🍝 sauce! 🎉 xnu: github.com/apple-oss-dist… dyld: github.com/apple-oss-dist… objc4: github.com/apple-oss-dist… Security: github.com/apple-oss-dist… Libc: github.com/apple-oss-dist… - this post was generated by `ipsw` 🤖

Ryan Dowd (@_rdowd)

I doubt that I was the first to find this quirky bug, however the impact of basically having tccd fail open was very easy to overlook. Remains unpatched in Ventura and Sonoma unfortunately.

L0Psec (@l0psec)

New RE Video: youtube.com/watch?v=2Bj3rz… Spent some time reversing a recent sample that uses a bit of obfuscation (made easier with a Binary Ninja script), sets up persistence, and uses curl APIs. This one is a little longer than usual but fun since I go through most of the sample.

Patrick Wardle (@patrickwardle)

🎙️😍 Was stoked to talk nerdy on the Mac Admins Podcast! If you're interested in macOS malware, Apple security & detection, and much more, have a listen: linkedin.com/feed/update/ur…

Ryan Dowd (@_rdowd)

macOS 26 (beta) Endpoint Security enhancements:

- es_process_t adds es_cs_validation_category_t indicating code signature policy;
- iokit_open adds parent_path & parent_registry_id; and
- xp_malware_detected gains detected_executable for accurate binary path (e.g. in app bundles).

Ryan Dowd (@_rdowd)

Yes yes, I know macOS 26 is in beta, but it just tickles me that the quirky Setup Assistant UI bugs that were squashed in Sequoia are back!

_mbsetupuser TCC enforcement is non-standard. Coupled with an LPE this would be a cheeky way to mess with new hardware, as it was pre 15.3.