Cedric Owens (@cedowens) 's Twitter Profile
Cedric Owens

@cedowens

Proud Husband to @sgowens0716 and Father | Offensive Security Engineer | github.com/cedowens

ID: 1375674354

Link: https://cedowens.medium.com | 23-04-2013 23:21:34

1,1K Tweets

2,2K Followers

663 Following

Cedric Owens (@cedowens) 's Twitter Profile Photo

Neat tool release today on our team! 🙌🏽 Check this out especially if you’re running purple team engagements in your environment

Wojciech Reguła (@_r3ggi) 's Twitter Profile Photo

Tomorrow at 9:00 am, I'll have my first DEF CON talk. Join me and see how Electron apps installed on Macs can be automatically exploited and abused to get the TCC-protected resources. #Defcon #macos #security

Cedric Owens (@cedowens) 's Twitter Profile Photo

Great seeing old friends and making new friends in Vegas this week at #BlackHat and #BsidesLV! Also the retro 80s/90s theme of the Microsoft MSRC event was beyond dope!!!! Until next time! ✌🏽

Jayson Grace (@jayson_grace) 's Twitter Profile Photo

If you missed the BSidesLV talk AdamTheAnalyst and I gave on TTPForge last week, you're in luck! It's already on youtube, enjoy: youtu.be/H9YqJ1Ry1l8?t=…

Cedric Owens (@cedowens) 's Twitter Profile Photo

Happy Monday!✌🏽 I added some macOS TTPs to our team’s public ForgeArmory repo (ForgeArmory is the TTP repo for our ttpforge tool). These TTPs span various macOS techniques and include some TTPs from the LOOBins project! Link: github.com/facebookincuba…

Vlad Ionescu (@ucsenoi) 's Twitter Profile Photo

During an Azeria training, Tom found stack smashing protection was broken for GCC AArch64 under a certain (not uncommon) condition. GCC + Arm have fixed it, but lots of exploitable overflows will remain compiled in the wild. Sometimes it is the compiler! rtx.meta.security/mitigation/202…

Adam Chester 🏴‍☠️ (@_xpn_) 's Twitter Profile Photo

My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton keys, and even how to deploy a janky SAML IdP server to auth as any user for good measure. trustedsec.com/blog/okta-for-…

Csaba Fitzl (@theevilbit) 's Twitter Profile Photo

🎉🥁 The wait is over. Please welcome "Dock Tile Plugins" to the persistence club. My new favorite. 🤩 In the blog:
🍎 background and details
🍎 how to create and use
🍎 how to detect
🍎 sample code and binary
theevilbit.github.io/beyond/beyond_…

Csaba Fitzl (@theevilbit) 's Twitter Profile Photo

I put all my slides, whitepapers, workbooks, etc... for all of my past workshops and talks on my blog and added links for recordings where available. Now it's all available in a single space. theevilbit.github.io/talks/

Clint Gibler (@clintgibler) 's Twitter Profile Photo

💺 SwiftBelt
A macOS enumeration tool
Stealthy: uses Swift instead of CLI tools, avoids pop-ups
Checks:
* Full disk access
* Presence of security tools
* Searches for SSH and cloud creds
* Browser history
* Slack cookies
+ more
By Cedric Owens #redteam github.com/cedowens/Swift…

Brandon Dalton (@partyd0lphin) 's Twitter Profile Photo

Dropping a quick blog post with a few videos walking through a review of how Gatekeeper looks up Notarization tickets! Calling the endpoint yourself is super quick. swiftly-detecting.notion.site/How-does-Gatek…

SpecterOps (@specterops) 's Twitter Profile Photo

Mythic just got an update! ✨ Check out Cody Thomas's latest blog post for a rundown of the updates made in Mythic v3.2, including: ✅ Push C2 ✅ Interactive Async Tasking ✅ Dynamic File Browser Read more! ghst.ly/46zRFsg

L0Psec (@l0psec) 's Twitter Profile Photo

The recent macOS malware which leverages python and ObjC has some pretty cool functionality. How it creates the path for the .py script for killing the NotificationCenter is a fun one so let's dive in: 🧵

Wojciech Reguła (@_r3ggi) 's Twitter Profile Photo

🔊 New blog post about impersonating TCC permissions via Electron apps on macOS Sonoma wojciechregula.blog/post/electroni…

Csaba Fitzl (@theevilbit) 's Twitter Profile Photo

🆕🍎My new blogpost Kandji about how Apple attempts to mitigate some installer script vulnerabilities using "Install Script Actions" and "Install Script Mutations" in the PackageKit framework. blog.kandji.io/apple-mitigate…

Jonathan Bar Or (JBO) 🇮🇱🇺🇸🇺🇦🎗️ (@yo_yo_yo_jbo) 's Twitter Profile Photo

What have I been doing recently? Working on a 100% automated attack simulation framework for Microsoft Defender 🛡️ called M0rphy (named after Paul Morphy the chess genius) that supports both Linux, macOS and Windows, as well as accidentally finding some vulns while doing so!

L0Psec (@l0psec) 's Twitter Profile Photo

Alright here’s a new blog post for a new macOS malware by Adam Kohler and I! This was a fun one to reverse: stripped, encoded strings, persistence, and more :) Enjoy!! blog.kandji.io/malware-cuckoo…