Posts List

ELECTRONizing macOS privacy

Publications This research has been presented at: DEF CON 31 - ELECTRONizing macOS privacy Objective By the Sea - ELECTRONizing macOS Privacy - a New Weapon in Your Red Teaming Armory The backstory In 2019 I wrote a blog post about injecting code to Electron apps to impersonate their TCC permissions. The trick was really simple because at that time the only thing an attacker had to do was to modify one of the Electron app’s HTML files or the whole ASAR.

macOS Red Teaming: Apple Dev-ID signed Java environment

macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements The trick There were a lot of different code execution & persistence methods on macOS, also those that include delivering your own interpreters/environments like Java. Recently, I found out that Apple’s Transporter app contains a working Java environment. So if you need Java binary signed directly with the Apple Dev-ID certificate go and grab it!

macOS Red Teaming: Initial access via AppleScript URL

macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick This post is about a funny trick that may help you in achieving initial access on a macOS machine. It requires performing advanced phishing but the code execution with built-in TCC bypass is extremely powerful. Let’s go to the point. The Script Editor (/System/Applications/Utilities/Script Editor.

macOS Red Teaming: Bypass TCC with old apps

macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick This post shows how to bypass the macOS privacy framework (TCC) using old app versions. During red teaming engagements sometimes you need access to the Camera/Microphone or files stored on the user’s Desktop. It turns out that on macOS you cannot do this without special permissions that are handled by the TCC framework.

macOS Red Teaming: Get Active Directory credentials from NoMAD

macOS Red Teaming Tricks series This is the first post of the new #macOSRedTeamingTricks series. The idea is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick This post shows how to get AD data, including a user’s login and password from a macOS machine with configured NoMAD. NoMAD helps Mac users bound with AD domains, and from my experience, it is widely used software, particularly in legacy Windows environments.