hcpadkins

#!/bin/bash
#
# NOTE: This script enables the JupterLab Extension Manager and installs extensions.
#       There are code-execution risks with this, so make sure you only use trusted
#       extensions and you're comfortable with these extensions before running!
#
# This script wrappers the JupterLab Docker container. It defines a few Docker volume
# mounts to ensure that JupyterLab configuration and notebooks are persisted between
# restarts.
#

rookuu

#!/bin/sh

show_help()
{
   echo "Command line helper to generate pkg files that execute commands."
   echo "Author: @rookuu"
   echo
   echo "Syntax: gen.sh -i com.malicious.pkg -o installme.pkg [-s 'My Signing Identity'] command"
   echo "options:"
   echo "-h     Print this Help."

0xmachos

• Sarah Edwards (@iamevltwin)

  • mac4n6.com
  • SANS FOR518: Mac and iOS Forensic Analysis and Incident Response
  • Apple Pattern of Life Lazy Output'er

• Unified Log

  • Howard Oakley @howardnoakley
    • Unified log: 1 why, what and how
    • Unified log: 2 content and extraction

• Unified log: 3 finding your way

sroberts

Slides

Homemade Ramen & Threat Intel

A recipe for both

• Scott J Roberts
  • Instructor: SANS FOR578 Cyber Threat Intelligence
  • Author: Intelligence Driven Incident Response
• Metaphor Warning!!!

johnkhbaek

/*
================================================================================
modified from this: https://github.com/its-a-feature/macos_execute_from_memory (supports only bundle)
code injection : https://github.com/CylanceVulnResearch/osx_runbin by Stephanie Archibald (does not support m1 x64 emulation and FAT header)

added FAT header (universal Macho) parsing

script-kiddied, debugged, etc. by @exploitpreacher
================================================================================
*/

theevilbit

marcan

/*
 * m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
 * 
 * This program implements a covert channel that can be used to transmit data
 * between two processes when run on the Apple Silicon "M1" CPUs.
 *
 * The channel is slightly lossy due to (presumably) the scheduler sometimes
 * scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
 * together with some metadata/framing bits, which is usually good enough.
 * A better approach would be to use proper FEC or something like that.

theevilbit

StreamLabs OBS macOS TCC bypass

The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.

We can see the wrong permissions with running the codesign utility:

csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)

daddycocoaman

##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################


import argparse
import enum

trib0r3

md2hugo

These scripts help to convert Markdown notes into the hugo compatibile sites. I created these scripts for converting my notes (format below) into hugo-theme-learn pages.

Requirements

• hugo installed
• empty hugo site with optional hugo-theme-learn theme
• markdown notes in format: