- United States
- sourcesmethods.com
- @mattreduce.com
macos
Swift code to programmatically perform dylib injection
JXA and swift code that can perform some macOS situational awareness without generating TCC prompts.
Scripts (python3 and Swift) for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks f…
JXA implementation of some SwiftBelt functions. Author: Cedric Owens
Spins up a docker container with several useful tools for offensive security in macOS/cloud environments. Also installs the needed dependencies for each tool/utility during docker setup.
JXA Scripts for extracting data from Firefox
A macOS enumeration tool inspired by harmjoy's Windows-based Seatbelt enumeration tool. Author: Cedric Owens
A JXA script that leverages sqlite3 API calls to add items to the user's TCC database at: ~/Library/Application Support/com.apple.TCC/TCC.db
Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.
Swift code to programmatically execute local or hosted JXA payloads from Terminal without using the on-disk osascript binary.
A Swift port of some of the original PersistentJXA projects by D00MFist. Original PersistentJXA repo: https://github.com/D00MFist/PersistentJXA
Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens
A wrapper around the on-disk jamf binary (for JAMF-managed macOS hosts). Useful for unit testing detections of offensive jamf host-based commands.
JXA script based on research by Jeff Johnson on leveraging TextEdit to remove quarantine attributes on files. Jeff's original research is here: https://lapcatsoftware.com/articles/sandbox-escape.html
Proof-of-concept macOS post-exploitation tool written in Swift. Designed as a POC for blue teams to build macOS detections. Author: Cedric Owens
Swift code to parse the quarantine history database, Chrome history database, Safari history database, and Firefox history database on macOS.
A Swift (and slightly modified) version of Thomas Reed's PICT (Post Infection Collection Toolkit).
Developer machine management for Linux/OSX. Think Terraform/Ansible for your dotfiles/packages!
This is a malware analyzer for Mac OS X that extends the Cuckoo Sandbox project (https://cuckoosandbox.org/)
Container runtimes on macOS (and Linux) with minimal setup
macOS command line tool to return the available disk space on APFS volumes
Python module intended to assist IT administrators with manipulation of the macOS Dock.
A command-line tool and Xcode Extension for formatting Swift code