MacOS Filename Homoglyphs Revisited

Last year I posted a few tricks to help when targeting MacOS users, and included a technique useful for spoofing file extensions with the aim of taking advantage of Finder's removal of the .app extension from certain filenames. A few weeks ago I was about to use this on an engagement and found that Apple had patched the tricks presented previously. While this was frustrating for me as an attacker, it did provide an opportunity to dig into the fix, understand just how filenames are now being sanitised by MacOS Catalina, and see if I could bypass this again. But before we start loading our disa…

Read more »

Bypassing MacOS Privacy Controls

Posted on

Encountering Apple devices during RedTeam engagements is becoming increasingly common, so it's useful to have a few techniques available when navigating around whatever privacy or security changes are introduced with each version of MacOS. When MacOS Mojave rolled out at the end of 2018, a set of privacy restrictions were introduced to alert a user when an application requested access to sensitive data, such as the camera, microphone, address book, calendar etc.. And as (more often than not) one of the key goals of an RedTeam engagement is to meet objectives without detection, we must be will…

Read more »

Analysing RPC With Ghidra and Neo4j

Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below the surface. And often the payoff far outweighs the time to discovery, with SOC or EDR vendors focusing on the more common published techniques, identifying a new way to introduce code execution on a host can throw a spanner in the works of the investigating team. In previous posts I've tried to look at different ways to mix up common att…

Read more »