awesome-awesomeness/html/osxsecurity.html
2025-07-18 23:13:11 +02:00
<p>osx-security-awesome <a
href="https://github.com/sindresorhus/awesome"><img
src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg"
alt="Awesome" /></a><a
href="https://travis-ci.org/kai5263499/osx-security-awesome"><img
src="https://api.travis-ci.org/kai5263499/osx-security-awesome.svg?branch=master"
alt="Travis" /></a></p>
<hr />
<p>A collection of OSX/iOS security related resources</p>
<ul>
<li><p><a href="#news"><strong>News</strong></a></p></li>
<li><p><a href="#hardening"><strong>Hardening</strong></a></p></li>
<li><p><a href="#malware-sample-sources"><strong>Malware sample
sources</strong></a></p></li>
<li><p><a
href="#digital-forensics-incident-response-dfir"><strong>DFIR</strong></a></p></li>
<li><p><a href="#reverse-engineering"><strong>Reverse
engineering</strong></a></p></li>
<li><p><a href="#presentations-and-papers"><strong>Presentations and
Papers</strong></a></p></li>
<li><p><a href="#virus-and-exploit-writeups"><strong>Virus and exploit
writeups</strong></a></p></li>
<li><p><a href="#useful-tools-and-guides"><strong>Useful tools and
guides</strong></a></p></li>
<li><p><a href="#remote-access-toolkits"><strong>Remote Access
Toolkits</strong></a></p></li>
<li><p><a href="#worth-following-on-twitter"><strong>Worth following on
Twitter</strong></a></p></li>
</ul>
<hr />
<h2 id="news">News</h2>
<hr />
<h3 id="linking-a-microphone"><a
href="https://ubrigens.com/posts/linking_a_microphone.html">Linking a
microphone</a></h3>
<ul>
<li>The story of CVE-2018-4184, or how a vulnerability in OSX's Speech
system allowed apps with access to the microphone to escape sandbox
restrictions</li>
</ul>
<h3 id="ios-vulnerability-write-up"><a
href="https://github.com/writeups/iOS">iOS vulnerability
write-up</a></h3>
<ul>
<li>A repository of iOS vulnerability write-ups as they are
released</li>
<li>Also includes conference papers</li>
</ul>
<h3 id="ios-display-bugs"><a
href="https://docs.google.com/document/d/1TDCVavaqDJCFjcQxZsL6InzHxPEYWwMMMh9QtfRGjbY/edit">iOS
display bugs</a></h3>
<ul>
<li>Regularly updated list of iOS display bugs</li>
</ul>
<h3 id="mac-virus"><a href="https://macviruscom.wordpress.com">Mac
Virus</a></h3>
<ul>
<li>Frequently updated blog that provides a good summary of the latest
unique mac malware.</li>
</ul>
<h3 id="intego-mac-security-blog"><a
href="https://www.intego.com/mac-security-blog/">Intego Mac Security
Blog</a></h3>
<ul>
<li>Intego's corporate Mac security blog often contains recent and
in-depth analysis of Mac malware and other security issues</li>
</ul>
<h3 id="objective-see"><a
href="https://objective-see.com/blog.html">Objective-See</a></h3>
<ul>
<li>Objective-See's blog often contains in-depth breakdowns of malware
they've reverse engineered and vulnerabilities they've discovered.</li>
</ul>
<h3 id="the-safe-mac"><a href="https://www.thesafemac.com/">The Safe
Mac</a></h3>
<ul>
<li>Resource to help educate Mac users about security issues. Contains
historical as well as timely security updates.</li>
</ul>
<h3 id="mac-security"><a href="https://macsecurity.net/news">Mac
Security</a></h3>
<ul>
<li>Another Mac security blog. This often includes more in-depth
analysis of specific threats.</li>
</ul>
<h3 id="osx-daily"><a href="https://osxdaily.com/">OSX Daily</a></h3>
<ul>
<li>Not strictly security-specific but it contains jailbreaking
information which has security implications</li>
</ul>
<h2 id="hardening">Hardening</h2>
<h3 id="macops"><a
href="https://github.com/google/macops">macops</a></h3>
<ul>
<li>Utilities, tools, and scripts for managing and tracking a fleet of
Macintoshes in a corporate environment collected by Google</li>
</ul>
<h3 id="supraudit"><a
href="http://newosxbook.com/tools/supraudit.html">SUpraudit</a></h3>
<ul>
<li>System monitoring tool</li>
</ul>
<h3 id="efigy"><a
href="https://github.com/duo-labs/EFIgy">EFIgy</a></h3>
<ul>
<li>A RESTful API and client that helps Apple Mac users determine if
they are running the expected EFI firmware version given their Mac
hardware and OS build version</li>
</ul>
<h3 id="launchd"><a href="https://www.launchd.info/">Launchd</a></h3>
<ul>
<li>Everything you need to know about the launchd service</li>
</ul>
<h3 id="osx-startup-sequence"><a
href="http://osxbook.com/book/bonus/ancient/whatismacosx/arch_startup.html">OSX
startup sequence</a></h3>
<ul>
<li>Step-by-step guide to the startup process</li>
</ul>
<h3 id="google-osx-hardening"><a
href="https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet">Google
OSX hardening</a></h3>
<ul>
<li>Google's system hardening guide</li>
</ul>
<h3 id="run-any-command-in-a-sandbox"><a
href="https://www.davd.io/os-x-run-any-command-in-a-sandbox/">Run any
command in a sandbox</a></h3>
<ul>
<li>How-to for using OSX's sandbox system</li>
</ul>
<h3 id="sandblaster"><a
href="https://github.com/malus-security/sandblaster">Sandblaster</a></h3>
<ul>
<li>Reversing the Apple sandbox</li>
<li><a href="https://arxiv.org/pdf/1608.04303.pdf">Paper</a></li>
</ul>
<h3 id="osx-el-capitan-hardening-guide"><a
href="https://github.com/ernw/hardening/blob/master/operating_system/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md">OSX
El Capitan Hardening Guide</a></h3>
<ul>
<li>Hardening guide for El Capitan</li>
</ul>
<h3 id="hardening-hardware-and-choosing-a-good-bios"><a
href="https://media.ccc.de/v/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge">Hardening
hardware and choosing a good BIOS</a></h3>
<ul>
<li>Protecting your hardware from “evil maid” attacks</li>
</ul>
<h2 id="malware-sample-sources">Malware sample sources</h2>
<h3 id="objective-see-1"><a
href="https://objective-see.com/malware.html">Objective-See</a></h3>
<ul>
<li>Curated list of malware samples. Use this list if you're looking for
interesting samples to reverse engineer</li>
</ul>
<h3 id="alien-vault"><a
href="https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed">Alien
Vault</a></h3>
<h3 id="contagio-malware-dump"><a
href="http://contagiodump.blogspot.com/2013/11/osx-malware-and-exploit-collection-100.html">Contagio
malware dump</a></h3>
<h2 id="digital-forensics-incident-response-dfir">Digital Forensics /
Incident Response (DFIR)</h2>
<h3 id="apollo-tool">APOLLO tool</h3>
<ul>
<li>Python tool for advanced forensics analysis</li>
<li><a
href="https://github.com/mac4n6/Presentations/blob/master/LaunchingAPOLLO/LaunchingAPOLLO.pdf">Presentation
slides</a></li>
<li><a href="https://github.com/mac4n6/APOLLO">Source code</a></li>
</ul>
<h3 id="venator"><a
href="https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56">venator</a></h3>
<ul>
<li>Python tool for proactive detection of malware and trojans</li>
<li><a href="https://github.com/richiercyrus/Venator">Source</a></li>
</ul>
<h3 id="lynis"><a href="https://github.com/CISOfy/lynis/">lynis</a></h3>
<ul>
<li>Security auditing tool for UNIX-based systems, including macOS</li>
</ul>
<h3 id="automactc"><a
href="https://github.com/CrowdStrike/automactc">AutoMacTC</a></h3>
<ul>
<li><a
href="https://www.crowdstrike.com/blog/automating-mac-forensic-triage/">Modular
forensic triage collection framework</a> from CrowdStrike</li>
</ul>
<h3 id="legacy-exec-history"><a
href="https://github.com/knightsc/system_policy">Legacy Exec
History</a></h3>
<ul>
<li>OSQuery module to give you a report of 32-bit processes running on a
10.14 machine</li>
</ul>
<h3 id="using-the-macosios-knowledgec.db-database-to-determine-precise-user-and-application-usage"><a
href="https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage">Using
the macOS/iOS knowledgeC.db Database to Determine Precise User and
Application Usage</a></h3>
<h3 id="artefacts-for-mac-osx"><a
href="http://sud0man.blogspot.com/2015/05/artefacts-for-mac-os-x.html?m=1">Artefacts
for Mac OSX</a></h3>
<ul>
<li>Locations of sensitive files</li>
</ul>
<h3 id="pac4mac"><a
href="https://github.com/sud0man/pac4mac">Pac4Mac</a></h3>
<ul>
<li>Forensics framework</li>
</ul>
<h3 id="inception"><a
href="https://github.com/carmaa/inception">Inception</a></h3>
<ul>
<li>Physical memory manipulation</li>
</ul>
<h3 id="volafox"><a
href="https://github.com/n0fate/volafox">Volafox</a></h3>
<ul>
<li>Memory analysis toolkit</li>
</ul>
<h3 id="mac4n6"><a
href="https://github.com/pstirparo/mac4n6">Mac4n6</a></h3>
<ul>
<li>Collection of OSX and iOS artifacts</li>
</ul>
<h3 id="keychain-analysis-with-mac-osx-forensics"><a
href="https://repo.zenk-security.com/Forensic/Keychain%20Analysis%20with%20Mac%20OS%20X%20Memory%20Forensics.pdf">Keychain
analysis with Mac OSX Forensics</a></h3>
<h3 id="osx-collector"><a
href="https://github.com/Yelp/osxcollector">OSX Collector</a></h3>
<ul>
<li>Forensics utility developed by Yelp</li>
</ul>
<h3 id="osx-incident-response"><a
href="https://www.youtube.com/watch?v=gNJ10Kt4I9E">OSX incident
response</a></h3>
<ul>
<li>OSX incident response at GitHub <a
href="https://speakerdeck.com/sroberts/hipster-dfir-on-osx-bsidescincy">Slides</a></li>
</ul>
<h3 id="ios-instrumentation-without-jailbreaking"><a
href="https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/">iOS
Instrumentation without jailbreaking</a></h3>
<ul>
<li>How to debug an iOS application that you didn't create</li>
</ul>
<h3 id="certo"><a href="https://www.certosoftware.com/">Certo</a></h3>
<ul>
<li>Paid service for analyzing the iTunes backup of your iOS device</li>
</ul>
<h3 id="blackbag-tech-free-tools"><a
href="https://www.blackbagtech.com/resources/free-tools/">Blackbag
Tech free tools</a></h3>
<h3 id="osx-mac-memory-acquisition-and-analysis-using-osxpmem-and-volatility"><a
href="https://ponderthebits.com/2017/02/osx-mac-memory-acquisition-and-analysis-using-osxpmem-and-volatility/">OSX
(Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility</a></h3>
<h3 id="mac-apt"><a href="https://github.com/ydkhatri/mac_apt">mac-apt</a></h3>
<ul>
<li>Mac Artifact Parsing Tool for processing full disk images and
extracting useful information</li>
<li>The author also has a collection of <a
href="https://github.com/ydkhatri/MacForensics">DFIR scripts</a></li>
</ul>
<h2 id="reverse-engineering">Reverse engineering</h2>
<h3 id="new-os-x-book"><a href="http://www.newosxbook.com/">New OS X
Book</a></h3>
<ul>
<li>Frequently updated book on OSX internals</li>
</ul>
<h3 id="collection-of-osx-reverse-engineering-resources"><a
href="https://github.com/michalmalik/osx-re-101">Collection of OSX
reverse engineering resources</a></h3>
<ul>
<li>Another Awesome-style list dedicated to OSX reverse engineering
resources</li>
</ul>
<h3 id="the-iphone-wiki"><a href="https://www.theiphonewiki.com/wiki/Main_Page">The
iPhone Wiki</a></h3>
<h3 id="reverse-engineering-osx"><a href="https://reverse.put.as/">Reverse
engineering OSX</a></h3>
<h3 id="osx-crackmes"><a href="https://reverse.put.as/crackmes/">OSX
crackmes</a></h3>
<ul>
<li>A collection of puzzles to test your reverse engineering skills</li>
</ul>
<h3 id="introduction-to-reverse-engineering-cocoa-applications"><a
href="https://www.fireeye.com/blog/threat-research/2017/03/introduction_to_reve.html">Introduction
to Reverse Engineering Cocoa Applications</a></h3>
<ul>
<li>Walkthrough for Cocoa applications</li>
</ul>
<h3 id="ios-kernel-source"><a
href="https://github.com/apple/darwin-xnu">iOS Kernel source</a></h3>
<ul>
<li>Source code for the iOS kernel</li>
</ul>
<h3 id="reverse-engineering-challenges"><a
href="https://challenges.re/">Reverse Engineering Challenges</a></h3>
<ul>
<li>Very good list of various crackme challenges, categorized by
level and OS</li>
</ul>
<h3 id="awesome-reversing"><a
href="https://github.com/tylerha97/awesome-reversing">Awesome
Reversing</a></h3>
<ul>
<li>Awesome list dedicated to reversing</li>
</ul>
<h2 id="presentations-and-papers">Presentations and Papers</h2>
<h3
id="area41-2018-daniel-roethlisberger-monitoring-macos-for-malware-and-intrusions"><a
href="https://www.youtube.com/watch?v=OSSkBgn_xJs&amp;feature=youtu.be">Area41
2018: Daniel Roethlisberger: Monitoring MacOS For Malware And
Intrusions</a></h3>
<h3 id="windshift-apt"><a
href="https://www.youtube.com/watch?v=Mza6qv4mY9I&amp;feature=youtu.be&amp;t=6h12m24s">Windshift
APT</a></h3>
<ul>
<li><a href="https://objective-see.com/blog/blog_0x38.html">Deep-dive
write-up by Objective See</a></li>
</ul>
<h3 id="automated-binary-analysis-on-ios-a-case-study-on-cryptographic-misuse-in-ios-applications"><a
href="https://pure.tugraz.at/ws/portalfiles/portal/17749575">Automated
Binary Analysis on iOS: A Case Study on Cryptographic Misuse in iOS
Applications</a></h3>
<ul>
<li>Examining iOS applications for poorly guarded secrets</li>
</ul>
<h3 id="writing-bad-malware-for-osx"><a
href="https://www.youtube.com/watch?v=fv4l9yAL2sU">Writing Bad @$$
Malware for OSX</a></h3>
<ul>
<li><a
href="https://www.slideshare.net/Synack/writing-bad-malware-for-os-x">Slides</a>
and <a href="https://www.youtube.com/watch?v=oT8BKt_0cJw">another
related video</a>.</li>
</ul>
<h3 id="methods-of-malware-persistence-on-osx"><a
href="https://www.youtube.com/watch?v=rhhvZnA4VNY">Methods of Malware
Persistence on OSX</a></h3>
<h3 id="advanced-mac-osx-rootkits"><a
href="https://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf">Advanced
Mac OSX Rootkits</a></h3>
<h3 id="the-python-bytes-your-apple"><a
href="https://speakerdeck.com/flankerhqd/the-python-bites-your-apple-fuzzing-and-exploiting-osx-kernel-bugs">The
Python Bytes Your Apple</a></h3>
<ul>
<li>Fuzzing and exploiting OSX kernel bugs</li>
</ul>
<h3 id="breaking-ios-code-signing"><a
href="https://papers.put.as/papers/ios/2011/syscan11_breaking_ios_code_signing.pdf">Breaking
iOS Code Signing</a></h3>
<h3 id="the-apple-sandbox---5-years-later"><a
href="http://newosxbook.com/files/HITSB.pdf">The Apple Sandbox - 5 years
later</a></h3>
<h3 id="practical-ios-app-hacking"><a
href="https://papers.put.as/papers/ios/2012/Mathieu-RENARD-GreHACK-Practical-iOS-App-Hacking.pdf">Practical
iOS App Hacking</a></h3>
<h3 id="behavioral-detection-and-prevention-of-malware-on-os-x"><a
href="https://www.virusbulletin.com/blog/2016/september/paper-behavioural-detection-and-prevention-malware-os-x/">Behavioral
Detection and Prevention of Malware on OS X</a></h3>
<h3 id="security-on-osx-and-ios"><a
href="https://www.youtube.com/watch?v=fdxxPRbXPsI">Security on OSX and
iOS</a></h3>
<ul>
<li><a
href="https://www.slideshare.net/nosillacast/security-on-the-mac">Slides</a></li>
</ul>
<h3 id="thunderstrike"><a
href="https://trmm.net/Thunderstrike_31c3">Thunderstrike</a></h3>
<ul>
<li><a href="https://www.youtube.com/watch?v=5BrdX7VdOr0">Video</a>,
hacking the Mac's extensible firmware interface (EFI)</li>
</ul>
<h3 id="direct-memory-attack-the-kernel"><a
href="https://github.com/ufrisk/presentations/blob/master/DEFCON-24-Ulf-Frisk-Direct-Memory-Attack-the-Kernel-Final.pdf">Direct
Memory Attack the Kernel</a></h3>
<h3 id="dont-trust-your-eye-apple-graphics-is-compromised"><a
href="https://speakerdeck.com/marcograss/dont-trust-your-eye-apple-graphics-is-compromised">Don't
trust your eye, Apple graphics is compromised</a></h3>
<ul>
<li>Security flaws in IOKit's graphics acceleration that lead to
exploitation from the browser</li>
</ul>
<h3 id="fuzzing-and-exploiting-osx-vulnerabilities-for-fun-and-profit-complementary-active-passive-fuzzing"><a
href="https://www.slideshare.net/PacSecJP/moony-li-pacsec18?qid=15552f01-6655-4555-9894-597d62fd803c">Fuzzing
and Exploiting OSX Vulnerabilities for Fun and Profit: Complementary
Active &amp; Passive Fuzzing</a></h3>
<h3 id="strolling-into-ring-0-via-io-kit-drivers"><a
href="https://speakerdeck.com/patrickwardle/o-kit-drivers">Strolling
into Ring-0 via I/O Kit Drivers</a></h3>
<h3 id="juice-jacking"><a
href="https://www.youtube.com/watch?v=TKAgemHyq8w">Juice Jacking</a></h3>
<h3 id="attacking-osx-for-fun-and-profit-tool-set-limitations-frustration-and-table-flipping-dan-tentler"><a
href="https://www.youtube.com/watch?v=9T_2KYox9Us">Attacking OSX for
fun and profit: tool set limitations, frustration and table flipping, Dan
Tentler</a></h3>
<ul>
<li><a href="https://www.youtube.com/watch?v=bjYhmX_OUQQ">Follow-up from
target</a></li>
</ul>
<h3 id="building-an-empyre-with-python"><a
href="https://www.youtube.com/watch?v=79qzgVTP3Yc">Building an EmPyre
with Python</a></h3>
<h3 id="poisontap"><a
href="https://www.youtube.com/watch?v=Aatp5gCskvk">PoisonTap</a></h3>
<h3 id="storing-our-digital-lives---mac-filesystems-from-mfs-to-apfs"><a
href="https://www.youtube.com/watch?v=uMfmgcnrn24">Storing our Digital
Lives - Mac Filesystems from MFS to APFS</a></h3>
<ul>
<li><a
href="http://macadmins.psu.edu/files/2017/07/psumac2017-174-Storing-our-digital-lives-Mac-filesystems-from-MFS-to-APFS.key-254bf2y.pdf">Slides</a></li>
</ul>
<h3 id="collection-of-mac4n6-paperspresentations"><a
href="https://drive.google.com/drive/folders/0B37-sa0Wh9_TdjVSbzRvMEVGQ2c">Collection
of mac4n6 papers/presentations</a></h3>
<h3 id="the-underground-economy-of-apple-id"><a
href="https://www.youtube.com/watch?v=4acVKs9WPts">The Underground
Economy of Apple ID</a></h3>
<h3 id="ios-of-sauron-how-ios-tracks-everything-you-do"><a
href="https://www.youtube.com/watch?v=D6cSiHpvboI">iOS of Sauron: How
iOS Tracks Everything You Do</a></h3>
<h3 id="macosios-kernel-debugging-and-heap-feng-shui"><a
href="https://github.com/zhengmin1989/MyArticles/blob/master/PPT/DEFCON-25-Min-Spark-Zheng-macOS-iOS-Kernel-Debugging.pdf">macOS/iOS
Kernel Debugging and Heap Feng Shui</a></h3>
<h3 id="billy-ellis-iososx-hacking-youtube-channel"><a
href="https://www.youtube.com/channel/UCk2sx_3FUkKvDGlIhdUQa8A">Billy
Ellis iOS/OSX hacking YouTube channel</a></h3>
<h3 id="a-technical-autopsy-of-the-apple---fbi-debate-using-iphone-forensics-sans-dfir-webcast"><a
href="https://www.youtube.com/watch?v=_q_2mN8U91o">A Technical Autopsy
of the Apple - FBI Debate using iPhone forensics | SANS DFIR Webcast</a></h3>
<h3 id="jailbreaking-apple-watch-at-defcon-25"><a
href="https://www.youtube.com/watch?v=eJpbi-Qz6Jc">Jailbreaking
Apple Watch at DEFCON-25</a></h3>
<h3 id="sandscout-automatic-detection-of-flaws-in-ios-sandbox-profiles"><a
href="http://www.icri-sc.org/fileadmin/user_upload/Group_TRUST/PubsPDF/sandscout-final-ccs-2016.pdf">SandScout:
Automatic Detection of Flaws in iOS Sandbox Profiles</a></h3>
<ul>
<li>An exploration of the sandbox protection policies</li>
<li><a
href="https://www.youtube.com/watch?v=TnwXEDCIowQ">Presentation</a></li>
</ul>
<h2 id="virus-and-exploit-writeups">Virus and exploit writeups</h2>
<h3 id="detailed-analysis-of-macosios-vulnerability-cve-2019-6231"><a
href="https://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231.html">Detailed
Analysis of macOS/iOS Vulnerability CVE-2019-6231</a></h3>
<ul>
<li>Exploration of a QuartzCore/CoreAnimation flaw that lets a malicious
application read restricted memory.</li>
</ul>
<h3 id="kernelcache-laundering"><a
href="https://github.com/Synacktiv-contrib/kernelcache-laundering">kernelcache
laundering</a></h3>
<ul>
<li>Load iOS12 kernelcaches and PAC code in IDA</li>
</ul>
<h3 id="blanket"><a href="https://github.com/bazad/blanket">blanket</a></h3>
<ul>
<li>Proof of concept for CVE-2018-4280: Mach port replacement
vulnerability in launchd on iOS 11.2.6</li>
</ul>
<h3 id="proof-of-concept-for-remote-code-execution-in-webcontent"><a
href="https://github.com/externalist/exploit_playground/blob/master/CVE-2018-4233/pwn_i8.js">Proof
of Concept for Remote Code Execution in WebContent</a></h3>
<ul>
<li><a href="https://iokit.racing/machotricks.pdf">MachO tricks</a> -
Appears to be slides from a presentation that ends with the CVE listed
above</li>
</ul>
<h3 id="theres-life-in-the-old-dog-yet-tearing-new-holes-into-inteliphone-cellular-modems"><a
href="https://comsecuris.com/blog/posts/theres_life_in_the_old_dog_yet_tearing_new_holes_into_inteliphone_cellular_modems/">There's
Life in the Old Dog Yet: Tearing New Holes into Intel/iPhone Cellular
Modems</a></h3>
<ul>
<li>How the public warning system can be used as an attack vector</li>
</ul>
<h3 id="i-can-be-apple-and-so-can-you"><a
href="https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/">I
can be Apple, and so can you</a></h3>
<ul>
<li>An exploration of a code signing vulnerability in macOS that has
persisted for 11 years</li>
<li><a
href="https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187">Creating
signed and customized backdoored macOS apps</a></li>
</ul>
<h3 id="leveraging-emond-on-macos-for-persistence"><a
href="https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124">Leveraging
emond on macOS for persistence</a></h3>
<h3 id="apfs-credential-leak-vulnerability"><a
href="https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp">APFS
credential leak vulnerability</a></h3>
<ul>
<li>A flaw in Unified Logs leaks the password for encrypted APFS
volumes</li>
</ul>
<h3 id="a-fun-xnu-infoleak"><a
href="https://bazad.github.io/2018/03/a-fun-xnu-infoleak/">A fun XNU
infoleak</a></h3>
<h3 id="meltdown">Meltdown</h3>
<ul>
<li>CPU flaw allowing kernel memory to be accessed by hijacking
speculative execution</li>
<li><a href="https://github.com/gkaindl/meltdown-poc">Proof of
concept</a></li>
<li><a href="https://support.apple.com/en-us/HT208394">Apple's
statement</a></li>
<li><a
href="https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/">Measuring
OSX meltdown patches performance</a></li>
<li><a
href="https://www.gsmarena.com/spectre_and_meltdown_testing_performance_impact_on_iphone_8_plus-news-29132.php">iPhone
performance after Spectre patch</a></li>
</ul>
<h3 id="flashback"><a
href="https://www.cnet.com/news/more-than-600000-macs-infected-with-flashback-botnet/">Flashback</a></h3>
<ul>
<li><a
href="https://www.intego.com/mac-security-blog/more-about-the-flashback-trojan-horse/">Detailed
analysis</a></li>
</ul>
<h3 id="flashback-pt-2"><a
href="https://www.intego.com/mac-security-blog/flashback-botnet-is-adrift/">Flashback
pt 2</a></h3>
<h3 id="iworm"><a
href="https://www.thesafemac.com/iworm-method-of-infection-found/">iWorm</a></h3>
<ul>
<li><a
href="https://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/">Detailed
analysis</a></li>
</ul>
<h3 id="thunderbolt"><a
href="https://www.theregister.co.uk/2015/01/08/thunderstrike_shocks_os_x_with_first_firmware_bootkit/">Thunderbolt</a></h3>
<ul>
<li>Firmware bootkit</li>
</ul>
<h3 id="malware-in-firmware-how-to-exploit-a-false-sense-of-security"><a
href="https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/">Malware
in firmware: how to exploit a false sense of security</a></h3>
<ul>
<li>A post on the resurgence of bootkits and how to defend against them</li>
</ul>
<h3 id="proton-rat"><a
href="https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does">Proton
RAT</a></h3>
<ul>
<li>Exploration of a Remote Access Toolkit</li>
</ul>
<h3 id="mokes"><a
href="https://thehackernews.com/2016/09/cross-platform-malware.html">Mokes</a></h3>
<h3 id="mackeeper"><a
href="https://www.cultofmac.com/170522/is-mackeeper-really-a-scam/">MacKeeper</a></h3>
<h3 id="opinionspy"><a
href="https://www.thesafemac.com/opinionspy-is-back/">OpinionSpy</a></h3>
<h3 id="elanor"><a
href="https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/">Eleanor</a></h3>
<h3 id="mac-defender"><a
href="https://macsecurity.net/view/79-remove-mac-defender-virus-from-mac-os-x">Mac
Defender</a></h3>
<h3 id="wire-lurker"><a
href="https://www.paloaltonetworks.com/resources/research/unit42-wirelurker-a-new-era-in-ios-and-os-x-malware.html">Wire
Lurker</a></h3>
<h3 id="keranger"><a
href="https://techcrunch.com/2016/03/07/apple-has-shut-down-the-first-fully-functional-mac-os-x-ransomware/">KeRanger</a></h3>
<ul>
<li>First OSX ransomware</li>
</ul>
<h3 id="proof-of-concept-usb-attack"><a
href="https://www.ehackingnews.com/2016/09/a-usb-device-can-steal-credentials-from.html">Proof-of-concept
USB attack</a></h3>
<h3 id="dark-jedi"><a
href="https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/">Dark
Jedi</a></h3>
<ul>
<li>EFI attack that exploits a vulnerability in the suspend-resume
cycle</li>
<li><a
href="https://www.sentinelone.com/blog/reverse-engineering-mac-os-x/">Sentinel
One write-up</a></li>
</ul>
<h3 id="xagent-mac-malware-used-in-apt-28"><a
href="https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/">XAgent
Mac Malware Used In APT-28</a></h3>
<ul>
<li><a
href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html">Samples</a></li>
</ul>
<h3 id="juice-jacking-1"><a
href="https://www.howtogeek.com/166497/htg-explains-what-is-juice-jacking-and-how-worried-should-you-be/">Juice
Jacking</a></h3>
<h3 id="local-privilege-escalation-for-macos-10.12.2-and-xnu-port-feng-shui"><a
href="https://github.com/zhengmin1989/macOS-10.12.2-Exp-via-mach_voucher">Local
Privilege Escalation for macOS 10.12.2 and XNU port Feng Shui</a></h3>
<h3
id="ian-beer-google-project-zero-a-deep-dive-into-the-many-flavors-of-ipc-available-on-os-x."><a
href="https://www.youtube.com/watch?v=D1jNCy7-g9k">Ian Beer, Google
Project Zero: “A deep-dive into the many flavors of IPC available on OS
X.”</a></h3>
<ul>
<li>Deep dive into the interprocess communication and its design
flaws</li>
</ul>
<h3 id="pegasus-ios-kernel-vulnerability-explained"><a
href="https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html">PEGASUS
iOS Kernel Vulnerability Explained</a></h3>
<h3 id="analysis-of-ios.guiinject-adware-library"><a
href="https://www.sentinelone.com/blog/analysis-ios-guiinject-adware-library/">Analysis
of iOS.GuiInject Adware Library</a></h3>
<h3 id="broadpwn"><a
href="https://blog.exodusintel.com/2017/07/26/broadpwn/">Broadpwn</a></h3>
<ul>
<li>Gaining access through the wireless subsystem</li>
</ul>
<h3 id="reverse-engineering-and-abusing-apple-call-relay-protocol"><a
href="https://www.martinvigo.com/diy-spy-program-abusing-apple-call-relay-protocol/">Reverse
Engineering and Abusing Apple Call Relay Protocol</a></h3>
<ul>
<li>Details the discovery of a vulnerability in Apple's call handoff
between mobile and desktop through analyzing network traffic.</li>
</ul>
<h3 id="exploiting-the-wifi-stack-on-apple-devices">Exploiting the Wifi
Stack on Apple Devices</h3>
<p>Google's Project Zero series of articles that detail vulnerabilities
in the wireless stack used by Apple devices</p>
<ul>
<li><a
href="https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html">Over
The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)</a></li>
<li><a
href="https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html">Over
The Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)</a></li>
<li><a
href="https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html">Over
The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices</a></li>
<li><a
href="https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html">Over
The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices</a></li>
<li><a
href="https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html">Over
The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple
Devices</a></li>
</ul>
<h3 id="chaios-bug"><a
href="https://www.grahamcluley.com/chaios-bug-crash-ios-macos-messages/">ChaiOS
bug</a></h3>
<ul>
<li>A message that crashes iMessage</li>
<li>Looks similar to <a
href="https://arstechnica.com/gadgets/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/">previous</a>
<a
href="https://www.intego.com/mac-security-blog/crash-text-message-iphone/">bugs</a>
rendering Arabic characters</li>
</ul>
<h2 id="useful-tools-and-guides">Useful tools and guides</h2>
<h3 id="macibm"><a
href="https://github.com/IBM/mac-ibm-enrollment-app">Mac@IBM</a></h3>
<ul>
<li>Mac enrollment helper provided by IBM</li>
</ul>
<h3 id="mosl"><a href="https://github.com/0xmachos/mOSL">mOSL</a></h3>
<ul>
<li>Audit and fix macOS High Sierra (10.13.x) security settings</li>
</ul>
<h3 id="darling"><a
href="https://github.com/darlinghq/darling">Darling</a></h3>
<ul>
<li>Darwin/macOS emulation layer for Linux</li>
</ul>
<h3 id="kemon"><a href="https://github.com/didi/kemon">Kemon</a></h3>
<ul>
<li>Open source kernel monitoring</li>
</ul>
<h3 id="jelbrektime"><a
href="https://github.com/kai5263499/jelbrekTime">jelbrektime</a></h3>
<ul>
<li>Developer jailbreak for Apple Watch</li>
</ul>
<h3 id="booting-secure"><a
href="http://michaellynn.github.io/2018/07/27/booting-secure/">Booting
Secure</a></h3>
<ul>
<li>Deep dive into Secure Boot on the 2018 MacBook Pro</li>
</ul>
<h3 id="tutorial---emulate-an-ios-kernel-in-qemu-up-to-launchd-and-userspace"><a
href="https://worthdoingbadly.com/xnuqemu2/">Tutorial - emulate an iOS
kernel in QEMU up to launchd and userspace</a></h3>
<ul>
<li>Tutorial on getting an iOS kernel to run in QEMU</li>
</ul>
<h3 id="xnumon"><a href="https://www.roe.ch/xnumon">xnumon</a></h3>
<ul>
<li>Monitor macOS for malicious activity</li>
<li><a href="https://github.com/droe/xnumon">Source</a></li>
</ul>
<h3 id="detectx"><a href="https://sqwarq.com/detectx/">DetectX</a></h3>
<ul>
<li>Audits system artifacts to help you identify unknown and novel
threats</li>
</ul>
<h3 id="are-you-really-signed"><a
href="https://github.com/Sentinel-One/macos-are-you-really-signed">Are
you really signed?</a></h3>
<ul>
<li>Utility to test for a code-sign bypass vulnerability</li>
</ul>
<h3 id="osx-security-growler"><a
href="https://github.com/pirate/security-growler">osx security
growler</a></h3>
<ul>
<li>Mac menu bar item that lets you know about security events on your
system</li>
</ul>
<h3 id="mac-a-mal"><a
href="https://github.com/phdphuc/mac-a-mal">mac-a-mal</a></h3>
<ul>
<li>Automated malware analysis on macOS</li>
</ul>
<h3 id="jrswizzle"><a
href="https://github.com/rentzsch/jrswizzle">jrswizzle</a></h3>
<ul>
<li>Method interface exchange</li>
</ul>
<h3 id="macdbg"><a href="https://github.com/blankwall/MacDBG">MacDBG</a></h3>
<ul>
<li>C and Python debugging framework for OSX</li>
</ul>
<h3 id="bitcode_retriever"><a
href="https://github.com/AlexDenisov/bitcode_retriever">bitcode_retriever</a></h3>
<ul>
<li>Store and retrieve bitcode from Mach-O binaries</li>
</ul>
<h3 id="machotools"><a
href="https://github.com/enthought/machotools">machotools</a></h3>
<ul>
<li>Retrieve and change information about Mach-O files</li>
</ul>
<h3 id="onyx-the-black-cat"><a
href="https://github.com/acidanthera/onyx-the-black-cat">onyx-the-black-cat</a>
(<a href="https://github.com/gdbinit/onyx-the-black-cat">outdated
original</a>)</h3>
<ul>
<li>Kernel module for OSX to defeat anti-debugging protection</li>
</ul>
<h3 id="create-dmg"><a
href="https://github.com/andreyvit/create-dmg">create-dmg</a></h3>
<ul>
<li>CLI utility for creating and modifying DMG files</li>
</ul>
<h3 id="dmg2iso"><a
href="https://sourceforge.net/projects/dmg2iso/?source=typ_redirect">dmg2iso</a></h3>
<ul>
<li>Convert DMG to ISO</li>
</ul>
<h3 id="infosec-homebrew"><a
href="https://github.com/kai5263499/homebrew-infosec">Infosec
Homebrew</a></h3>
<ul>
<li>Homebrew tap for security-related utilities</li>
</ul>
<h3 id="awesome-osx-command-line"><a
href="https://github.com/herrbischoff/awesome-macos-command-line">Awesome
OSX Command Line</a></h3>
<ul>
<li>Collection of really useful shell commands</li>
</ul>
<h3 id="keychain-dump"><a
href="https://github.com/juuso/keychaindump">Keychain dump</a></h3>
<ul>
<li>Dump keychain credentials</li>
</ul>
<h3 id="knockknock"><a
href="https://objective-see.com/products/knockknock.html">KnockKnock</a></h3>
<ul>
<li>Lists startup items. Also includes VirusTotal information</li>
</ul>
<h3 id="lingon-x"><a
href="https://www.peterborgapps.com/lingon/">Lingon-X</a></h3>
<ul>
<li>GUI for launchd</li>
</ul>
<h3 id="hopper"><a href="https://www.hopperapp.com/">Hopper</a></h3>
<ul>
<li>Excellent OSX debugger (requires license)</li>
</ul>
<h3 id="symhash"><a
href="https://github.com/threatstream/symhash">Symhash</a></h3>
<ul>
<li>Python utility for generating imphash fingerprints for OSX binaries</li>
</ul>
<h3 id="kismac2"><a href="https://github.com/IGRSoft/KisMac2">KisMac2</a></h3>
<ul>
<li>Wireless scanning and packet capturing</li>
</ul>
<h3 id="passive-fuzz-framework"><a
href="https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX">Passive
fuzz framework</a></h3>
<ul>
<li>Framework for fuzzing OSX kernel vulnerabilities, based on a passive
inline hook mechanism in kernel mode</li>
</ul>
<h3 id="platypus"><a
href="https://sveinbjorn.org/platypus">Platypus</a></h3>
<ul>
<li>GUI for generating .app bundles</li>
</ul>
<h3 id="createosxinstallpkg"><a
href="https://github.com/munki/createOSXinstallPkg">createOSXinstallPkg</a></h3>
<ul>
<li>CLI for generating .pkg installers</li>
</ul>
<h3 id="poisontap-1"><a
href="https://github.com/samyk/poisontap">PoisonTap</a></h3>
<h3 id="chipsec"><a
href="https://github.com/chipsec/chipsec">Chipsec</a></h3>
<ul>
<li>System firmware checker by Intel</li>
</ul>
<h3 id="revisiting-mac-os-x-kernel-rootkits-by-phrack-magazine"><a
href="http://phrack.org/issues/69/7.html">Revisiting Mac OS X Kernel
Rootkits by Phrack Magazine</a></h3>
<ul>
<li>A collection of OSX rootkit ideas</li>
</ul>
<h3 id="iphone-data-protection-in-depth"><a
href="http://conference.hackinthebox.org/hitbsecconf2011ams/materials/D2T2%20-%20Jean-Baptiste%20Be%CC%81drune%20&amp;%20Jean%20Sigwald%20-%20iPhone%20Data%20Protection%20in%20Depth.pdf">iPhone
Data Protection in Depth</a></h3>
<h3 id="cycript"><a href="http://www.cycript.org/">Cycript</a></h3>
<ul>
<li>Remote control library for fuzz testing iOS apps</li>
</ul>
<h3 id="chaoticmarch"><a
href="https://github.com/synack/chaoticmarch">ChaoticMarch</a></h3>
<ul>
<li>Blackbox fuzz testing for iOS apps (requires jailbreak)</li>
</ul>
<h3 id="ios-backup-decrypt-script"><a
href="https://stackoverflow.com/questions/1498342/how-to-decrypt-an-encrypted-apple-itunes-iphone-backup">iOS
backup decrypt script</a></h3>
<ul>
<li>Contains a script for decrypting an encrypted iOS backup archive</li>
</ul>
<h3 id="remote-packet-capture-for-ios-devices"><a
href="https://useyourloaf.com/blog/remote-packet-capture-for-ios-devices/">Remote
Packet Capture for iOS Devices</a></h3>
<ul>
<li>Use a remote virtual interface to capture packets from a tethered
iOS device</li>
<li><a href="https://thrysoee.dk/iospcap/">Python utility</a></li>
<li><a href="https://github.com/gh2o/rvi_capture">Another Python
utility</a></li>
</ul>
<h3 id="pareto-security"><a href="https://paretosecurity.app/">Pareto
Security</a></h3>
<ul>
<li>A menu bar app to automatically audit your Mac for basic security
hygiene.</li>
</ul>
<h3 id="mana-security"><a href="https://manasecurity.com/">Mana Security</a></h3>
<ul>
<li>Vulnerability management app for individuals. It helps keep macOS
and installed applications updated.</li>
</ul>
<h3 id="cnspec"><a href="https://cnspec.io/">cnspec</a></h3>
<ul>
<li>Open source vulnerability and misconfiguration scanning for macOS
hosts, plus much more.</li>
</ul>
<h3 id="intro-to-ios-malware-detection"><a
href="https://8ksec.io/mobile-malware-analysis-part-4-intro-to-ios-malware-detection/">Intro
to iOS Malware Detection</a></h3>
<ul>
<li>iOS malware, its types, and methods of gathering forensic information</li>
</ul>
<h3 id="ipsw-walkthrough"><a
href="https://8ksec.io/ipsw-walkthrough-part-1-the-swiss-army-knife-for-ios-macos-security-research/">Ipsw
Walkthrough</a></h3>
<ul>
<li>Part one, which covers basic uses</li>
</ul>
<h2 id="remote-access-toolkits">Remote Access Toolkits</h2>
<h3 id="empyre"><a
href="https://github.com/EmpireProject/EmPyre">Empyre</a></h3>
<h3 id="bella"><a
href="https://github.com/kai5263499/Bella">Bella</a></h3>
<h3 id="stitch"><a
href="https://nathanlopez.github.io/Stitch/">Stitch</a></h3>
<h3 id="pupy"><a href="https://github.com/n1nj4sec/pupy">Pupy</a></h3>
<h3 id="eggshell-surveillance-tool---works-on-osx-and-jailbroken-ios"><a
href="https://github.com/neoneggplant/EggShell">EggShell surveillance
tool</a> - Works on OSX and jailbroken iOS</h3>
<h3 id="evilosx---pure-python-post-exploitation-toolkit"><a
href="https://github.com/Marten4n6/EvilOSX">EvilOSX</a> - Pure python
post-exploitation toolkit</h3>
<h2 id="worth-following-on-twitter">Worth following on Twitter</h2>
<ul>
<li><a href="https://twitter.com/patrickwardle"><span class="citation"
data-cites="patrickwardle">@patrickwardle</span></a></li>
<li><a href="https://twitter.com/objective_see"><span class="citation"
data-cites="objective_see">@objective_see</span></a></li>
<li><a href="https://twitter.com/0xAmit"><span class="citation"
data-cites="0xAmit">@0xAmit</span></a></li>
<li><a href="https://twitter.com/osxreverser"><span class="citation"
data-cites="osxreverser">@osxreverser</span></a></li>
<li><a href="https://twitter.com/liucoj"><span class="citation"
data-cites="liucoj">@liucoj</span></a></li>
<li><a href="https://twitter.com/osxdaily"><span class="citation"
data-cites="osxdaily">@osxdaily</span></a></li>
<li><a href="https://twitter.com/iamevltwin"><span class="citation"
data-cites="iamevltwin">@iamevltwin</span></a></li>
<li><a href="https://twitter.com/claud_xiao"><span class="citation"
data-cites="claud_xiao">@claud_xiao</span></a></li>
<li><a href="https://twitter.com/JPoForenso"><span class="citation"
data-cites="JPoForenso">@JPoForenso</span></a></li>
<li><a href="https://twitter.com/patrickolsen"><span class="citation"
data-cites="patrickolsen">@patrickolsen</span></a></li>
</ul>
<h2 id="other-osx-awesome-lists">Other OSX Awesome lists</h2>
<ul>
<li><a
href="https://github.com/ashishb/osx-and-ios-security-awesome">ashishb/osx-and-ios-security-awesome</a></li>
</ul>
<p><a
href="https://github.com/kai5263499/osx-security-awesome">osxsecurity.md
Github</a></p>