Norimaci – Simple And Lightweight Malware Analysis Sandbox For macOS

[*] “Norimaci” is a simple and lightweight malware analysis sandbox for macOS. This tool was inspired by “Noriben“. Norimaci uses the features of OpenBSM or to monitor macOS system activity instead of Sysinternals Process Monitor (procmon). Norimaci consists of 3 Python scripts. : Main script : OpenBSM audit log converter :Read More

Ma2Tl – macOS Forensic Timeline Generator Using The Analysis Result DBs Of Mac_Apt

This is a DFIR tool for generating a macOS forensic timeline from the analysis result DBs of mac_apt. Requirements Python 3.7.0 or later pytz tzlocal xlsxwriter Installation % git clone Usage % python ./ -husage: [-h] [-i INPUT] [-o OUTPUT] [-ot OUTPUT_TYPE] [-s START] [-e END] [-t TIMEZONE] [-l LOG_LEVEL] plugin [plugin …]ForensicRead More

Boko – Application Hijack Scanner For macOS is an application scanner for macOS that searches for and identifies potential dylib hijacking and weak dylib vulnerabilities for application executables, as well as scripts an application may use that have the potential to be backdoored. The tool also calls out interesting files and lists them instead of manually browsing the file system forRead More

MacHound – An extension to audit Bloodhound collecting and ingesting of Active Directory relationships on MacOS hosts

MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts. MacHound collects information about logged-in users, and administrative group members on Mac machines and ingest the information into the Bloodhound database. In addition to using the HasSession and AdminTo edges, MacHound adds three new edgesRead More

Swift-Attack – Unit Tests For Blue Teams To Aid With Building Detections For Some Common macOS Post Exploitation Methods

Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods. I have included some post exploitation examples using both command line history and on disk binaries (which should be easier for detection) as well as post exploitation examples using API calls only (which will be more difficult forRead More

LibAFL – Advanced Fuzzing Library – Slot Your Fuzzer Together In Rust! Scales Across Cores And Machines. For Windows, Android, MacOS, Linux, No_Std, …

Advanced Fuzzing Library – Slot your own fuzzers together and extend their features using Rust. LibAFL is written and maintained by Andrea Fioraldi [email protected] and Dominik Maier [email protected] Why LibAFL? LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. Some highlight features currently include: fast: We do everything weRead More

PoisonApple – macOS Persistence Tool

Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes. Install Do it up: $ pip3 install poisonapple –user Note: PoisonApple was written & tested using Python 3.9, it should work using Python 3.6+ Important Notes! PoisonApple will make modificationsRead More

Duf – Disk Usage/Free Utility (Linux, BSD, macOS & Windows)

Disk Usage/Free Utility (Linux, BSD, macOS & Windows) Features User-friendly, colorful output Adjusts to your terminal’s width Sort the results according to your needs Groups & filters devices Can conveniently output JSON Installation Packages Linux Arch Linux: duf Nix: nix-env -iA nixpkgs.duf Packages in Alpine, Debian & RPM formats BSD FreeBSD: pkg install duf macOSRead More

SwiftBelt – A macOS Enumeration Tool Inspired By Harmjoy’S Windows-based Seatbelt Enumeration Tool

SwiftBelt is a macOS enumerator inspired by @harmjoy’s Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to aRead More

Sinter – A User-Mode Application Authorization System For MacOS Written In Swift

Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift.Sinter uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types. The current version of Sinter supports allowing/denying process executions; in future versions we intend to supportRead More