Cedric Owens

My latest blog post on how in memory JXA exec, dylib exec, keylogging, and other techniques look through the lens of Apple’s ESF 🔎: cedowens.medium.com/taking-esf-for…

One thing I’m being reminded of lately: the only sure foundation that I have is Jesus Christ 🙏🏽. His kingdom transcends this economy and job market 🙌🏽. If I can help in any way during these uncertain times please reach out! Be encouraged!

@xorrior Congrats bro 💪🏽

This is a little late but finally got my first one 🙂

Alright here’s a new blog post for a new macOS malware by @AdamJKohler and I! This was a fun one to reverse: stripped, encoded strings, persistence, and more :) Enjoy!! blog.kandji.io/malware-cuckoo…

@philofishal Neat!! Thanks for sharing @infosecb - FYI

What have I been doing recently? Working on a 100% automated attack simulation framework for Microsoft Defender 🛡️ called M0rphy (named after Paul Morphy the chess genius) that supports both Linux, macOS and Windows, as well as accidently finding some vulns while doing so!

🆕🍎My new blogpost @KandjiMDM about how Apple attempts to mitigate some installer script vulnerabilities using "Install Script Actions" and "Install Script Mutations" in the PackageKit framework. blog.kandji.io/apple-mitigate…

@_xpn_ @SpecterOps Congrats Adam!

First con talk done. Was scarier than I thought, but in a good way! Looking forward to doing it again! Also excited that I’ll be joining @SpecterOps in April. This is a team that I’ve wanted to work with ever since the company started. I’ve used so many of their revolutionary tools and techniques over my career, I can’t wait to be involved. And after meeting people in IRL, I’m excited to get going!! Lots of interesting things to learn 🤘🤘

@Laughing_Mantis @_r3ggi @yo_yo_yo_jbo @theevilbit @gergely_kalman @patrickwardle Ah interesting. Yeah I have used office macros in the past for initial access but that was a few years ago.

@_r3ggi @yo_yo_yo_jbo @cedowens @theevilbit @gergely_kalman @patrickwardle 🙋‍♂️ hi malicious Mac office macros still exist and are used in targeted attacks via threat actors. A few cases I have personally seen are those mimicking real world financial macros and plugins but they were rare indeed.

Are malicious office macros on macOS still a thing? Flagging the gang @cedowens @_r3ggi @theevilbit @gergely_kalman @patrickwardle

🔊 New blog post about impersonating TCC permissions via Electron apps on macOS Sonoma wojciechregula.blog/post/electroni…

The recent macOS malware which leverages python and ObjC has some pretty cool functionality. How it creates the path for the .py script for killing the NotificationCenter is a fun one so let's dive in: 🧵

Short post where I revisit NPM payloads on macOS. @D00MFist/loads-of-fun-e1f0dac3d4f8" target="_blank" rel="nofollow noopener">medium.com/@D00MFist/load…

Mythic just got an update! ✨ Check out @its_a_feature_'s latest blog post for a rundown of the updates made in Mythic v3.2, including: ✅ Push C2 ✅ Interactive Async Tasking ✅ Dynamic File Browser Read more! ghst.ly/46zRFsg

@PartyD0lphin Neat! Thanks for sharing!

Dropping a quick blog post with a few videos walking through a review of how Gatekeeper looks up Notarization tickets! Calling the endpoint yourself is super quick. swiftly-detecting.notion.site/How-does-Gatek…

💺 SwiftBelt A macOS enumeration tool Stealthy: uses Swift instead of CLI tools, avoids pop-ups Checks: * Full disk access * Presence of security tools * Searches for SSH and cloud creds * Browser history * Slack cookies + more By @cedowens #redteam github.com/cedowens/Swift…

@L0Psec @patrickwardle Yeah sad I’m missing it this year ☹️. Best con hands down!

@cedowens @patrickwardle Thanks dude! Was really hoping to catch you here.

#OBTS Dream come true to present on stage with someone I’ve looked up to for years. @patrickwardle

DO ITTTT 🫡❤️

I put all my slides, whitepapers, workbooks, etc... for all of my past workshops and talks on my blog and added links for recordings where available. Now it's all available in a single space. theevilbit.github.io/talks/

🎉🥁 The wait is over. Please welcome "Dock Tile Plugins" to the persistence club. My new favorite. 🤩 In the blog: 🍎 background and details 🍎 how to create and use 🍎 how to detect 🍎 sample code and binary theevilbit.github.io/beyond/beyond_…