Observing Your macOS Red Team attack footprint like an EDR with a HELK Lab

As you run your red team attack in a macOS environment, you might find yourself wondering what your blue team is seeing from their Endpoint Detection & Response (EDR) solution.

In this article, I will explain how to build a lab using the following three components. You can use it for real-time observation of Apple’s Endpoint Security Framework (ESF) events coming from your macOS client (test victim) as you perform your red team techniques against it:

With this lab, you can develop and hone your macOS tradecraft by seeing your footprints…


Introducing Conf-Thief

I don’t have to explain to the experienced Red Teamer the treasure trove of secrets and intelligence data that can be found in the pages of an organization's Confluence instance. If the Red Teamer finds herself on a victim’s Confluence site this could mean finding secrets and sensitive data that might lead to an organization’s crown jewels. One might find account passwords, source code, or even private keys and addresses to cloud infrastructure. …

Introducing G-Dir Thief

G-Dir Thief

What is this about?

During the last few Red Team Operations I’ve been on, I’ve found myself having phished my way into a victim’s G-Suite account. Among other things, I end up taking a look at the victim’s Google contacts and ultimately look at the victim organization’s Google directory. While you can absolutely export the victim user’s contacts, you cannot, however, export/download the organization’s directory. While super annoying as a Red Teamer, I give Google a lot of credit for this security-minded feature. Having access to an organization’s complete directory is pretty valuable to an adversary. Armed with this data…

Introducing a tool for exfiltrating all of the things from a Google Drive


I am a Master’s of Information Security Engineering student at SANS Technology Institute (STI). I was doing my reading the other night for my SEC 530: Defensible Security Architecture and Engineering course and got into the topics of Data Classification and Data Loss Prevention (DLP). This material covered the many different methods of classifying data and of implementing DLP from a detections perspective. I am a professional Red Teamer, and thus began thinking about the many different times that I had hacked my way into a victim’s Google…

Enumerating TCC.db with JXA

After reading a Tweet from Wojciech Reguła (@_r3ggi), sharing 3 articles from F-Secure Labs’ blog posts concerning bypassing MacOS’ Transparency, Consent and Control (TCC) by Luke Roberts (@rookuu_) and Calum Hall (@_calumhall), my colleagues Christopher Ross (@xorrior), Andy Grant (@andywgrant), and I took part in some discussion concerning the topic.

Later Chris had been putting together some great documentation on MacOS post-exploitation situational awareness for Red Team Operations and I wondered if it might be worth adding in checks on the TCC database to see which applications have full disk access (FDA) on the victim host. …

How to get your electron app to do Mac stuff.

So, this story begins with me deciding that I wanted to develop a standalone app that can make MacOS Native API calls for purposes that I will not dive into just yet (I plan to develop the app and do not yet know how well it will pan out in the end, so I don’t want to give it away in this article. More to come…).

I Want it to be Pretty

I decided that I did not want to use Apple’s UIKit, because I don’t have much experience using it and I’m honestly not too impressed with the GUIs that it produces. I want something…

Are you really going there?

Yes, I am aware that attempting to answer the question “What is red teaming?” within the infosec community is a topic that tends to ruffle the feathers and stir the pot for my red team peers, but I am writing this article anyway. I am writing this because I have experience as a participant on all sides (I will go into detail of these “sides” later) of Military training exercises in two different branches of the U.S. military. I also have experience in these exercises in an information security capacity as well as in traditional combat scenario capacities. …

It was Halloween, October 31, 2018, and Black Hills Security Researchers Beau Bullock and Michael Felch disclosed to Google, step by step, how anyone with a Gmail account could add an event, as “accepted”, to any Google Calendar via the Google Calendar API. Bullock and Felch also published a blog post that explains this attack in detail.

I gave a talk on this topic at the Texas Cyber Summit on Saturday, 10/12/2019, entitled “Gone Calishing: A Red Team Approach to weaponizing Google Calendar and How to Stop It,” where I show exactly how to conduct this attack using my script…

An Example in Getting Around CrowdStrike Endpoint Protection

For those of you, like me, who are on the red, offensive side of information security, I am certain you are aware of the sea of ever-expanding defensive walls emerging around you. Some of the PowerShell and Windows cmd post-exploitation commands that, at one time in history, were easy to pop off without detection, or at the very least without being stopped completely, are now caught by “intelligent” endpoint protection software. What happened to the days when one could just run Mimikatz on a victim box and none were the wiser?


Red Team Pen Testing Nobody | OSCP | InfoSec | Tech Junkie | OIF Veteran | Tweets are mine, not yours, nor anyone else's... Certainly not my employer's
