# Credits and acknowledgements

All rights to original authors. ApplePY is for **authorised** security assessments only.

---

- **[CIS macOS Benchmark](https://www.cisecurity.org/benchmark/apple_os)**

  Informs `checks/cis_extended.py`. Over 80 Level 1 and Level 2 controls are implemented as individual checks; each section number, evidence format, and remediation text maps directly to the benchmark.

- **[usnistgov/macos_security](https://github.com/usnistgov/macos_security)**

  Informs `checks/compliance.py`. The corpus is vendored into `applepy/data/macos_security` at build time. `generate_guidance.py` runs per scan to produce a compliance shell script; the resulting audit plist is parsed into per-rule findings.

- **[cisofy/lynis](https://github.com/cisofy/lynis)**

  Informs `checks/compliance.py`. Runs as `lynis audit system --quick --no-colors`; the hardening index and any warnings are surfaced as findings. Vendored into `applepy/data/lynis`. GPL-3.0.

- **[cedowens/SwiftBelt](https://github.com/cedowens/SwiftBelt)**

  Informs `checks/common_paths.py` and `checks/extended_surface.py`. The breadth-first approach to attack surface enumeration (mounts, keychains, cron, shell startup files, SSH directories, browser extensions, MDM hints) mirrors SwiftBelt's style.

- **[cedowens/EntitlementCheck](https://github.com/cedowens/EntitlementCheck)**

  Informs `checks/surface.py`. The `codesign -d --entitlements -` invocation pattern for sampling entitlements from installed `.app` bundles originates here.

- **[SpecterOps SO-CON 2025 — Modern macOS Red Teaming](https://github.com/SpecterOps/presentations/)**

  Informs `checks/deck_export.py`. The eight check themes (SystemConfiguration preferences, Time Machine plist, zsh sessions, kubeconfig, Docker, Parallels, Homebrew, OpenVPN) are structured around this presentation's red-team framework. The `APPLEPY_DECK_EXPORT_TXT` environment variable loads a reference export from the talk.

- **[SpecterOps/JamfHound](https://github.com/SpecterOps/JamfHound)**

  Informs `reporters/graph_json.py` and `graph_validate.py`. The JamfHound v1.1.2 OpenGraph schema is reproduced so that `graph_findings.json` can be ingested directly into BloodHound CE with the Jamf extension installed.

- **[ReversecLabs/Jamf-Attack-Toolkit](https://github.com/ReversecLabs/Jamf-Attack-Toolkit)**

  Informs `checks/mdm/jamf.py`. The credential pattern set (`_CRED_PATTERNS`) and extension attribute cache enumeration are drawn from this research. The toolkit itself is not bundled; an informational finding notes its scope when the Jamf agent is detected.

- **[kandji-inc/security-toolkit](https://github.com/kandji-inc/security-toolkit)**

  Informs `checks/mdm/kandji.py`. Application Support paths, LaunchAgent names, preference keys, and helper binary paths used in the Kandji local posture checks are sourced from this project.

- **[RedFoxSec — macOS Privilege Escalation](https://www.redfoxsec.com/blog/macos-security-privilege-escalation)**

  Informs `checks/privesc.py`. All five checks (sudoers NOPASSWD, unexpected SUID/SGID binaries, writable LaunchDaemon binaries, writable PATH directories, and high-risk TCC permissions) implement techniques documented in this article.

- **[Maldev-Academy/ElectronVulnScanner](https://github.com/Maldev-Academy/ElectronVulnScanner)**

  Informs `checks/electron.py`. ASAR archive detection and writable parent directory inspection for Electron-based `.app` bundles follow the attack pattern documented here.

- **[LOOBins](https://www.loobins.io/)**

  Informs `checks/catalogues.py`. The live `loobins.json` feed is fetched with a disk cache and a bundled JSON fallback. Entries are cross-referenced against binaries on `PATH` to produce per-binary findings.

- **[GTFOBins](https://gtfobins.org/)**

  Informs `checks/catalogues.py`. The live `api.json` feed is fetched with a disk cache. macOS-platform entries are matched against on-host binaries and summarised in a capped findings row. CC BY-SA 4.0.

- **[lolapps-project](https://lolapps-project.github.io/)**

  Informs `checks/catalogues.py`. Application names from the public list are checked for presence under `/Applications` and `~/Applications`.

- **[lottunnels](https://lottunnels.github.io/)**

  Informs `checks/catalogues.py`. Tunnelling tool names from the public list are checked for presence on `PATH` and under `/Applications`.

- **[MITRE ATT&CK](https://attack.mitre.org/)**

  Informs `Finding.mitre_techniques` and `checks/mitre.py`. Technique IDs are attached to every finding where applicable and expanded into a dedicated MITRE worksheet in the XLSX report with links to each technique page.

- **[PyObjC](https://github.com/ronaldoussoren/pyobjc)**

  Informs `checks/pyobjc_surface.py`. `NSWorkspace.sharedWorkspace().runningApplications()` is used for running process enumeration. Required on macOS. MIT licence.

---

This project does not bundle proprietary Jamf, Kandji, or Apple software.