Credits and acknowledgements
All rights to original authors. ApplePY is for authorised security assessments only.
CIS macOS Benchmark
Informs checks/cis_extended.py. Over 80 Level 1 and Level 2 controls are implemented as individual checks; each section number, evidence format, and remediation text maps directly to the benchmark.
usnistgov/macos_security
Informs checks/compliance.py. The corpus is vendored into applepy/data/macos_security at build time. generate_guidance.py runs per scan to produce a compliance shell script; the resulting audit plist is parsed into per-rule findings.
cisofy/lynis
Informs checks/compliance.py. Runs as lynis audit system --quick --no-colors; the hardening index and any warnings are surfaced as findings. Vendored into applepy/data/lynis. GPL-3.0.
cedowens/SwiftBelt
Informs checks/common_paths.py and checks/extended_surface.py. The breadth-first approach to attack surface enumeration (mounts, keychains, cron, shell startup files, SSH directories, browser extensions, MDM hints) mirrors SwiftBelt's style.
cedowens/EntitlementCheck
Informs checks/surface.py. The codesign -d --entitlements - invocation pattern for sampling entitlements from installed .app bundles originates here.
SpecterOps SO-CON 2025 — Modern macOS Red Teaming
Informs checks/deck_export.py. The eight check themes (SystemConfiguration preferences, Time Machine plist, zsh sessions, kubeconfig, Docker, Parallels, Homebrew, OpenVPN) are structured around this presentation's red-team framework. The APPLEPY_DECK_EXPORT_TXT environment variable loads a reference export from the talk.
SpecterOps/JamfHound
Informs reporters/graph_json.py and graph_validate.py. The JamfHound v1.1.2 OpenGraph schema is reproduced so that graph_findings.json can be ingested directly into BloodHound CE with the Jamf extension installed.
ReversecLabs/Jamf-Attack-Toolkit
Informs checks/mdm/jamf.py. The credential pattern set (_CRED_PATTERNS) and extension attribute cache enumeration are drawn from this research. The toolkit itself is not bundled; an informational finding notes its scope when the Jamf agent is detected.
kandji-inc/security-toolkit
Informs checks/mdm/kandji.py. Application Support paths, LaunchAgent names, preference keys, and helper binary paths used in the Kandji local posture checks are sourced from this project.
RedFoxSec — macOS Privilege Escalation
Informs checks/privesc.py. All five checks (sudoers NOPASSWD, unexpected SUID/SGID binaries, writable LaunchDaemon binaries, writable PATH directories, and high-risk TCC permissions) implement techniques documented in this article.
Maldev-Academy/ElectronVulnScanner
Informs checks/electron.py. ASAR archive detection and writable parent directory inspection for Electron-based .app bundles follow the attack pattern documented here.
LOOBins
Informs checks/catalogues.py. The live loobins.json feed is fetched with a disk cache and a bundled JSON fallback. Entries are cross-referenced against binaries on PATH to produce per-binary findings.
GTFOBins
Informs checks/catalogues.py. The live api.json feed is fetched with a disk cache. macOS-platform entries are matched against on-host binaries and summarised in a capped findings row. CC BY-SA 4.0.
lolapps-project
Informs checks/catalogues.py. Application names from the public list are checked for presence under /Applications and ~/Applications.
lottunnels
Informs checks/catalogues.py. Tunnelling tool names from the public list are checked for presence on PATH and under /Applications.
MITRE ATT&CK
Informs Finding.mitre_techniques and checks/mitre.py. Technique IDs are attached to every finding where applicable and expanded into a dedicated MITRE worksheet in the XLSX report with links to each technique page.
PyObjC
Informs checks/pyobjc_surface.py. NSWorkspace.sharedWorkspace().runningApplications() is used for running process enumeration. Required on macOS. MIT licence.
This project does not bundle proprietary Jamf, Kandji, or Apple software.