applepy/CREDITS.md
Warezpeddler 3325436017 Initial commit
2026-04-25 23:09:31 +01:00

# Credits and acknowledgements
All rights to original authors. ApplePY is for **authorised** security assessments only.

---
[CIS macOS Benchmark](https://www.cisecurity.org/benchmark/apple_os)
Informs `checks/cis_extended.py`. Over 80 Level 1 and Level 2 controls are implemented as individual checks; each section number, evidence format, and remediation text maps directly to the benchmark.
[usnistgov/macos_security](https://github.com/usnistgov/macos_security)
Informs `checks/compliance.py`. The corpus is vendored into `applepy/data/macos_security` at build time. `generate_guidance.py` runs per scan to produce a compliance shell script; the resulting audit plist is parsed into per-rule findings.
[cisofy/lynis](https://github.com/cisofy/lynis)
Informs `checks/compliance.py`. Runs as `lynis audit system --quick --no-colors`; the hardening index and any warnings are surfaced as findings. Vendored into `applepy/data/lynis`. GPL-3.0.
[cedowens/SwiftBelt](https://github.com/cedowens/SwiftBelt)
Informs `checks/common_paths.py` and `checks/extended_surface.py`. The breadth-first approach to attack surface enumeration (mounts, keychains, cron, shell startup files, SSH directories, browser extensions, MDM hints) mirrors SwiftBelt's style.
[cedowens/EntitlementCheck](https://github.com/cedowens/EntitlementCheck)
Informs `checks/surface.py`. The `codesign -d --entitlements -` invocation pattern for sampling entitlements from installed `.app` bundles originates here.
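The entitlement sampling credited above, as an added example that is not ApplePY's or EntitlementCheck's code: the plist that `codesign -d --entitlements -` prints is parsed and a handful of hardened-runtime-weakening keys are flagged. The risky-key table and the constructed sample plist are assumptions for this example; on a real host `sample_app` shells out to `codesign`, and the header-stripping in `parse_entitlements` covers the blob header that older `codesign` versions print before the XML (the `:-` output form strips it at the source).

```python
"""Classify entitlements sampled from an .app bundle (added example)."""
import plistlib
import subprocess

# Entitlements that weaken hardened-runtime protections. This table is an
# assumption for the example, not ApplePY's catalogue.
RISKY_ENTITLEMENTS = {
    "com.apple.security.get-task-allow":
        "debuggable: a local process can task_for_pid and inject",
    "com.apple.security.cs.disable-library-validation":
        "loads dylibs not signed by the same team",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* injection variables",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory permitted",
}

# Constructed sample of what codesign emits for a bundle; not captured from
# any real application.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.get-task-allow</key><false/>
</dict>
</plist>
"""


def parse_entitlements(blob: bytes) -> dict:
    """Parse codesign's entitlement output into a dict.

    Older codesign builds prefix the XML with a binary blob header, so
    anything before the '<?xml' declaration is discarded. An empty or
    non-XML blob (unsigned bundle, no entitlements) yields {}.
    """
    start = blob.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(blob[start:])


def risky_entitlements(ents: dict) -> list[tuple[str, str]]:
    """Return (key, reason) for every risky entitlement that is set to true."""
    return [(k, why) for k, why in RISKY_ENTITLEMENTS.items()
            if ents.get(k) is True]


def sample_app(bundle_path: str) -> list[tuple[str, str]]:
    """Run the real codesign invocation against a bundle (macOS only)."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", bundle_path],
        capture_output=True, check=False,
    )
    # codesign writes the entitlements to stdout and diagnostics to stderr.
    return risky_entitlements(parse_entitlements(out.stdout))


if __name__ == "__main__":
    for key, why in risky_entitlements(parse_entitlements(SAMPLE_ENTITLEMENTS)):
        print(f"{key}: {why}")
```

A bundle that sets a key to `<false/>` is not a finding; the check tests for `True` explicitly rather than for key presence, which is the mistake that makes naive entitlement greps noisy.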
[SpecterOps SO-CON 2025 — Modern macOS Red Teaming](https://github.com/SpecterOps/presentations/)
Informs `checks/deck_export.py`. The eight check themes (SystemConfiguration preferences, Time Machine plist, zsh sessions, kubeconfig, Docker, Parallels, Homebrew, OpenVPN) are structured around this presentation's red-team framework. The `APPLEPY_DECK_EXPORT_TXT` environment variable loads a reference export from the talk.
[SpecterOps/JamfHound](https://github.com/SpecterOps/JamfHound)
Informs `reporters/graph_json.py` and `graph_validate.py`. The JamfHound v1.1.2 OpenGraph schema is reproduced so that `graph_findings.json` can be ingested directly into BloodHound CE with the Jamf extension installed.
[ReversecLabs/Jamf-Attack-Toolkit](https://github.com/ReversecLabs/Jamf-Attack-Toolkit)
Informs `checks/mdm/jamf.py`. The credential pattern set (`_CRED_PATTERNS`) and extension attribute cache enumeration are drawn from this research. The toolkit itself is not bundled; an informational finding notes its scope when the Jamf agent is detected.
[kandji-inc/security-toolkit](https://github.com/kandji-inc/security-toolkit)
Informs `checks/mdm/kandji.py`. Application Support paths, LaunchAgent names, preference keys, and helper binary paths used in the Kandji local posture checks are sourced from this project.
[RedFoxSec — macOS Privilege Escalation](https://www.redfoxsec.com/blog/macos-security-privilege-escalation)
Informs `checks/privesc.py`. All five checks (sudoers NOPASSWD, unexpected SUID/SGID binaries, writable LaunchDaemon binaries, writable PATH directories, and high-risk TCC permissions) implement techniques documented in this article.
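Two of the five checks listed above, as an added example rather than ApplePY's own `checks/privesc.py`: a parser for `NOPASSWD` rules in sudoers text and a scan for PATH directories an attacker could plant a binary in. The sudoers sample is constructed; the PATH check runs against real directories, so it works on any Unix host, not only macOS. The regex covers the common single-line rule shape and is an assumption; it does not handle `sudoers` line continuations or aliases.

```python
"""sudoers NOPASSWD and writable-PATH checks (added example)."""
import os
import re
import stat

# Constructed sudoers content for the example; not taken from any host.
SUDOERS_SAMPLE = """\
# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/local/bin/backup.sh
alice ALL=(root) NOPASSWD: ALL
"""

# user host=(runas) NOPASSWD: cmd[, cmd...]
_NOPASSWD = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*NOPASSWD:\s*(?P<cmds>.+)$"
)


def nopasswd_entries(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (user_or_group, runas, [commands]) for every NOPASSWD rule.

    Every hit is worth a finding: 'ALL' is a direct root shell, and a
    specific command is only as safe as its ability to spawn a shell
    (vim, less, find and friends all can).
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = _NOPASSWD.match(line)
        if m:
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            findings.append((m.group("who"), m.group("runas"), cmds))
    return findings


def writable_path_dirs(path_value: str) -> list[tuple[str, str]]:
    """Flag PATH entries that allow search-order hijacking.

    A world-writable directory, or one the current user can write to but
    does not own, lets an attacker drop a binary that shadows a command
    run by a more privileged user. An empty entry means the current
    working directory and is reported too.
    """
    me = os.geteuid()
    hits = []
    for d in path_value.split(os.pathsep):
        if d == "":
            hits.append(("", "empty PATH entry (current directory)"))
            continue
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue  # a missing directory is harmless unless its parent is writable
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            hits.append((d, "world-writable"))
        elif st.st_uid != me and os.access(d, os.W_OK):
            hits.append((d, "writable by current user but owned by another account"))
    return hits


if __name__ == "__main__":
    for who, runas, cmds in nopasswd_entries(SUDOERS_SAMPLE):
        print(f"NOPASSWD: {who} -> {runas}: {', '.join(cmds)}")
    for d, why in writable_path_dirs(os.environ.get("PATH", "")):
        print(f"PATH: {d or '<empty>'}: {why}")
```

The world-writable test uses the mode bits rather than `os.access`, because `os.access` answers for the scanning user only; a directory that root can write but the scanner cannot is still world-writable and still a hijack target for every other account.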
[Maldev-Academy/ElectronVulnScanner](https://github.com/Maldev-Academy/ElectronVulnScanner)
Informs `checks/electron.py`. ASAR archive detection and writable parent directory inspection for Electron-based `.app` bundles follow the attack pattern documented here.
[LOOBins](https://www.loobins.io/)
Informs `checks/catalogues.py`. The live `loobins.json` feed is fetched with a disk cache and a bundled JSON fallback. Entries are cross-referenced against binaries on `PATH` to produce per-binary findings.
[GTFOBins](https://gtfobins.org/)
Informs `checks/catalogues.py`. The live `api.json` feed is fetched with a disk cache. macOS-platform entries are matched against on-host binaries and summarised in a capped findings row. CC BY-SA 4.0.
[lolapps-project](https://lolapps-project.github.io/)
Informs `checks/catalogues.py`. Application names from the public list are checked for presence under `/Applications` and `~/Applications`.
[lottunnels](https://lottunnels.github.io/)
Informs `checks/catalogues.py`. Tunnelling tool names from the public list are checked for presence on `PATH` and under `/Applications`.
[MITRE ATT&CK](https://attack.mitre.org/)
Informs `Finding.mitre_techniques` and `checks/mitre.py`. Technique IDs are attached to every finding where applicable and expanded into a dedicated MITRE worksheet in the XLSX report with links to each technique page.
[PyObjC](https://github.com/ronaldoussoren/pyobjc)
Informs `checks/pyobjc_surface.py`. `NSWorkspace.sharedWorkspace().runningApplications()` is used for running process enumeration. Required dependency when running on macOS. MIT licence.

---

This project does not bundle proprietary Jamf, Kandji, or Apple software.