Stealing Chrome Cookies

Cookies are the keys to the kingdom - In today’s enterprise and consumer environments, Single Sign-On (SSO) and SaaS applications dominate the web landscape. These platforms heavily rely on session cookies to maintain persistent authenticated states across multiple services and domains.

As a result, post-authentication session cookies have become highly valuable targets for attackers. With the proliferation of U2F MFA adversaries are focussing on the user’s browser as a post-compromise foothold seeking to extract cookies and tokens that grant ongoing access to sensitive systems without triggering additional authentication.

Read more →

macOS DMG Malware

As macOS endpoint controls continue to evolve, adversaries are consistently adapting their TTPs to defeat Apple’s ever-changing security frameworks. Although .dmg files remain a popular initial access vector, the traditional “right-click and open” method has become largely ineffective—especially with the security enhancements introduced in macOS Sequoia.

This analysis delves into some contemporary disk-image malware campaigns, their execution primitives and obfuscation techniques.

Read more →

Santa File Access Authorization

In the evolving landscape of macOS security, NorthPoleSec’s Santa has earned a solid reputation as a flexible and lightweight endpoint security tool. Originally developed by Google, Santa acts as a binary whitelisting/blacklisting system, but in recent iterations, it also provides incredibly powerful features including file-access authorization. This lesser-known feature is a game-changer for protecting sensitive data on disk, such as session tokens, SSH keys, and browser cookies.

In this post, we’ll take a look at how Santa’s file access authorization mechanism works and how you can configure it to prevent common threat actor behaviors on macOS endpoints.

Read more →