(
args.exists(arg, arg == "-create" || arg == "create") &&
args.join(" ").contains("/Users/")
) && (
args.join(" ").contains("$(") ||
args.join(" ").contains("`") ||
args.join(" ").contains("${") ||
args.join(" ").matches(".*\\$[A-Za-z_].*")
) ? BLOCKLIST : ALLOWLIST
An example Santa FAA rule that prevents Spotlight importers from being added, to stop Patrick Wardle's persistence trick and Sploitlight (CVE-2025-31199)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Version</key>
<string>Lockdown Spotlight importers</string>
<key>WatchItems</key>
# Description: Convert Santa JSON rules to static rules
#
#$ python3 ./json-rules-to-static-rules.py --help
#usage: json-rules-to-static-rules.py [-h] input output
#
#Convert Santa JSON rules to static rules
#
#positional arguments:
# input Input JSON file
# output Output file
In order to clarify the intellectual property license granted with Contributions from any person or entity, North Pole Security, Inc. ("North Pole Security") must have a Contributor License Agreement ("CLA") on file that has been signed by each Contributor, indicating agreement to the license terms below. This license is for your protection as a Contributor as well as the protection of North Pole Security; it does not change your rights to use your own Contributions for any other purpose. You accept and agree to the following terms and conditions for Your present and future Contributions submitted to North Pole Security. Except for the license granted herein to North Pole Security and recipients of software distributed by North Pole Security, You reserve all right, title, and interest in and to Your Contributions.
- Definitions. "You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is maki
All of these diagrams are dynamically rendered by GitHub during HTML display; the images are generated from text inside the GitHub-Flavored Markdown. None are static images. Mermaid support was released for GitHub on 2022-02-14.
Pros & Cons:
- Pro: You don't need to care about the layout.
- Con: You cannot control the layout.
Notes:
- Not all the features of Mermaid (in particular symbols `B-->C[fa:fa-ban forbidden]`, hyperlinks and tooltips) are supported by GitHub.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ubuntu23:/home/user# vim foo.bat
Error detected while processing /usr/share/vim/vim90/defaults.vim:
line 1:
E492: Not an editor command: ^?ELF^B^A^A
line 2:
E492: Not an editor command: <fa>^A
line 9:
E492: Not an editor command: )^B
line 11:
// =============================================================================
// XNU kperf/kpc demo
// Available for 64-bit Intel/Apple Silicon, macOS/iOS, with root privileges
//
//
// Demo 1 (profile a function in current thread):
// 1. Open directory '/usr/share/kpep/', find your CPU PMC database.
// For M1 (Pro/Max), the database file is '/usr/share/kpep/a14.plist'.
// 2. Select a few events that you are interested in,
// add their names to the `profile_events` array below.
// simplevm.c: demonstrates Hypervisor.Framework usage in Apple Silicon
// Based on the work by @zhuowei
// @imbushuo - Nov 2020
// To build:
// Prepare the entitlement with BOTH com.apple.security.hypervisor and com.apple.vm.networking WHEN SIP IS OFF
// Prepare the entitlement com.apple.security.hypervisor and NO com.apple.vm.networking WHEN SIP IS ON
// ^ Per @never_released, tested on 11.0.1, idk why
// clang -o simplevm -O2 -framework Hypervisor -mmacosx-version-min=11.0 simplevm.c
// codesign --entitlements simplevm.entitlements --force -s - simplevm
#include <stdio.h>
#include <linux/version.h>
#include <sys/utsname.h>
/*
 * from rhel7's linux/version.h:
 * #define LINUX_VERSION_CODE 199168
 * #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
 */
