Pete Markowsky

@plm.bsky.social

Cofounder & CEO @northpolesec.bsky.social Prev: @google working on Security Agents including Santa. Cofounder and Chief Architect @capsule8 (tweets are my own.) Personal Blog: https://blog.markowsky.us Company Website: https://northpole.security

206 Followers  |  193 Following  |  86 Posts  |  Joined: 22.06.2023  |  1.8798

Latest posts by plm.bsky.social on Bluesky

CEL has a lot of features and is often a good way to remove unneeded functionality, e.g. preventing users from running Electron apps with --inspect or Chrome with remote debugging.

You can also block env vars so if you need to stop the DYLD_ env vars you can.

More CEL functionality to come.

24.12.2025 13:22 — 👍 0    🔁 0    💬 0    📌 0

A fun little entry where we can use network extension entitlements to flag remote access tools and VPNs.

macOS entitlements are kinda slept on for detection & prevention

It's not a silver bullet, but it certainly gets you a lot of coverage without maintaining a list.

23.12.2025 14:04 — 👍 1    🔁 0    💬 0    📌 0

Other fun things we posted over the weekend @northpolesec.bsky.social

- Day 21: macOS insecurity - blocking dump-keychain

northpole.security/blog/2025-ad...

- Day 20: Where's the remote - blocking users from enabling SSH & remote apple events via systemsetup

northpole.security/blog/2025-ad...

22.12.2025 14:31 — 👍 0    🔁 0    💬 0    📌 0

This is another old one & a classic from @theevilbit.bsky.social's Beyond Good Ol' LaunchAgents theevilbit.github.io/beyond/beyon...

Workshop and Santa's File access rules were built to allow you to lock down directories like this to just the apps that need it & quickly get legitimate approvals.

22.12.2025 14:25 — 👍 0    🔁 0    💬 0    📌 0

This is probably the most common, known & least stealthy option for malware to persist

This year Kristin Smith gave a solid talk at BSides Canberra on using models & our file access rules to find anomalous creation of LaunchDaemons

You can see the talk here youtube.com/watch?v=YJWf...

12.12.2025 12:18 — 👍 1    🔁 0    💬 0    📌 0

This is an oldie but can still be relevant.

@theevilbit.bsky.social calls it out directly in his blog series Beyond Good Ol' LaunchAgents theevilbit.github.io/beyond/beyon...

11.12.2025 14:25 — 👍 0    🔁 0    💬 0    📌 0

This is a super common technique for infostealers e.g. Huntress blogged about this yesterday

www.huntress.com/blog/amos-st...

just blogged about AMOS doing this yesterday, after tricking users into installing their malware via AI-generated instructions to use bash and curl.

10.12.2025 13:46 — 👍 0    🔁 0    💬 0    📌 0

Always enjoy your set lists. Thanks

10.12.2025 13:43 — 👍 1    🔁 0    💬 1    📌 0

One thing I like about our system is that it's easy to make these kinda trip wires where you can lock these things down. But quickly make an exception if you need to allow something and then dial it back off.

08.12.2025 15:22 — 👍 0    🔁 0    💬 0    📌 0
08.12.2025 12:17 — 👍 0    🔁 0    💬 0    📌 0

This is another simple but powerful control. You almost never need to disable Gatekeeper. And if you do you should be able to handle that on a case by case basis.

07.12.2025 14:25 — 👍 0    🔁 0    💬 0    📌 0

Stopping things like infostealers by locking down the cookie jar to just the signed browser processes is a simple but powerful control

While Chrome is working on Device Bound Session Credentials (DBSC), you can deploy this today.

Also if you use another browser like Firefox, it'll still work.

06.12.2025 14:05 — 👍 1    🔁 1    💬 0    📌 0

This is a great feature that I'm using daily.

Honestly feels like we found a solid way to close the "monitor mode is always on for devs" gap.

Super proud of the team @northpolesec.bsky.social for landing this

01.12.2025 12:47 — 👍 2    🔁 0    💬 0    📌 0

What about the imaginary CISO?

24.10.2025 01:00 — 👍 4    🔁 0    💬 0    📌 0

Will be curious to get your thoughts on it. The soundtrack is great.

But something feels off about it for me.

11.10.2025 19:57 — 👍 2    🔁 0    💬 1    📌 0

Join us in celebrating North Pole Security's first anniversary! 🎉

Reflect on a year of innovation, growth, & unwavering commitment to livable security with Santa and Workshop. Read about our journey and what's next! #FirstAnniversary #Santa #Workshop

northpole.security/blog/one-yea...

09.10.2025 17:45 — 👍 0    🔁 1    💬 0    📌 0
30.08.2025 14:04 — 👍 2    🔁 0    💬 0    📌 0
m.media-amazon.com/images/I/71m...

03.08.2025 20:58 — 👍 1    🔁 0    💬 1    📌 0

Headed to hacker summer camp looking forward to seeing people and sharing @northpolesec.bsky.social’s Workshop with people.

03.08.2025 14:42 — 👍 1    🔁 0    💬 0    📌 0

Tbh I did it because it seems to get the word out to folks who’ve split from Twitter, to Bluesky and Mastodon.

LinkedIn seems to be one of the few common spots.

Also I’m stuck on the plane.

03.08.2025 14:40 — 👍 0    🔁 0    💬 1    📌 0

In case you see me. Yes this is why I look so exhausted. 😂

31.07.2025 16:04 — 👍 2    🔁 0    💬 0    📌 0

It's not just one release, it's two!

31.07.2025 16:04 — 👍 2    🔁 0    💬 1    📌 0

It's been an 11 month journey to build Workshop, the integrated backend Santa always deserved

Lots of things we'd always wanted at Google are now real

The MVP's already powerful & we're just getting started

Thank you to Zane & the team at A16Z, Royal Hansen and the team @northpolesec.bsky.social

30.07.2025 14:48 — 👍 2    🔁 0    💬 0    📌 0
Santa FAA rule to prevent spotlight plugins from being registered - sploitlight.md

I made this gist gist.github.com/pmarkowsky/9... to show how @northpolesec.bsky.social Santa FAA rules lock down the Spotlight importers used in Sploitlight microsoft.com/en-us/securi... & @theevilbit.bsky.social's persistence trick.

I also added an example rule for blocking access to the DBs.

29.07.2025 16:21 — 👍 1    🔁 0    💬 0    📌 0

Going to be attending @bsideslv.org and around. Summer camp.

If you’re around say hello.

24.07.2025 12:14 — 👍 0    🔁 0    💬 0    📌 0

This was a big release. Getting CEL in opens up so many possibilities and like all good things it's a take what you need.

Really looking forward to seeing what people do with this.

08.07.2025 13:36 — 👍 1    🔁 0    💬 0    📌 0

Lots of great features in 2025.5.

Santa is now easier to use without having to drop to the command line.

Be sure to check out the videos in the 🧵

29.05.2025 13:13 — 👍 0    🔁 0    💬 0    📌 0

It’s something that feels like the sci-fi future media promised us as kids

14.05.2025 10:07 — 👍 1    🔁 0    💬 0    📌 0

Yikes. Got any other FRs? Asking for a friend…

11.05.2025 19:43 — 👍 0    🔁 0    💬 0    📌 0

Have to admit it's exciting to see years of work coming together.

08.05.2025 14:05 — 👍 0    🔁 0    💬 0    📌 0
