{"id":11002,"date":"2020-07-23T16:42:45","date_gmt":"2020-07-23T11:12:45","guid":{"rendered":"http:\/\/kalilinuxtutorials.com\/?p=11002"},"modified":"2020-07-23T16:42:45","modified_gmt":"2020-07-23T11:12:45","slug":"santa","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/santa\/","title":{"rendered":"Santa : A Binary Whitelisting\/Blacklisting System For macOS"},"content":{"rendered":"\n<p><strong>Santa <\/strong>is a binary authorization system for macOS. It consists of a kernel extension (or a system extension on macOS 10.15+) that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.<\/p>\n\n\n\n<p>It is named Santa because it keeps track of binaries that are naughty or nice.<\/p>\n\n\n\n<p>Santa is a project of Google&#8217;s Macintosh Operations Team.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Docs<\/strong><\/p>\n\n\n\n<p>The Santa docs are stored in the <a href=\"https:\/\/github.com\/google\/santa\/blob\/master\/docs\">Docs<\/a> directory. 
A Read the Docs instance is available here: <a href=\"https:\/\/santa.readthedocs.io\">https:\/\/santa.readthedocs.io<\/a>.<\/p>\n\n\n\n<p>The docs include deployment options, details on how parts of Santa work and instructions for developing Santa itself.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Get Help<\/strong><\/p>\n\n\n\n<p>If you have questions or otherwise need help getting started, the <a href=\"https:\/\/groups.google.com\/forum\/#!forum\/santa-dev\">santa-dev<\/a> group is a great place to ask.<\/p>\n\n\n\n<p>If you believe you have a bug, feel free to report <a href=\"https:\/\/github.com\/google\/santa\/issues\">an issue<\/a> and we&#8217;ll respond as soon as we can.<\/p>\n\n\n\n<p>If you believe you&#8217;ve found a vulnerability, please read the <a href=\"https:\/\/github.com\/google\/santa\/security\/policy\">security policy<\/a> for disclosure reporting.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Admin-Related Features<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Multiple modes: In the default MONITOR mode, all binaries except those marked as blocked will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only listed binaries are allowed to run.<\/li><li>Event logging: When the kext is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.<\/li><li>Certificate-based rules, with override levels: Instead of relying on a binary&#8217;s hash (or &#8216;fingerprint&#8217;), executables can be allowed\/blocked by their signing certificate. You can therefore allow\/block all binaries by a given publisher that were signed with that cert across version updates. 
A binary can only be allowed by its certificate if its signature validates correctly, but a rule for a binary&#8217;s fingerprint will override a decision for a certificate; i.e., you can allowlist a certificate while blocking a binary signed with that certificate, or vice-versa.<\/li><li>Path-based rules (via NSRegularExpression\/ICU): This provides a feature similar to Application Launch Restrictions (via the mcxalr binary) in Managed Client, the precursor to configuration profiles, which used the same implementation mechanism. This implementation carries the added benefit of being configurable via regex, and not relying on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precedence.<\/li><li>Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore automatically allowed. This does not affect binaries from Apple&#8217;s App Store, which use various certs that change regularly for common apps. Likewise, you cannot block Santa itself, and Santa uses a separate cert from other Google apps.<\/li><\/ul>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Intentions &amp; Expectations<\/strong><\/p>\n\n\n\n<p>No single system or process will stop <em>all<\/em> attacks, or provide 100% security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about their system. As a centrally managed component, Santa can help stop the spread of malware among a large fleet of machines. 
Independently, Santa can aid in analyzing what is running on your computer.<\/p>\n\n\n\n<p>Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Security &amp; Performance-Related Features<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>In-kernel caching: allowed binaries are cached in the kernel so the processing required to make a request is only done if the binary isn&#8217;t already cached.<\/li><li>Userland components validate each other: the userland components (the daemon, the GUI agent and the command-line utility) communicate with each other using XPC and check that their signing certificates are identical before any communication is accepted.<\/li><li>Kext uses only KPIs: the kernel extension only uses provided kernel programming interfaces to do its job. This means that the kext code should continue to work across OS versions.<\/li><\/ul>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Known Issues<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Santa only blocks execution (execve and variants); it doesn&#8217;t protect against dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or libraries loaded using DYLD_INSERT_LIBRARIES. As of version 0.9.1 we do address the missing __PAGEZERO issues that were exploited in some versions of macOS. We are working on also protecting against similar avenues of attack.<\/li><li>Kext communication security: the kext will only accept a connection from a single client at a time, and that client must be running as root. We haven&#8217;t yet found a good way to ensure the kext only accepts connections from a valid client.<\/li><li>Database protection: the SQLite database is installed with permissions so that only the root user can read\/write it. 
We&#8217;re considering approaches to secure this further.<\/li><li>Scripts: Santa is currently written to ignore any execution that isn&#8217;t a binary. This is because, after weighing the administration cost against the benefit, we found it wasn&#8217;t worthwhile. Additionally, a number of applications make use of temporary generated scripts, which we can&#8217;t possibly allowlist, and not doing so would cause problems. We&#8217;re happy to revisit this (or at least make it an option) if it would be useful to others.<\/li><\/ul>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Sync Servers<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The <code><strong>santactl<\/strong><\/code> command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the machine and downloads new rules. There are several open-source servers you can sync with:<ul><li><a href=\"https:\/\/github.com\/google\/upvote\">Upvote<\/a> &#8211; An AppEngine-based server that implements social voting to make managing a large fleet easier.<\/li><li><a href=\"https:\/\/github.com\/groob\/moroz\">Moroz<\/a> &#8211; A simple golang server that serves hardcoded rules from simple configuration files.<\/li><li><a href=\"https:\/\/github.com\/zentralopensource\/zentral\/wiki\">Zentral<\/a> &#8211; A centralized service that pulls data from multiple sources and deploys configurations to multiple services.<\/li><\/ul><\/li><li>Alternatively, <code><strong>santactl<\/strong><\/code> can configure rules locally (without a sync server).<\/li><\/ul>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Kext Signing<\/strong><\/p>\n\n\n\n<p>Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided Developer ID certificate with a kernel extension flag. 
Without it, the only way to load an extension is to enable kext-dev-mode or disable SIP, depending on the OS version.<\/p>\n\n\n\n<p>There are two possible solutions for this, for distribution purposes:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Use a <a href=\"https:\/\/github.com\/google\/santa\/releases\">pre-built, pre-signed version<\/a> of the kext that we supply. Each time changes are made to the kext code, we will update the pre-built version for you to use. This doesn&#8217;t prevent you from making changes to the non-kext parts of Santa and distributing those. If you make changes to the kext and make a pull request, we can merge them in and distribute a new version of the pre-signed kext.<\/li><li>Apply for your own <a href=\"https:\/\/developer.apple.com\/contact\/kext\/\">kext signing certificate<\/a>. Apple will only grant this for broad distribution within an organization; they won&#8217;t issue one just for testing purposes.<\/li><\/ol>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Disclaimer<\/strong><\/p>\n\n\n\n<p>This is <strong>not<\/strong> an official Google product.<\/p>\n\n\n\n<div class=\"wp-block-buttons aligncenter is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-background has-vivid-cyan-blue-background-color\" href=\"https:\/\/github.com\/google\/santa\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Santa is a binary authorization system for macOS. 
It consists of a kernel extension (or a system extension on macOS 10.15+) that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":16413,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png","fifu_image_alt":"Santa : A Binary Whitelisting\/Blacklisting System For macOS","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[394,1966,2931,3679],"class_list":["post-11002","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-blacklisting","tag-macos","tag-santa","tag-whitelisting"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Santa : A Binary Whitelisting\/Blacklisting System For macOS<\/title>\n<meta name=\"description\" content=\"Santa is a binary authorization system for macOS. It consists of a kernel extension (or a system extension on macOS 10.15+) that monitors for executions\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/santa\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Santa : A Binary Whitelisting\/Blacklisting System For macOS\" \/>\n<meta property=\"og:description\" content=\"Santa is a binary authorization system for macOS. 
It consists of a kernel extension (or a system extension on macOS 10.15+) that monitors for executions\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/santa\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-23T11:12:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"Santa : A Binary Whitelisting\/Blacklisting System For macOS\",\"datePublished\":\"2020-07-23T11:12:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/\"},\"wordCount\":1168,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png\",\"keywords\":[\"Blacklisting\",\"MacOS\",\"Santa\",\"Whitelisting\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/santa\/\",\"name\":\"Santa : A Binary Whitelisting\/Blacklisting System For macOS\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png\",\"datePublished\":\"2020-07-23T11:12:45+00:00\",\"description\":\"Santa is a binary authorization system for macOS. 
It consists of a kernel extension (or a system extension on macOS 10.15+) that monitors for executions\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/santa\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/santa\/#primaryimage\",\"url\":\"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png\",\"contentUrl\":\"https:\/\/1.bp.blogspot.com\/-Wm6WtYEMSmc\/XxQxirsxx7I\/AAAAAAAAG7g\/IOWa26_sz3ArlIrpXXnDVLkTHxZZIeM9QCLcBGAsYHQ\/s1600\/1.png\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux 
Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}