diff --git a/.gitbook/assets/image (711).png b/.gitbook/assets/image (711).png
new file mode 100644
index 000000000..0deb44652
Binary files /dev/null and b/.gitbook/assets/image (711).png differ
diff --git a/.gitbook/assets/image (712).png b/.gitbook/assets/image (712).png
new file mode 100644
index 000000000..0deb44652
Binary files /dev/null and b/.gitbook/assets/image (712).png differ
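Review bot: `image (711).png` and `image (712).png` are added with the same blob index (`0deb44652`), so they are byte-identical copies; add one asset and reference it from both places instead of committing the duplicate.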
diff --git a/SUMMARY.md b/SUMMARY.md
index f5c780dd9..feb05f31e 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -151,6 +151,7 @@
* [macOS Kernel & System Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
* [macOS IOKit](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md)
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
+ * [macOS Kernel Vulnerabilities](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md)
* [macOS System Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md)
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
* [macOS File Extension & URL scheme app handlers](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
index 37e35a5c0..66b86d42d 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -12,43 +12,37 @@
-## Información básica
+## Basic Information
-Las extensiones de kernel (Kexts) son **paquetes** con extensión **`.kext`** que se **cargan directamente en el espacio del kernel** de macOS, proporcionando funcionalidades adicionales al sistema operativo principal.
+Kernel extensions (Kexts) are **packages** with a **`.kext`** extension that are **loaded directly into the macOS kernel space**, providing additional functionality to the main operating system.
-### Requisitos
+### Requirements
-Obviamente, esto es tan poderoso que es complicado cargar una extensión de kernel. Estos son los requisitos que debe cumplir una extensión de kernel para ser cargada:
+Obviously, this is so powerful that it is **complicated to load a kernel extension**. These are the **requirements** that a kernel extension must meet to be loaded:
-* Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**:
+* When **entering recovery mode**, kernel **extensions must be allowed** to be loaded:
-* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita.
-* La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware.
-* Luego, el **usuario root** es el que puede cargar la extensión de kernel y los archivos dentro del paquete deben pertenecer a root.
-* Durante el proceso de carga, el paquete debe ser preparado en una ubicación protegida sin raíz: `/Library/StagedExtensions` (requiere la concesión `com.apple.rootless.storage.KernelExtensionManagement`)
-* Finalmente, al intentar cargarlo, el [**usuario recibirá una solicitud de confirmación**](https://developer.apple.com/library/archive/technotes/tn2459/\_index.html) y, si se acepta, la computadora debe **reiniciarse** para cargarlo.
+* The kernel extension must be **signed with a kernel code signing certificate**, which can only be **granted by Apple**. Who will review in detail the company and the reasons why it is needed.
+* The kernel extension must also be **notarized**, Apple will be able to check it for malware.
+* Then, the **root** user is the one who can **load the kernel extension** and the files inside the package must **belong to root**.
+* During the upload process, the package must be prepared in a **protected non-root location**: `/Library/StagedExtensions` (requires the `com.apple.rootless.storage.KernelExtensionManagement` grant).
+* Finally, when attempting to load it, the user will [**receive a confirmation request**](https://developer.apple.com/library/archive/technotes/tn2459/\_index.html) and, if accepted, the computer must be **restarted** to load it.
-### Proceso de carga
+### Loading process
-En Catalina era así: Es interesante destacar que el proceso de **verificación** ocurre en **userland**. Sin embargo, solo las aplicaciones con la concesión **`com.apple.private.security.kext-management`** pueden **solicitar al kernel** que **cargue una extensión:** kextcache, kextload, kextutil, kextd, syspolicyd
+In Catalina it was like this: It is interesting to note that the **verification** process occurs in **userland**. However, only applications with the **`com.apple.private.security.kext-management`** grant can **request the kernel to load an extension**: `kextcache`, `kextload`, `kextutil`, `kextd`, `syspolicyd`
-1. **`kextutil`** cli **inicia** el proceso de verificación para cargar una extensión
+1. **`kextutil`** cli **starts** the **verification** process for loading an extension
+ * It will talk to **`kextd`** by sending using a **Mach service**.
+2. **`kextd`** will check several things, such as the **signature**
+ * It will talk to **`syspolicyd`** to **check** if the extension can be **loaded**.
+3. **`syspolicyd`** will **prompt** the **user** if the extension has not been previously loaded.
+ * **`syspolicyd`** will report the result to **`kextd`**
+4. **`kextd`** will finally be able to **tell the kernel to load** the extension
-* Hablará con **`kextd`** enviando usando un servicio Mach
-
-2. **`kextd`** comprobará varias cosas, como la firma
-
-* Hablará con **`syspolicyd`** para comprobar si se puede cargar la extensión
-
-3. **`syspolicyd`** **preguntará** al **usuario** si la extensión no se ha cargado previamente
-
-* **`syspolicyd`** indicará el resultado a **`kextd`**
-
-4. **`kextd`** finalmente podrá indicar al **kernel que cargue la extensión**
-
-Si kextd no está disponible, kextutil puede realizar las mismas comprobaciones.
+If **`kextd`** is not available, **`kextutil`** can perform the same checks.
## Referencias
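Review bot: several bullets in the Requirements list are mistranslated in a way that changes the technical meaning. "protected non-root location" for `/Library/StagedExtensions` should read "SIP-protected (rootless) location", since the Spanish "sin raíz" refers to rootless/SIP, and `com.apple.rootless.storage.KernelExtensionManagement` is an entitlement, not a "grant" (the same applies to `com.apple.private.security.kext-management` in the Loading process paragraph). "During the upload process" should be "During the loading process", and the fragment "Who will review in detail the company and the reasons why it is needed." should be joined to the previous sentence, e.g. "which can only be granted by Apple, who will review in detail the company and the reasons it is needed." The trailing context line `## Referencias` is still Spanish and should become `## References` in the same translation pass.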
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
new file mode 100644
index 000000000..e69f026cc
--- /dev/null
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
@@ -0,0 +1,30 @@
+# macOS Kernel Vulnerabilities
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
+* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com)
+* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live).
+* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## [Pwning OTA](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/)
+
+[**In this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) are explained several vulnerabilities that allowed to compromised the kernel compromising the software updater.\
+[**PoC**](https://github.com/jhftss/POC/tree/main/CVE-2022-46722).
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
+* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com)
+* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live).
+* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
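Review bot: the new English page keeps the Spanish sponsor banner (the two `¿Trabajas en una empresa de ciberseguridad?` blocks), so the header and footer do not match the English title and body; swap in the English banner used by the other English pages. The sentence "allowed to compromised the kernel compromising the software updater" should read "allowed compromising the kernel by compromising the software updater". The CVE identifier appears only in the PoC URL; naming it in the text (and which macOS versions were fixed) would make the entry searchable.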
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
index 98066d828..364f157cc 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
@@ -84,6 +84,32 @@ The MRT application is located in **`/Library/Apple/System/Library/CoreServices/
**macOS** now **alerts** every time a tool uses a well known **technique to persist code execution** (such as Login Items, Daemons...), so the user knows better **which software is persisting**.
+
+
+This runs with a **daemon** located in `/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd` and the **agent** in `/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app`
+
+The way **`backgroundtaskmanagementd`** knows something is installed in a persistent folder is by **getting the FSEvents** and creating some **handlers** for those.
+
+Moreover, there is a plist file that contains **well known applications** that frequently persists maintained by apple located in: `/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/attributions.plist`
+
+```json
+[...]
+"us.zoom.ZoomDaemon" => {
+ "AssociatedBundleIdentifiers" => [
+ 0 => "us.zoom.xos"
+ ]
+ "Attribution" => "Zoom"
+ "Program" => "/Library/PrivilegedHelperTools/us.zoom.ZoomDaemon"
+ "ProgramArguments" => [
+ 0 => "/Library/PrivilegedHelperTools/us.zoom.ZoomDaemon"
+ ]
+ "TeamIdentifier" => "BJ4HAAB9B3"
+ }
+[...]
+```
+
+### Enumeration
+
It's possible to **enumerate all** the configured background items running the Apple cli tool:
```bash
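Review bot: the `attributions.plist` excerpt is fenced as `json` but the content is a `key => value` dump, not JSON, so syntax highlighting will render it as broken; use an untagged fence or the tool's own output format. Also "well known applications that frequently persists maintained by apple" should read "well-known applications that frequently persist, maintained by Apple", and the daemon/agent paths sentence needs a closing period.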
@@ -102,8 +128,38 @@ xattr -rc dumpBTM # Remove quarantine attr
This information is being stored in **`/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v4.btm`** and the Terminal needs FDA.
-You can find more information:
+### Messing with BTM
+When a new persistence is found an event of type **`ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD`**. So, any way to **prevent** this **event** from being sent or the **agent from alerting** the user will help an attacker to _**bypass**_ BTM.
+
+* **Reseting the database**: Running the following command will reset the database (should rebuild it from the ground), however, for some reason, after running this, **no new persistence will be alerted until the system is rebooted**.
+ * **root** is required.
+
+```bash
+# Reset the database
+sfltool resettbtm
+```
+
+* **Stop the Agent**: It's possible to send a stop signal to the agent so it **won't be alerting the user** when new detections are found.
+
+```bash
+# Get PID
+pgrep BackgroundTaskManagementAgent
+1011
+
+# Stop it
+kill -SIGSTOP 1011
+
+# Check it's stopped (a T means it's stopped)
+ps -o state 1011
+T
+```
+
+* **Bug**: If the **process that created the persistence exists fast right after it**, the daemon will try to **get information** about it, **fail**, and **won't be able to send the event** indicating that a new thing is persisting.
+
+References and **more information about BTM**:
+
+* [https://youtu.be/9hjUmT031tc?t=26481](https://youtu.be/9hjUmT031tc?t=26481)
* [https://www.patreon.com/posts/new-developer-77420730?l=fr](https://www.patreon.com/posts/new-developer-77420730?l=fr)
* [https://support.apple.com/en-gb/guide/deployment/depdca572563/web](https://support.apple.com/en-gb/guide/deployment/depdca572563/web)
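Review bot: the first sentence under "Messing with BTM" is missing its verb: "When a new persistence is found, an event of type `ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD` is sent." Please verify the subcommand spelling in the reset block: Apple's documented subcommand is `sfltool resetbtm` (one `t`), so `sfltool resettbtm` will fail. Minor typos: "Reseting" should be "Resetting", and in the Bug bullet "exists fast right after it" should be "exits right after it". Since the page states the reset leaves the system silent until reboot and that the agent can be stopped, it would help readers to also state what a defender can monitor (for example, an ES client subscribed to the same event type, or the `BackgroundItems-v4.btm` file being rewritten) rather than only how the alerting is suppressed.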
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
index c5fb1e143..2557862e8 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@@ -18,6 +18,14 @@ Note that entitlements starting with **`com.apple`** are not available to third-
## High
+### com.apple.rootless.install.heritable
+
+The entitlement **`com.apple.rootless.install.heritable`** allows to **bypass SIP**. Check [this for more info](macos-sip.md#com.apple.rootless.install.heritable).
+
+### **com.apple.rootless.install**
+
+The entitlement **`com.apple.rootless.install`** allows to **bypass SIP**. Check[ this for more info](macos-sip.md#com.apple.rootless.install).
+
### `com.apple.security.get-task-allow`
This entitlement allows to get the task port of the process run by the binary with this entitlement and **inject code on it**. Check [**this for more info**](../mac-os-architecture/macos-ipc-inter-process-communication/).
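Review bot: the two new headings use inconsistent formatting (`### com.apple.rootless.install.heritable` plain, `### **com.apple.rootless.install**` bold) while the existing entries in this file use backticks, e.g. `### \`com.apple.security.get-task-allow\``; use backticks for both. The link text in the second entry is broken by a misplaced space: "Check[ this for more info]" should be "Check [this for more info]". Both entries say only that the entitlement "allows to bypass SIP"; one clause on the difference between the two (the heritable variant is inherited by child processes) would justify listing them separately.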
@@ -38,6 +46,14 @@ This entitlement allows to **load frameworks, plug-ins, or libraries without bei
This entitlement allows to **use DYLD environment variables** that could be used to inject libraries and code. Check [**this for more info**](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables).
+### com.apple.private.apfs.revert-to-snapshot
+
+TODO: In [**this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) **is mentioned that this could be used to** update the SSV-protected contents after a reboot. If you know how it send a PR please!
+
+### com.apple.private.apfs.create-sealed-snapshot
+
+TODO: In [**this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) **is mentioned that this could be used to** update the SSV-protected contents after a reboot. If you know how it send a PR please!
+
### **`kTCCServiceSystemPolicyAllFiles`**
Gives **Full Disk Access** permissions, one of the TCC highest permissions you can have.
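Review bot: the two new TODO entries (`com.apple.private.apfs.revert-to-snapshot` and `com.apple.private.apfs.create-sealed-snapshot`) carry word-for-word the same placeholder text, so the page gives no way to tell the two entitlements apart; if the cited report does not distinguish them, merge them into one entry until someone can. Grammar: "If you know how it send a PR please!" should read "If you know how it works, please send a PR!". Heading style should match the backtick convention used by the existing entries in this file.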