Brandon Dalton Brandon7CC

## es_coreanalytics_event_subs.js
/*
    Author: Brandon Dalton (Red Canary Threat Research)
    Date: 2023-12-07
    Summary: This script attempts to instrument the `sendEvent:event:` method of the ESCoreAnalytics class.
      - Download this script
      - Target: You're targeting `endpointsecurityd`, so grab its PID: `sudo launchctl list | grep endpointsecurityd`
      - To run: `sudo frida -p $PID -l es_coreanalytics_event_subs.js`
*/

const eventTypeMapping = {

## enumerate_es_client_subscriptions.js
/*
    Author: Brandon Dalton (Red Canary Threat Research)
    Date: 2023-12-07
    Summary: This script enumerates the event subscriptions requested by an arbitrary client
             by hooking the `es_subscribe` function.

    Target: Any arbitrary ES client like an EDR sensor's System Extension
    Usage: `sudo frida -p $(TARGET_CLIENT) -l event_subscription_interceptor.js`
*/

## speak_ollama.sh
function speak_ollama() {
    if ! command -v ollama &> /dev/null; then
        echo "Error: ollama is not installed."
        return 1
    fi

    if [ "$#" -ne 2 ]; then
        echo "Usage: speak_ollama <file_path> <model>"
        return 1
    fi

## gcloud_install.sh
#!/bin/sh
# Set up `gcloud` cli on macOS and Linux

# Check which OS we're on
if [[ "$OSTYPE" == "linux-gnu" ]]; then
  OS="linux"
elif [[ "$OSTYPE" == "darwin"* ]]; then
  OS="darwin"
else
  echo "Unsupported OS: $OSTYPE"

## chrome_page_save.zsh
#!/bin/zsh

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
    --headless --incognito --dump-dom https://github.com > /tmp/github.html

## FileMetadataHelpers.swift
//
//  FileMetadataHelpers.swift
//  FileMetadataHelpers
//
//  Created by Brandon Dalton on 10/7/23.
//

import Foundation

/// Helper functions for working with file metadata.

## SystemConfigurationHelpers.swift
//
//  csr_check.swift
//  csr_check
//
//  Created by Brandon Dalton on 01/11/24.
//
// Compile: `swiftc -import-objc-header SystemConfig-Bridging-Header.h csr_check.swift -o csr_check.o`
//

import Foundation

## lzfse_compress.swift
import Foundation
import Compression
import OSLog

// Compress JSON representation with the Apple recommended compression algo LZFSE
// https://developer.apple.com/documentation/compression/algorithm/lzfse
public func getCompressedJSON(from jsonString: String) -> Data {
    var sourceBuffer = Array(jsonString.utf8)
    let destinationBuffer = UnsafeMutablePointer<UInt8>.allocate(capacity: jsonString.count)
    let algorithm = COMPRESSION_LZFSE

## x2p.c
//
//  x2p.c
//  MachXPC
//
//  Created by Brandon Dalton on 04/09/2024.
//

#include <xpc/xpc.h>
#include <stdio.h>
#include <stdlib.h>

## archive_utility_types.py
#
#  Brandon Dalton
#  Date: 20240828 / Original Red Canary ATH 20240116
#
#  Description: Returns the list of supported file types (CFBundleDocumentTypes) in Archive Utility.app
#  Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/6b00e8f41062da2c424ab4e7ec71bd3ec3a6f112/posix/src/posixath/utils/common.py#L530
#

import os
import json
	/*
	Author: Brandon Dalton (Red Canary Threat Research)
	Date: 2023-12-07
	Summary: This script attempts to instrument the `sendEvent:event:` method of the ESCoreAnalytics class.
	- Download this script
	- Target: You're targeting `endpointsecurityd`, so grab its PID: `sudo launchctl list \| grep endpointsecurityd`
	- To run: `sudo frida -p $PID -l es_coreanalytics_event_subs.js`
	*/

	const eventTypeMapping = {
	/*
	Author: Brandon Dalton (Red Canary Threat Research)
	Date: 2023-12-07
	Summary: This script enumerates the event subscriptions requested by an arbitrary client
	by hooking the `es_subscribe` function.

	Target: Any arbitrary ES client like an EDR sensor's System Extension
	Usage: `sudo frida -p $(TARGET_CLIENT) -l event_subscription_interceptor.js`
	*/
	function speak_ollama() {
	if ! command -v ollama &> /dev/null; then
	echo "Error: ollama is not installed."
	return 1
	fi

	if [ "$#" -ne 2 ]; then
	echo "Usage: speak_ollama <file_path> <model>"
	return 1
	fi
	#!/bin/sh
	# Set up `gcloud` cli on macOS and Linux

	# Check which OS we're on
	if [[ "$OSTYPE" == "linux-gnu" ]]; then
	OS="linux"
	elif [[ "$OSTYPE" == "darwin"* ]]; then
	OS="darwin"
	else
	echo "Unsupported OS: $OSTYPE"
	#!/bin/zsh

	/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
	--headless --incognito --dump-dom https://github.com > /tmp/github.html
	//
	// FileMetadataHelpers.swift
	// FileMetadataHelpers
	//
	// Created by Brandon Dalton on 10/7/23.
	//

	import Foundation

	/// Helper functions for working with file metadata.
	//
	// csr_check.swift
	// csr_check
	//
	// Created by Brandon Dalton on 01/11/24.
	//
	// Compile: `swiftc -import-objc-header SystemConfig-Bridging-Header.h csr_check.swift -o csr_check.o`
	//

	import Foundation
	import Foundation
	import Compression
	import OSLog

	// Compress JSON representation with the Apple recommended compression algo LZFSE
	// https://developer.apple.com/documentation/compression/algorithm/lzfse
	public func getCompressedJSON(from jsonString: String) -> Data {
	var sourceBuffer = Array(jsonString.utf8)
	let destinationBuffer = UnsafeMutablePointer<UInt8>.allocate(capacity: jsonString.count)
	let algorithm = COMPRESSION_LZFSE
	//
	// x2p.c
	// MachXPC
	//
	// Created by Brandon Dalton on 04/09/2024.
	//

	#include <xpc/xpc.h>
	#include <stdio.h>
	#include <stdlib.h>
	#
	# Brandon Dalton
	# Date: 20240828 / Original Red Canary ATH 20240116
	#
	# Description: Returns the list of supported file types (CFBundleDocumentTypes) in Archive Utility.app
	# Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/6b00e8f41062da2c424ab4e7ec71bd3ec3a6f112/posix/src/posixath/utils/common.py#L530
	#

	import os
	import json