CEL has a lot of features and is often a good way to remove unneeded functionality e.g. preventing users to run Electron apps with --inspect or Chrome with remote debugging.
You can also block env vars so if you need to stop the DYLD_ env vars you can.
More CEL functionality to come.
A fun little entry where we can use network extension entitlements to flag remote access tools and VPNs.
macOS entitlements are kinda slept on for detection & prevention
It's not a silver bullet, but it certainly gets you a lot of coverage without maintaining a list.
Other fun things we posted over the weekend @northpolesec.bsky.social
- Day 21: macOS insecurity - blocking dump-keychain
northpole.security/blog/2025-ad...
- Day 20: Where's the remote - blocking users from enabling SSH & remote apple events via systemsetup
northpole.security/blog/2025-ad...
This is another old one & a classic from
@theevilbit.bsky.social's Beyond Good Ol' LaunchAgents theevilbit.github.io/beyond/beyon...
Workshop and Santa's File access rules were built to allow you to lock down directories like this to just the apps that need it & quickly get legitimate approvals.
This is probably the most common, known & least stealthy option for malware to persist
This year Kristin Smith gave a solid talk at BSides Canberra on using models & our file access rules to find anomalous creation LaunchDaemons
You can see the talk here youtube.com/watch?v=YJWf...
This is an oldie but can still be relevant.
@theevilbit.bsky.social calls it out directly in his blog series Beyond Good Ol' LaunchAgents theevilbit.github.io/beyond/beyon...
This is a super common technique for infostealers e.g. Huntress blogged about this yesterday
www.huntress.com/blog/amos-st...
just blogged about AMOS doing this yesterday, after tricking users to install their malware via AI generated instructions to use bash and curl.
Always enjoy your set lists. Thanks
One thing I like about our system is that it's easy to make these kinda trip wires where you can lock these things down. But quickly make an exception if you need to allow something and then dial it back off.
This is another simple but powerful control. You almost never need to disable Gatekeeper. And if you do you should be able to handle that on a case by case basis.
Stopping things like infostealers by locking down the cookie jar to just the signed browser processes is a simple but powerful control
While Chrome is working on Device Bound Session Credentials (DBSC). You can deploy this today.
Also if you use another browser like Firefox, it'll still work.
This is a great feature that I'm using daily.
Honestly feels like we found a solid way to close the monitor mode is always on for devs gap.
Super proud of the team @northpolesec.bsky.social for landing this
What about the imaginary CISO?
Will be curious to get your thoughts on it. The soundtrack is great.
But something feels off about it for me.
Join us in celebrating North Pole Security's first anniversary! 🎉
Reflect on a year of innovation, growth, & unwavering commitment to livable security with Santa and Workshop. Read about our journey and what's next! #FirstAnniversary #Santa #Workshop
northpole.security/blog/one-yea...
m.media-amazon.com/images/I/71m...
Headed to hacker summer camp looking first to seeing people and sharing @northpolesec.bsky.social’s Workshop with people.
Tbh I did it because it seems to get the word out to folks who’ve split from Twitter, to Bluesky and mastodon.
LinkedIn seems to be one of the few common spots.
Also I’m stuck on the plane.
In case you see me. Yes this is why I look so exhausted. 😂
It's not just one release, it's two!
It's been an 11 month journey to build Workshop, the integrated backend Santa always deserved
Lots of things we'd always wanted at Google are now real
The MVP's already powerful & we're just getting started
Thank you to Zane & the team at A16Z, Royal Hansen and the team @northpolesec.bsky.social
I made this gist gist.github.com/pmarkowsky/9... to show how @northpolesec.bsky.social Santa FAA rules lockdown the Spotlight importers used in Sploitlight microsoft.com/en-us/securi... &
@theevilbit.bsky.social's persistence trick.
I also added an example rule for blocking access to the DBs.
Going to be attending @bsideslv.org and around. Summer camp.
If you’re around say hello.
This was a big release. Getting CEL in opens up so many possibilities and like all good things it's a take what you need.
Really looking forward to seeing what people do with this.
Lots of great features in 2025.5.
Santa is now easier to use without having to drop to the command line.
Be sure to check out the videos in the 🧵
It’s something that feels like the sci-fi future media promised us as kids
Yikes. Got any other FRs? Asking for a friend…
Have to admit it's exciting to see years of work coming together.
