Companion to Terra Incognita — Apple Silicon Forensics · v1.0 · Konrad (@unrooted) Klawikowski · 02/06/2026
The wall is also a witness. The same lockdown that denies you the old acquisition options — Target Disk Mode, block-level imaging, chip-off, memory dumps, SEP introspection — is the architecture that signs, caches, logs, and SIP-protects more persistent evidence than Intel ever did.
| #Requires -Version 5.1 | |
| $ErrorActionPreference = 'Stop' | |
| # wsb.exe LOLBAS PoC: truly-headless command execution via Windows Sandbox CLI. | |
| # | |
| # Demonstrates that wsb.exe (Windows 11 24H2+) can run arbitrary commands | |
| # inside a Defender-free sandbox with NO interactive window, NO .wsb file | |
| # on disk, and the abuse signal SPLIT across two separate wsb.exe invocations | |
| # so that naive "single-call detection" rules miss the pattern. | |
| # |
injection - inject into runtime after the boot Windows -> WinPE env. Linux -> initramfs env.
{
"injection": [
{
"image": "/linux.iso",
"archive": "/archives/compressedDepressed.[zip/tar.[gz/bz2/xz/lzma]]"| # If you come from bash you might have to change your $PATH. | |
| export PATH=$HOME/bin:/usr/local/bin:$HOME.local/bin:$PATH | |
| # Path to your oh-my-zsh installation. | |
| export ZSH="/home/viper/.oh-my-zsh" | |
| # export Nix | |
| . /home/viper/.nix-profile/etc/profile.d/nix.sh | |
| export NIX_PATH=$HOME/.nix-defexpr/channels${NIX_PATH:+:}$NIX_PATH |
| ! special | |
| *.foreground: #d2d0ce | |
| *.background: #11100f | |
| *.cursorColor: #d2d0ce | |
| ! black | |
| *.color0: #282a2e | |
| *.color8: #373b41 | |
| ! red |
systemctl list-unit-filessystemctl list-unitssystemctl --failedsystemctl --allsystemctl start [SERVICE_NAME]systemctl stop [SERVICE_NAME]