T1559.003

XPC Services

Adversaries may abuse macOS XPC (Cross-Process Communication) services to execute malicious code with elevated privileges. XPC services provide privilege separation between application components, with helper daemons running as root under launchd. Applications communicate with these daemons using the low-level XPC C API or the NSXPCConnection API. When XPC services fail to properly validate client identity (via audit token checks) or sanitize input parameters, adversaries can send crafted messages to execute arbitrary code in the context of the privileged daemon. This technique has been exploited in the wild via CVE-2021-30724 targeting Apple's CVMServer (com.apple.cvmsServ), and is frequently combined with T1068 (Exploitation for Privilege Escalation) to achieve root-level code execution from an unprivileged user context.

Microsoft Sentinel / Defender

kusto

// T1559.003 - XPC Services Abuse Detection (macOS via MDE)
let SuspiciousInterpreters = dynamic([
    "bash", "sh", "zsh", "python3", "python", "ruby", "perl",
    "osascript", "curl", "wget", "nc", "ncat", "php"
]);
let XPCServicePaths = dynamic([
    "/Library/PrivilegedHelperTools",
    "/Library/LaunchDaemons",
    "XPCServices",
    "/System/Library/XPCServices"
]);
let LegitInstallers = dynamic([
    "Installer", "pkgd", "softwareupdate", "mdmclient",
    "osinstallersetupd", "jamf", "santa", "falcond"
]);
// Branch 1: launchd spawning unexpected scripting interpreters
// (XPC exploitation causes launchd to spawn code in the daemon's context)
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "launchd"
| where FileName has_any (SuspiciousInterpreters)
| extend DetectionBranch = "launchd_spawned_interpreter"
| extend RiskReason = strcat("launchd spawned interpreter: ", FileName, " — potential XPC service exploitation")
| extend ProcessCommandLine = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, DetectionBranch, RiskReason;
// Branch 2: New/modified files in XPC service and privileged helper directories
let Branch2 = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (XPCServicePaths)
| where FileName endswith ".plist" or FileName endswith ".dylib" or FileName endswith ".xpc"
| where not(InitiatingProcessFileName has_any (LegitInstallers))
| extend DetectionBranch = "xpc_service_file_modification"
| extend RiskReason = strcat("XPC service file modified by ", InitiatingProcessFileName, ": ", FolderPath, "/", FileName)
| extend ProcessCommandLine = ""
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, DetectionBranch, RiskReason;
// Branch 3: Any process (not just launchd) writing to PrivilegedHelperTools
let Branch3 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/Library/PrivilegedHelperTools"
| where ActionType in ("FileCreated", "FileModified", "FileDeleted")
| where not(InitiatingProcessFileName has_any (LegitInstallers))
| extend DetectionBranch = "privileged_helper_modification"
| extend RiskReason = strcat("PrivilegedHelperTools modified by: ", InitiatingProcessFileName)
| extend ProcessCommandLine = ""
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, DetectionBranch, RiskReason;
union Branch1, Branch2, Branch3
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation File: File Modification Microsoft Defender for Endpoint (macOS agent)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

macOS software updates and package installers (Installer.app, pkgd, softwareupdate) writing new XPC service plists and helper binaries during legitimate installation
Enterprise MDM solutions (Jamf, Mosyle, Kandji) deploying or updating privileged helper tools as part of endpoint configuration management
Developer workstations where Xcode, xcode-select, and related tooling cause launchd to spawn shells during build processes, codesigning, and notarization tasks
Legitimate application daemons that are architecturally designed to spawn sh or bash as part of their maintenance functionality invoked via XPC
Security agents and EDR tools (CrowdStrike, SentinelOne, Jamf Protect) that install and register their own privileged helpers and may spawn shells during health checks

Splunk

spl

// T1559.003 - XPC Services Abuse (macOS via osquery)
// Requires osquery deployed on macOS with process_events and file_events tables enabled
(
  sourcetype="osquery:results" name="process_events"
    parent_path="/sbin/launchd"
    (path="*/bash" OR path="*/sh" OR path="*/zsh"
     OR path="*/python3" OR path="*/python"
     OR path="*/ruby" OR path="*/perl"
     OR path="*/osascript" OR path="*/curl" OR path="*/wget"
     OR path="*/nc" OR path="*/ncat" OR path="*/php")
)
OR
(
  sourcetype="osquery:results" name="file_events"
    (target_path="*/Library/PrivilegedHelperTools/*"
     OR target_path="*/Library/LaunchDaemons/*"
     OR target_path="*XPCServices*")
    (target_path="*.plist" OR target_path="*.dylib" OR target_path="*.xpc")
    action="CREATED"
    NOT (process_name="Installer" OR process_name="pkgd" OR process_name="softwareupdate"
         OR process_name="mdmclient" OR process_name="jamf" OR process_name="santa"
         OR process_name="osinstallersetupd")
)
| eval DetectionBranch=case(
    name="process_events" AND parent_path="/sbin/launchd", "launchd_spawned_interpreter",
    name="file_events" AND target_path LIKE "%PrivilegedHelperTools%", "privileged_helper_modification",
    name="file_events" AND target_path LIKE "%LaunchDaemons%", "launch_daemon_modification",
    name="file_events" AND target_path LIKE "%XPCServices%", "xpc_service_bundle_modification",
    true(), "unknown"
  )
| eval RiskScore=case(
    DetectionBranch="privileged_helper_modification", 85,
    DetectionBranch="launchd_spawned_interpreter"
      AND (path LIKE "%/bash" OR path LIKE "%/sh" OR path LIKE "%/zsh"), 75,
    DetectionBranch="launchd_spawned_interpreter", 65,
    DetectionBranch="launch_daemon_modification", 70,
    DetectionBranch="xpc_service_bundle_modification", 55,
    true(), 40
  )
| eval SuspiciousIndicator=coalesce(path, target_path)
| eval ActingProcess=coalesce(process_name, process_name)
| table _time, host, username, SuspiciousIndicator, cmdline, parent_path,
        target_path, DetectionBranch, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation osquery process_events table osquery file_events table

Required Sourcetypes

osquery:results

False Positives

macOS software updates triggering launchd to spawn helper shells during system maintenance windows (softwareupdate, osinstallersetupd)
Legitimate application updates writing new XPC service bundles and plists to application directories via Installer.app
Enterprise MDM tooling (Jamf, Mosyle) managing privileged helper tools through sanctioned installation workflows
Developer workstations with Xcode and command-line developer tools where launchd frequently spawns compilation and signing helpers
Security and monitoring agents that register privileged helpers and may write files to LaunchDaemons during initial deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Parent Process Name" AS ParentProcess,
  QIDNAME(qid) AS EventName,
  "File Path" AS FilePath,
  "Command Line" AS CommandLine,
  CASE
    WHEN "Parent Process Name" ILIKE '%launchd%'
      AND (
        "Process Name" ILIKE '%bash' OR "Process Name" ILIKE '%/sh'
        OR "Process Name" ILIKE '%zsh' OR "Process Name" ILIKE '%python%'
        OR "Process Name" ILIKE '%ruby' OR "Process Name" ILIKE '%perl'
        OR "Process Name" ILIKE '%osascript' OR "Process Name" ILIKE '%curl'
        OR "Process Name" ILIKE '%wget' OR "Process Name" ILIKE '%ncat'
        OR "Process Name" ILIKE '%/nc' OR "Process Name" ILIKE '%php'
      ) THEN 'launchd_spawned_interpreter'
    WHEN "File Path" ILIKE '%PrivilegedHelperTools%' THEN 'privileged_helper_modification'
    WHEN "File Path" ILIKE '%LaunchDaemons%' THEN 'launch_daemon_modification'
    WHEN "File Path" ILIKE '%XPCServices%' THEN 'xpc_service_bundle_modification'
    ELSE 'unknown'
  END AS DetectionBranch,
  CASE
    WHEN "File Path" ILIKE '%PrivilegedHelperTools%' THEN 85
    WHEN "Parent Process Name" ILIKE '%launchd%' THEN 75
    WHEN "File Path" ILIKE '%LaunchDaemons%' THEN 70
    WHEN "File Path" ILIKE '%XPCServices%' THEN 55
    ELSE 40
  END AS RiskScore
FROM events
WHERE (
  (
    "Parent Process Name" ILIKE '%launchd%'
    AND (
      "Process Name" ILIKE '%bash' OR "Process Name" ILIKE '%/sh'
      OR "Process Name" ILIKE '%zsh' OR "Process Name" ILIKE '%python%'
      OR "Process Name" ILIKE '%ruby' OR "Process Name" ILIKE '%perl'
      OR "Process Name" ILIKE '%osascript' OR "Process Name" ILIKE '%curl'
      OR "Process Name" ILIKE '%wget' OR "Process Name" ILIKE '%ncat'
      OR "Process Name" ILIKE '%/nc' OR "Process Name" ILIKE '%php'
    )
  )
  OR
  (
    (
      "File Path" ILIKE '%Library/PrivilegedHelperTools%'
      OR "File Path" ILIKE '%Library/LaunchDaemons%'
      OR "File Path" ILIKE '%XPCServices%'
    )
    AND (
      "File Path" ILIKE '%.plist'
      OR "File Path" ILIKE '%.dylib'
      OR "File Path" ILIKE '%.xpc'
    )
    AND NOT (
      "Process Name" ILIKE '%Installer%'
      OR "Process Name" ILIKE '%pkgd%'
      OR "Process Name" ILIKE '%softwareupdate%'
      OR "Process Name" ILIKE '%mdmclient%'
      OR "Process Name" ILIKE '%jamf%'
      OR "Process Name" ILIKE '%santa%'
      OR "Process Name" ILIKE '%osinstallersetupd%'
      OR "Process Name" ILIKE '%falcond%'
    )
  )
)
LAST 24 HOURS
ORDER BY RiskScore DESC, starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM osquery QRadar DSM integration macOS endpoint agents forwarding via syslog to QRadar (CarbonBlack, CrowdStrike, Cortex XDR)

Required Tables

events

False Positives

Developer toolchain setup (Xcode, Homebrew, MacPorts) where launchd legitimately invokes bash or sh to run post-install daemon scripts or environment bootstrapping operations during application installation
Enterprise MDM enrollment workflows (Jamf Pro, Kandji, Mosyle) that deploy LaunchDaemon plists or helper bundles during device onboarding where the MDM agent's internal process name does not match the exclusion list entries
macOS Rosetta 2 initialization on Apple Silicon Macs where the translation layer spawns python3 or shell helpers under launchd during first-run application asset validation or JIT compilation setup

Sumo Logic CSE

sql

(_sourceCategory=*endpoint* OR _sourceCategory=*macos* OR _sourceCategory=*osquery*)
| where (
    (parentBaseImage = "launchd"
     AND baseImage in ("bash", "sh", "zsh", "python3", "python", "ruby",
                       "perl", "osascript", "curl", "wget", "nc", "ncat", "php"))
  OR
    ((targetFilePath matches "*/Library/PrivilegedHelperTools/*"
      OR targetFilePath matches "*/Library/LaunchDaemons/*"
      OR targetFilePath matches "*XPCServices*")
     AND (targetFilePath matches "*.plist"
          OR targetFilePath matches "*.dylib"
          OR targetFilePath matches "*.xpc")
     AND !(baseImage in ("Installer", "pkgd", "softwareupdate", "mdmclient",
                         "osinstallersetupd", "jamf", "santa", "falcond")))
  )
| eval DetectionBranch = if(parentBaseImage = "launchd", "launchd_spawned_interpreter",
                        if(targetFilePath matches "*PrivilegedHelperTools*", "privileged_helper_modification",
                        if(targetFilePath matches "*LaunchDaemons*", "launch_daemon_modification",
                        "xpc_service_bundle_modification")))
| eval RiskScore = if(DetectionBranch = "privileged_helper_modification", 85,
                  if(DetectionBranch = "launchd_spawned_interpreter", 75,
                  if(DetectionBranch = "launch_daemon_modification", 70, 55)))
| fields _messageTime, device_hostname, user_username, baseImage, commandLine,
         parentBaseImage, targetFilePath, DetectionBranch, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise macOS osquery via Sumo Logic Installed Collector CrowdStrike or Carbon Black macOS agent via Sumo Logic SIEM integration

Required Tables

CSE normalized records with _sourceCategory matching *endpoint*, *macos*, or *osquery*

False Positives

Legitimate XPC privileged helper installation by signed applications using SMJobBless (e.g., VirtualBox, VMware Fusion, Docker Desktop) where the helper tool installer process name is not captured in the baseImage exclusion list
Development environment bootstrappers (nix-daemon, asdf, pyenv, rbenv) that operate as launchd services and spawn shell interpreters or write wrapper scripts into monitored paths as part of version management setup
macOS SIP-disabled test environments or authorized red team macOS endpoints where launchd-spawning of interpreters is expected during OPSEC validation or privilege escalation testing under an authorized assessment

Google Chronicle / SecOps

yaral

rule t1559_003_xpc_services_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects macOS XPC Services abuse (T1559.003): launchd spawning unexpected scripting interpreters indicative of XPC daemon exploitation, or unauthorized file creation and modification in XPC service and privileged helper directories."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1559.003"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1559/003/"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "macOS"
    created = "2024-01-01"

  events:
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e1.principal.process.file.full_path, `/(sbin/)?launchd$`) and
      re.regex($e1.target.process.file.full_path,
        `/(bash|sh|zsh|python3?|ruby|perl|osascript|curl|wget|ncat?|php)$`)
    )
    or
    (
      ($e1.metadata.event_type = "FILE_CREATION" or
       $e1.metadata.event_type = "FILE_MODIFICATION") and
      (
        re.regex($e1.target.file.full_path, `/Library/PrivilegedHelperTools/`) or
        re.regex($e1.target.file.full_path, `/Library/LaunchDaemons/`) or
        re.regex($e1.target.file.full_path, `XPCServices`)
      ) and
      re.regex($e1.target.file.full_path, `\.(plist|dylib|xpc)$`) and
      not re.regex($e1.principal.process.file.full_path,
        `(Installer|pkgd|softwareupdate|mdmclient|osinstallersetupd|jamf|santa|falcond)`)
    )

  condition:
    $e1
}

high severity medium confidence

Data Sources

Google Chronicle SIEM macOS endpoint telemetry via Chronicle ingestion (CrowdStrike Falcon, Carbon Black, Microsoft Defender for Endpoint forwarder, osquery via Chronicle agent)

Required Tables

UDM events with event_type PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION

False Positives

Legitimate application autoupdate frameworks (Adobe Creative Cloud, Microsoft AutoUpdate, Dropbox) that write or replace XPC service bundles (.xpc) or LaunchDaemon plists during silent background updates using an updater process whose name does not match the exclusion regex
CI/CD self-hosted macOS build agents (GitHub Actions runner, CircleCI agent, Jenkins node) registered as launchd services that regularly invoke bash or sh to execute pipeline scripts during automated build and test workflows
macOS migration assistant and Time Machine restore operations that recreate LaunchDaemon plist files in /Library/LaunchDaemons/ using migration or backup restore binaries with non-standard process names not covered by the exclusion list

CrowdStrike LogScale (CQL)

cql

// T1559.003 - XPC Services Abuse Detection (macOS via CrowdStrike Falcon FDR)
// Branch 1: launchd spawning suspicious scripting interpreters
(
  #event_simpleName = ProcessRollup2
  | event_platform = Mac
  | ParentBaseFileName = launchd
  | FileName = /^(bash|sh|zsh|python3?|ruby|perl|osascript|curl|wget|ncat?|php)$/
  | DetectionBranch := "launchd_spawned_interpreter"
  | RiskScore := 75
)

// Union with Branch 2 & 3: Unauthorized writes to XPC service and privileged helper paths
| union {
    #event_simpleName = PlatformEvents
    | event_platform = Mac
    | OperationType in (values=["FILE_CREATE", "FILE_OPEN_WRITE"])
    | TargetFilePath = /(Library\/PrivilegedHelperTools|Library\/LaunchDaemons|XPCServices)/
    | TargetFilePath = /\.(plist|dylib|xpc)$/
    | not ParentBaseFileName in (
        values=["Installer", "pkgd", "softwareupdate", "mdmclient",
                "jamf", "santa", "osinstallersetupd", "falcond"]
      )
    | DetectionBranch := case {
        TargetFilePath = /PrivilegedHelperTools/ => "privileged_helper_modification";
        TargetFilePath = /LaunchDaemons/ => "launch_daemon_modification";
        TargetFilePath = /XPCServices/ => "xpc_service_bundle_modification";
        * => "xpc_path_modification"
      }
    | RiskScore := case {
        DetectionBranch = "privileged_helper_modification" => 85;
        DetectionBranch = "launch_daemon_modification" => 70;
        DetectionBranch = "xpc_service_bundle_modification" => 55;
        * => 40
      }
  }
| table(
    [_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName,
     TargetFilePath, DetectionBranch, RiskScore]
  )
| sort(field=RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale (Humio) Falcon sensor version 6.x+ deployed on macOS 10.15+ endpoints

Required Tables

ProcessRollup2 (FDR macOS process creation events) PlatformEvents (FDR macOS platform file system events)

False Positives

CrowdStrike Falcon sensor self-updates or response action deployments where internal Falcon processes write updated XPC service bundles or launchd plist files to managed directories during sensor version upgrades, if the internal process name differs from falcond
Legitimate macOS developer workflows where Xcode instruments, lldb, or Simulator services cause launchd to spawn shell interpreters as debug helper processes during automated UI testing, scheme execution, or continuous integration runs on developer machines
Enterprise backup and data protection agents (Acronis Cyber Protect, Veeam Agent for Mac, Druva inSync) that install or rotate privileged helper tools at runtime using installer wrapper processes with names not covered by the exclusion value list

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1559.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

XPC Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections