Detect XPC Services in Elastic Security
Adversaries may abuse macOS XPC (Cross-Process Communication) services to execute malicious code with elevated privileges. XPC services provide privilege separation between application components, with helper daemons running as root under launchd. Applications communicate with these daemons using the low-level XPC C API or the NSXPCConnection API. When XPC services fail to properly validate client identity (via audit token checks) or sanitize input parameters, adversaries can send crafted messages to execute arbitrary code in the context of the privileged daemon. This technique has been exploited in the wild via CVE-2021-30724 targeting Apple's CVMServer (com.apple.cvmsServ), and is frequently combined with T1068 (Exploitation for Privilege Escalation) to achieve root-level code execution from an unprivileged user context.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1559 Inter-Process Communication
- Sub-technique
- T1559.003 XPC Services
- Canonical reference
- https://attack.mitre.org/techniques/T1559/003/
Elastic Detection Query
any where
(
event.category == "process" and event.type == "start" and
process.parent.name == "launchd" and
process.name in ("bash", "sh", "zsh", "python3", "python", "ruby", "perl",
"osascript", "curl", "wget", "nc", "ncat", "php")
)
or
(
event.category == "file" and
event.type in ("creation", "change") and
(
file.path : "*Library/PrivilegedHelperTools*" or
file.path : "*Library/LaunchDaemons*" or
file.path : "*XPCServices*"
) and
(
file.extension == "plist" or
file.extension == "dylib" or
file.extension == "xpc"
) and
not process.name in ("Installer", "pkgd", "softwareupdate", "mdmclient",
"osinstallersetupd", "jamf", "santa", "falcond")
)Detects T1559.003 XPC Services abuse on macOS using Elastic EQL against Elastic Endpoint Security telemetry. Branch 1 identifies launchd spawning unexpected scripting interpreters, which occurs when a privileged XPC daemon is exploited and the attacker coerces it to execute arbitrary code. Branch 2 detects unauthorized creation or modification of plist, dylib, or XPC bundle files in /Library/PrivilegedHelperTools, /Library/LaunchDaemons, or XPCServices directories by processes not on the legitimate installer allowlist.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers (e.g., Homebrew, Xcode Command Line Tools, Nix) that spawn bash or sh under launchd as part of post-install hooks or daemon-based package operations where the spawning process name is not in the exclusion list
- macOS system updates or XProtect/MRT signature refreshes that write plist or dylib files to /Library/LaunchDaemons/ via a background update daemon whose binary name does not match softwareupdate or mdmclient
- Third-party endpoint security or MDM agents (e.g., Mosyle, Kandji, Absolute) that deploy or rotate XPC service bundles and privileged helper tools during device configuration management cycles using process names not captured in the allowlist
Other platforms for T1559.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1XPC Service and Privileged Helper Enumeration
Expected signal: MDE DeviceProcessEvents: launchctl spawned multiple times with 'list' argument, parent = shell (bash/zsh). osquery process_events: launchctl and ls executions with enumeration arguments. File creation event for /tmp/df00tech_xpc_services.txt in MDE DeviceFileEvents and osquery file_events.
- Test 2Malicious LaunchDaemon XPC Service Registration
Expected signal: MDE DeviceFileEvents: FileCreated for /Library/LaunchDaemons/com.df00tech.test.xpcservice.plist by the test process (InitiatingProcessFileName=cp or sudo). osquery file_events: target_path=/Library/LaunchDaemons/com.df00tech.test.xpcservice.plist, action=CREATED. MDE DeviceProcessEvents: launchd spawning /bin/sh with the touch/echo command. macOS Unified Log: launchd registering service label 'com.df00tech.test.xpcservice' and subsequent execution.
- Test 3Privileged Helper Tool Tampering Simulation
Expected signal: MDE DeviceFileEvents: FileCreated action for /Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, InitiatingProcessFileName=sudo or touch. osquery file_events: target_path=/Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, action=CREATED, process_name=touch. macOS Unified Log: filesystem write event at the PrivilegedHelperTools path. codesign invocation captured in process events.
- Test 4XPC Client Connection Simulation via Python
Expected signal: MDE DeviceProcessEvents: python3 spawned with inline script via shell. osquery process_events: python3 execution with cmdline containing 'subprocess', parent=bash/zsh. launchctl subprocess spawns visible as child process events. If this test is run from a launchd context (e.g., via a cron job registered with launchd), the 'launchd_spawned_interpreter' detection branch fires with python3 as the spawned interpreter.
References (10)
- https://attack.mitre.org/techniques/T1559/003/
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
- https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/
- https://developer.apple.com/documentation/xpc
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.003/T1559.003.md
- https://www.uptycs.com/blog/macos-privilege-escalation-via-xpc-services
- https://objective-see.org/blog/blog_0x4C.html
Unlock Pro Content
Get the full detection package for T1559.003 including response playbook, investigation guide, and atomic red team tests.