T1559.003 IBM QRadar · QRadar

Detect XPC Services in IBM QRadar

Adversaries may abuse macOS XPC (Cross-Process Communication) services to execute malicious code with elevated privileges. XPC services provide privilege separation between application components, with helper daemons running as root under launchd. Applications communicate with these daemons using the low-level XPC C API or the NSXPCConnection API. When XPC services fail to properly validate client identity (via audit token checks) or sanitize input parameters, adversaries can send crafted messages to execute arbitrary code in the context of the privileged daemon. This technique has been exploited in the wild via CVE-2021-30724 targeting Apple's CVMServer (com.apple.cvmsServ), and is frequently combined with T1068 (Exploitation for Privilege Escalation) to achieve root-level code execution from an unprivileged user context.

MITRE ATT&CK

Tactic
Execution
Technique
T1559 Inter-Process Communication
Sub-technique
T1559.003 XPC Services
Canonical reference
https://attack.mitre.org/techniques/T1559/003/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Parent Process Name" AS ParentProcess,
  QIDNAME(qid) AS EventName,
  "File Path" AS FilePath,
  "Command Line" AS CommandLine,
  CASE
    WHEN "Parent Process Name" ILIKE '%launchd%'
      AND (
        "Process Name" ILIKE '%bash' OR "Process Name" ILIKE '%/sh'
        OR "Process Name" ILIKE '%zsh' OR "Process Name" ILIKE '%python%'
        OR "Process Name" ILIKE '%ruby' OR "Process Name" ILIKE '%perl'
        OR "Process Name" ILIKE '%osascript' OR "Process Name" ILIKE '%curl'
        OR "Process Name" ILIKE '%wget' OR "Process Name" ILIKE '%ncat'
        OR "Process Name" ILIKE '%/nc' OR "Process Name" ILIKE '%php'
      ) THEN 'launchd_spawned_interpreter'
    WHEN "File Path" ILIKE '%PrivilegedHelperTools%' THEN 'privileged_helper_modification'
    WHEN "File Path" ILIKE '%LaunchDaemons%' THEN 'launch_daemon_modification'
    WHEN "File Path" ILIKE '%XPCServices%' THEN 'xpc_service_bundle_modification'
    ELSE 'unknown'
  END AS DetectionBranch,
  CASE
    WHEN "File Path" ILIKE '%PrivilegedHelperTools%' THEN 85
    WHEN "Parent Process Name" ILIKE '%launchd%' THEN 75
    WHEN "File Path" ILIKE '%LaunchDaemons%' THEN 70
    WHEN "File Path" ILIKE '%XPCServices%' THEN 55
    ELSE 40
  END AS RiskScore
FROM events
WHERE (
  (
    "Parent Process Name" ILIKE '%launchd%'
    AND (
      "Process Name" ILIKE '%bash' OR "Process Name" ILIKE '%/sh'
      OR "Process Name" ILIKE '%zsh' OR "Process Name" ILIKE '%python%'
      OR "Process Name" ILIKE '%ruby' OR "Process Name" ILIKE '%perl'
      OR "Process Name" ILIKE '%osascript' OR "Process Name" ILIKE '%curl'
      OR "Process Name" ILIKE '%wget' OR "Process Name" ILIKE '%ncat'
      OR "Process Name" ILIKE '%/nc' OR "Process Name" ILIKE '%php'
    )
  )
  OR
  (
    (
      "File Path" ILIKE '%Library/PrivilegedHelperTools%'
      OR "File Path" ILIKE '%Library/LaunchDaemons%'
      OR "File Path" ILIKE '%XPCServices%'
    )
    AND (
      "File Path" ILIKE '%.plist'
      OR "File Path" ILIKE '%.dylib'
      OR "File Path" ILIKE '%.xpc'
    )
    AND NOT (
      "Process Name" ILIKE '%Installer%'
      OR "Process Name" ILIKE '%pkgd%'
      OR "Process Name" ILIKE '%softwareupdate%'
      OR "Process Name" ILIKE '%mdmclient%'
      OR "Process Name" ILIKE '%jamf%'
      OR "Process Name" ILIKE '%santa%'
      OR "Process Name" ILIKE '%osinstallersetupd%'
      OR "Process Name" ILIKE '%falcond%'
    )
  )
)
ORDER BY RiskScore DESC, starttime DESC
LAST 24 HOURS
```

Severity: high · Confidence: medium

IBM QRadar AQL query detecting T1559.003 XPC Services abuse on macOS endpoints. Queries the events table against macOS endpoint telemetry forwarded to QRadar via osquery, CarbonBlack, or syslog-based agents. Identifies launchd spawning scripting interpreters and unauthorized XPC service directory modifications, assigning branch-specific risk scores. Requires macOS endpoint log source configured with normalized Process Name, Parent Process Name, File Path, and Command Line custom event properties.

Data Sources

  • IBM QRadar SIEM
  • osquery QRadar DSM integration
  • macOS endpoint agents forwarding via syslog to QRadar (CarbonBlack, CrowdStrike, Cortex XDR)

Required Tables

events

False Positives & Tuning

  • Developer toolchain setup (Xcode, Homebrew, MacPorts) where launchd legitimately invokes bash or sh to run post-install daemon scripts or environment bootstrapping operations during application installation
  • Enterprise MDM enrollment workflows (Jamf Pro, Kandji, Mosyle) that deploy LaunchDaemon plists or helper bundles during device onboarding where the MDM agent's internal process name does not match the exclusion list entries
  • macOS Rosetta 2 initialization on Apple Silicon Macs where the translation layer spawns python3 or shell helpers under launchd during first-run application asset validation or JIT compilation setup
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: XPC Service and Privileged Helper Enumeration

    Expected signal: MDE DeviceProcessEvents: launchctl spawned multiple times with 'list' argument, parent = shell (bash/zsh). osquery process_events: launchctl and ls executions with enumeration arguments. File creation event for /tmp/df00tech_xpc_services.txt in MDE DeviceFileEvents and osquery file_events.

  2. Test 2: Malicious LaunchDaemon XPC Service Registration

    Expected signal: MDE DeviceFileEvents: FileCreated for /Library/LaunchDaemons/com.df00tech.test.xpcservice.plist by the test process (InitiatingProcessFileName=cp or sudo). osquery file_events: target_path=/Library/LaunchDaemons/com.df00tech.test.xpcservice.plist, action=CREATED. MDE DeviceProcessEvents: launchd spawning /bin/sh with the touch/echo command. macOS Unified Log: launchd registering service label 'com.df00tech.test.xpcservice' and subsequent execution.

  3. Test 3: Privileged Helper Tool Tampering Simulation

    Expected signal: MDE DeviceFileEvents: FileCreated action for /Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, InitiatingProcessFileName=sudo or touch. osquery file_events: target_path=/Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, action=CREATED, process_name=touch. macOS Unified Log: filesystem write event at the PrivilegedHelperTools path. codesign invocation captured in process events.

  4. Test 4: XPC Client Connection Simulation via Python

    Expected signal: MDE DeviceProcessEvents: python3 spawned with inline script via shell. osquery process_events: python3 execution with cmdline containing 'subprocess', parent=bash/zsh. launchctl subprocess spawns visible as child process events. If this test is run from a launchd context (e.g., via a cron job registered with launchd), the 'launchd_spawned_interpreter' detection branch fires with python3 as the spawned interpreter.
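To check the rule's branch and scoring logic offline before running it in QRadar, here is a Python model of the AQL WHERE clause and both CASE expressions, run over events shaped like the normalized properties the rule expects. This is an added example, not code from this detection page or from IBM; the ILIKE emulation via fnmatch and the sample events (modelled on the Testing Methodology signals) are constructed assumptions.

```python
import fnmatch
# Patterns copied from the AQL rule so the model and the query stay in step.
INTERPRETERS = ["%bash", "%/sh", "%zsh", "%python%", "%ruby", "%perl",
                "%osascript", "%curl", "%wget", "%ncat", "%/nc", "%php"]
XPC_DIRS = ["%Library/PrivilegedHelperTools%", "%Library/LaunchDaemons%", "%XPCServices%"]
XPC_EXTS = ["%.plist", "%.dylib", "%.xpc"]
TRUSTED_WRITERS = ["%Installer%", "%pkgd%", "%softwareupdate%", "%mdmclient%",
                   "%jamf%", "%santa%", "%osinstallersetupd%", "%falcond%"]

def ilike(value, pattern):
    """Approximate AQL ILIKE: case-insensitive, '%' matches any run of characters."""
    glob = pattern.replace("%", "*").replace("_", "?")
    return fnmatch.fnmatchcase(value.lower(), glob.lower())

def case(cases, default):
    """Evaluate ordered (condition, value) pairs the way an AQL CASE expression does."""
    return next((value for cond, value in cases if cond), default)

def classify(event):
    """Return (DetectionBranch, RiskScore) for an event, or None if the WHERE clause drops it."""
    proc = event.get("Process Name", "")
    parent = event.get("Parent Process Name", "")
    path = event.get("File Path", "")
    launchd_interp = ilike(parent, "%launchd%") and any(ilike(proc, p) for p in INTERPRETERS)
    xpc_write = (any(ilike(path, d) for d in XPC_DIRS) and any(ilike(path, e) for e in XPC_EXTS)
                 and not any(ilike(proc, t) for t in TRUSTED_WRITERS))
    if not (launchd_interp or xpc_write):
        return None
    helper = ilike(path, "%PrivilegedHelperTools%")
    daemon = ilike(path, "%LaunchDaemons%")
    bundle = ilike(path, "%XPCServices%")
    # The query's two CASE expressions are ordered differently, so keep them separate.
    branch = case([(launchd_interp, "launchd_spawned_interpreter"),
                   (helper, "privileged_helper_modification"),
                   (daemon, "launch_daemon_modification"),
                   (bundle, "xpc_service_bundle_modification")], "unknown")
    score = case([(helper, 85), (ilike(parent, "%launchd%"), 75), (daemon, 70), (bundle, 55)], 40)
    return branch, score

SAMPLE_EVENTS = [  # constructed, modelled on the Testing Methodology expected signals
    {"Process Name": "launchctl", "Parent Process Name": "zsh", "File Path": ""},  # Test 1
    {"Process Name": "/bin/sh", "Parent Process Name": "launchd", "File Path": ""},  # Test 2
    {"Process Name": "cp", "Parent Process Name": "sudo",  # Test 2
     "File Path": "/Library/LaunchDaemons/com.df00tech.test.xpcservice.plist"},
    {"Process Name": "touch", "Parent Process Name": "sudo",  # Test 3
     "File Path": "/Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper"},
    {"Process Name": "jamf", "Parent Process Name": "launchd",  # excluded MDM writer
     "File Path": "/Library/LaunchDaemons/com.vendor.agent.plist"},
]
```

Running classify over the samples shows that the Test 3 helper path ends in .helper, so the query's .plist/.dylib/.xpc extension filter never returns it; whether to widen that filter for PrivilegedHelperTools writes is a tuning decision this model lets you evaluate before touching the AQL.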
