Detect XPC Services in Microsoft Sentinel
Adversaries may abuse macOS XPC (Cross-Process Communication) services to execute malicious code with elevated privileges. XPC services provide privilege separation between application components, with helper daemons running as root under launchd. Applications communicate with these daemons using the low-level XPC C API or the NSXPCConnection API. When XPC services fail to properly validate client identity (via audit token checks) or sanitize input parameters, adversaries can send crafted messages to execute arbitrary code in the context of the privileged daemon. This technique has been exploited in the wild via CVE-2021-30724 targeting Apple's CVMServer (com.apple.cvmsServ), and is frequently combined with T1068 (Exploitation for Privilege Escalation) to achieve root-level code execution from an unprivileged user context.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1559 Inter-Process Communication
- Sub-technique
- T1559.003 XPC Services
- Canonical reference
- https://attack.mitre.org/techniques/T1559/003/
KQL Detection Query
// T1559.003 - XPC Services Abuse Detection (macOS via MDE)
let SuspiciousInterpreters = dynamic([
"bash", "sh", "zsh", "python3", "python", "ruby", "perl",
"osascript", "curl", "wget", "nc", "ncat", "php"
]);
let XPCServicePaths = dynamic([
"/Library/PrivilegedHelperTools",
"/Library/LaunchDaemons",
"XPCServices",
"/System/Library/XPCServices"
]);
let LegitInstallers = dynamic([
"Installer", "pkgd", "softwareupdate", "mdmclient",
"osinstallersetupd", "jamf", "santa", "falcond"
]);
// Branch 1: launchd spawning unexpected scripting interpreters
// (XPC exploitation causes launchd to spawn code in the daemon's context)
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "launchd"
| where FileName has_any (SuspiciousInterpreters)
| extend DetectionBranch = "launchd_spawned_interpreter"
| extend RiskReason = strcat("launchd spawned interpreter: ", FileName, " — potential XPC service exploitation")
| extend ProcessCommandLine = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
FolderPath, DetectionBranch, RiskReason;
// Branch 2: New/modified files in XPC service and privileged helper directories
let Branch2 = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (XPCServicePaths)
| where FileName endswith ".plist" or FileName endswith ".dylib" or FileName endswith ".xpc"
| where not(InitiatingProcessFileName has_any (LegitInstallers))
| extend DetectionBranch = "xpc_service_file_modification"
| extend RiskReason = strcat("XPC service file modified by ", InitiatingProcessFileName, ": ", FolderPath, "/", FileName)
| extend ProcessCommandLine = ""
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
FolderPath, DetectionBranch, RiskReason;
// Branch 3: Any process (not just launchd) writing to PrivilegedHelperTools
let Branch3 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/Library/PrivilegedHelperTools"
| where ActionType in ("FileCreated", "FileModified", "FileDeleted")
| where not(InitiatingProcessFileName has_any (LegitInstallers))
| extend DetectionBranch = "privileged_helper_modification"
| extend RiskReason = strcat("PrivilegedHelperTools modified by: ", InitiatingProcessFileName)
| extend ProcessCommandLine = ""
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
FolderPath, DetectionBranch, RiskReason;
union Branch1, Branch2, Branch3
| sort by Timestamp descDetects XPC service abuse on macOS endpoints monitored by Microsoft Defender for Endpoint. Uses three detection branches: (1) launchd spawning unexpected scripting interpreters or shells — this is the signature of XPC exploitation where a privileged daemon executes attacker-controlled code; (2) unauthorized file creation or modification in XPC service directories and privileged helper paths by non-installer processes; (3) any modification to /Library/PrivilegedHelperTools/, which has near-zero legitimate write activity outside of software installation. Requires MDE agent on macOS endpoints.
Data Sources
Required Tables
False Positives & Tuning
- macOS software updates and package installers (Installer.app, pkgd, softwareupdate) writing new XPC service plists and helper binaries during legitimate installation
- Enterprise MDM solutions (Jamf, Mosyle, Kandji) deploying or updating privileged helper tools as part of endpoint configuration management
- Developer workstations where Xcode, xcode-select, and related tooling cause launchd to spawn shells during build processes, codesigning, and notarization tasks
- Legitimate application daemons that are architecturally designed to spawn sh or bash as part of their maintenance functionality invoked via XPC
- Security agents and EDR tools (CrowdStrike, SentinelOne, Jamf Protect) that install and register their own privileged helpers and may spawn shells during health checks
Other platforms for T1559.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1XPC Service and Privileged Helper Enumeration
Expected signal: MDE DeviceProcessEvents: launchctl spawned multiple times with 'list' argument, parent = shell (bash/zsh). osquery process_events: launchctl and ls executions with enumeration arguments. File creation event for /tmp/df00tech_xpc_services.txt in MDE DeviceFileEvents and osquery file_events.
- Test 2Malicious LaunchDaemon XPC Service Registration
Expected signal: MDE DeviceFileEvents: FileCreated for /Library/LaunchDaemons/com.df00tech.test.xpcservice.plist by the test process (InitiatingProcessFileName=cp or sudo). osquery file_events: target_path=/Library/LaunchDaemons/com.df00tech.test.xpcservice.plist, action=CREATED. MDE DeviceProcessEvents: launchd spawning /bin/sh with the touch/echo command. macOS Unified Log: launchd registering service label 'com.df00tech.test.xpcservice' and subsequent execution.
- Test 3Privileged Helper Tool Tampering Simulation
Expected signal: MDE DeviceFileEvents: FileCreated action for /Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, InitiatingProcessFileName=sudo or touch. osquery file_events: target_path=/Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, action=CREATED, process_name=touch. macOS Unified Log: filesystem write event at the PrivilegedHelperTools path. codesign invocation captured in process events.
- Test 4XPC Client Connection Simulation via Python
Expected signal: MDE DeviceProcessEvents: python3 spawned with inline script via shell. osquery process_events: python3 execution with cmdline containing 'subprocess', parent=bash/zsh. launchctl subprocess spawns visible as child process events. If this test is run from a launchd context (e.g., via a cron job registered with launchd), the 'launchd_spawned_interpreter' detection branch fires with python3 as the spawned interpreter.
References (10)
- https://attack.mitre.org/techniques/T1559/003/
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
- https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/
- https://developer.apple.com/documentation/xpc
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.003/T1559.003.md
- https://www.uptycs.com/blog/macos-privilege-escalation-via-xpc-services
- https://objective-see.org/blog/blog_0x4C.html
Unlock Pro Content
Get the full detection package for T1559.003 including response playbook, investigation guide, and atomic red team tests.