T1559.003 Splunk · SPL

Detect XPC Services in Splunk

Adversaries may abuse macOS XPC (Cross-Process Communication) services to execute malicious code with elevated privileges. XPC services provide privilege separation between application components, with helper daemons running as root under launchd. Applications communicate with these daemons using the low-level XPC C API or the NSXPCConnection API. When XPC services fail to properly validate client identity (via audit token checks) or sanitize input parameters, adversaries can send crafted messages to execute arbitrary code in the context of the privileged daemon. This technique has been exploited in the wild via CVE-2021-30724 targeting Apple's CVMServer (com.apple.cvmsServ), and is frequently combined with T1068 (Exploitation for Privilege Escalation) to achieve root-level code execution from an unprivileged user context.

MITRE ATT&CK

Tactic
Execution
Technique
T1559 Inter-Process Communication
Sub-technique
T1559.003 XPC Services
Canonical reference
https://attack.mitre.org/techniques/T1559/003/

SPL Detection Query

Splunk (SPL)
spl 
// T1559.003 - XPC Services Abuse (macOS via osquery)
// Requires osquery deployed on macOS with process_events and file_events tables enabled
(
  sourcetype="osquery:results" name="process_events"
    parent_path="/sbin/launchd"
    (path="*/bash" OR path="*/sh" OR path="*/zsh"
     OR path="*/python3" OR path="*/python"
     OR path="*/ruby" OR path="*/perl"
     OR path="*/osascript" OR path="*/curl" OR path="*/wget"
     OR path="*/nc" OR path="*/ncat" OR path="*/php")
)
OR
(
  sourcetype="osquery:results" name="file_events"
    (target_path="*/Library/PrivilegedHelperTools/*"
     OR target_path="*/Library/LaunchDaemons/*"
     OR target_path="*XPCServices*")
    (target_path="*.plist" OR target_path="*.dylib" OR target_path="*.xpc")
    action="CREATED"
    NOT (process_name="Installer" OR process_name="pkgd" OR process_name="softwareupdate"
         OR process_name="mdmclient" OR process_name="jamf" OR process_name="santa"
         OR process_name="osinstallersetupd")
)
| eval DetectionBranch=case(
    name="process_events" AND parent_path="/sbin/launchd", "launchd_spawned_interpreter",
    name="file_events" AND target_path LIKE "%PrivilegedHelperTools%", "privileged_helper_modification",
    name="file_events" AND target_path LIKE "%LaunchDaemons%", "launch_daemon_modification",
    name="file_events" AND target_path LIKE "%XPCServices%", "xpc_service_bundle_modification",
    true(), "unknown"
  )
| eval RiskScore=case(
    DetectionBranch="privileged_helper_modification", 85,
    DetectionBranch="launchd_spawned_interpreter"
      AND (path LIKE "%/bash" OR path LIKE "%/sh" OR path LIKE "%/zsh"), 75,
    DetectionBranch="launchd_spawned_interpreter", 65,
    DetectionBranch="launch_daemon_modification", 70,
    DetectionBranch="xpc_service_bundle_modification", 55,
    true(), 40
  )
| eval SuspiciousIndicator=coalesce(path, target_path)
| eval ActingProcess=coalesce(process_name, process_name)
| table _time, host, username, SuspiciousIndicator, cmdline, parent_path,
        target_path, DetectionBranch, RiskScore
| sort - RiskScore, - _time
high severity medium confidence

Detects XPC service abuse on macOS using osquery process_events and file_events tables forwarded to Splunk. Identifies launchd spawning unexpected scripting interpreters or shells (characteristic of XPC exploitation) and unauthorized modifications to XPC service directories, LaunchDaemon plists, and privileged helper tool paths. Risk scores range from 55–85 based on indicator specificity. Requires osquery deployed on macOS endpoints with process_events and file_events tables enabled in the osquery configuration.

Data Sources

Process: Process CreationFile: File Creationosquery process_events tableosquery file_events table

Required Sourcetypes

osquery:results

False Positives & Tuning

  • macOS software updates triggering launchd to spawn helper shells during system maintenance windows (softwareupdate, osinstallersetupd)
  • Legitimate application updates writing new XPC service bundles and plists to application directories via Installer.app
  • Enterprise MDM tooling (Jamf, Mosyle) managing privileged helper tools through sanctioned installation workflows
  • Developer workstations with Xcode and command-line developer tools where launchd frequently spawns compilation and signing helpers
  • Security and monitoring agents that register privileged helpers and may write files to LaunchDaemons during initial deployment
Download portable Sigma rule (.yml)

Other platforms for T1559.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1XPC Service and Privileged Helper Enumeration

    Expected signal: MDE DeviceProcessEvents: launchctl spawned multiple times with 'list' argument, parent = shell (bash/zsh). osquery process_events: launchctl and ls executions with enumeration arguments. File creation event for /tmp/df00tech_xpc_services.txt in MDE DeviceFileEvents and osquery file_events.

  2. Test 2Malicious LaunchDaemon XPC Service Registration

    Expected signal: MDE DeviceFileEvents: FileCreated for /Library/LaunchDaemons/com.df00tech.test.xpcservice.plist by the test process (InitiatingProcessFileName=cp or sudo). osquery file_events: target_path=/Library/LaunchDaemons/com.df00tech.test.xpcservice.plist, action=CREATED. MDE DeviceProcessEvents: launchd spawning /bin/sh with the touch/echo command. macOS Unified Log: launchd registering service label 'com.df00tech.test.xpcservice' and subsequent execution.

  3. Test 3Privileged Helper Tool Tampering Simulation

    Expected signal: MDE DeviceFileEvents: FileCreated action for /Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, InitiatingProcessFileName=sudo or touch. osquery file_events: target_path=/Library/PrivilegedHelperTools/com.df00tech.test.backdoor.helper, action=CREATED, process_name=touch. macOS Unified Log: filesystem write event at the PrivilegedHelperTools path. codesign invocation captured in process events.

  4. Test 4XPC Client Connection Simulation via Python

    Expected signal: MDE DeviceProcessEvents: python3 spawned with inline script via shell. osquery process_events: python3 execution with cmdline containing 'subprocess', parent=bash/zsh. launchctl subprocess spawns visible as child process events. If this test is run from a launchd context (e.g., via a cron job registered with launchd), the 'launchd_spawned_interpreter' detection branch fires with python3 as the spawned interpreter.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1559.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1559Inter-Process Communication

Related Sub-techniques

T1559.001Component Object ModelT1559.002Dynamic Data Exchange

Related Techniques

T1559Inter-Process CommunicationT1068Exploitation for Privilege EscalationT1543.004Launch DaemonT1543.001Launch AgentT1574.006Dynamic Linker HijackingT1555.001KeychainT1548.004Elevated Execution with PromptT1548.001Setuid and SetgidT1078.003Local Accounts

Same Tactic: Execution

Popular Detections