title: XPC Services (T1559.003)
id: df00tech-t1559-003
status: experimental
description: "Adversaries may abuse macOS XPC (Cross-Process Communication) services to execute malicious code with elevated privileges. XPC services provide privilege separation between application components, with helper daemons running as root under launchd. Applications communicate with these daemons using the low-level XPC C API or the NSXPCConnection API. When XPC services fail to properly validate client identity (via audit token checks) or sanitize input parameters, adversaries can send crafted messages to execute arbitrary code in the context of the privileged daemon. This technique has been exploited in the wild via CVE-2021-30724 targeting Apple's CVMServer (com.apple.cvmsServ), and is frequently combined with T1068 (Exploitation for Privilege Escalation) to achieve root-level code execution from an unprivileged user context."
references:
  - https://attack.mitre.org/techniques/T1559/003/
  - https://df00tech.com/detections/T1559.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1559.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "macOS software updates and package installers (Installer.app, pkgd, softwareupdate) writing new XPC service plists and helper binaries during legitimate installation"
  - "Enterprise MDM solutions (Jamf, Mosyle, Kandji) deploying or updating privileged helper tools as part of endpoint configuration management"
  - "Developer workstations where Xcode, xcode-select, and related tooling cause launchd to spawn shells during build processes, codesigning, and notarization tasks"
  - "Legitimate application daemons that are architecturally designed to spawn sh or bash as part of their maintenance functionality invoked via XPC"
  - "Security agents and EDR tools (CrowdStrike, SentinelOne, Jamf Protect) that install and register their own privileged helpers and may spawn shells during health checks"
level: high
