Description
Adversaries can provide malicious content to an XPC service daemon to achieve local code execution. macOS uses XPC services for basic inter-process communication, for example between the XPC Service daemon and a third-party application's privileged helper tool. Applications send messages to the XPC Service daemon, which runs as root, through the low-level XPC Service C API or the high-level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). The application is responsible for providing the protocol definition, which serves as the blueprint of the XPC service. Developers typically use XPC Services to give applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct Exploitation for Privilege Escalation.
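As an added example (not MITRE's or Apple's code), the following shows the client-validation step that a privileged helper's NSXPCListener delegate should perform before exporting its privileged object, contrasted in comments with the improper patterns the description refers to. HelperProtocol, HelperService, the bundle identifier, the Team ID and the Mach service name are hypothetical placeholders.

```objc
// Added example, not code from MITRE ATT&CK or Apple: a root helper's
// NSXPCListener delegate that validates the connecting client before exporting
// any object. HelperProtocol, HelperService, the bundle ID, the Team ID and the
// Mach service name below are hypothetical placeholders.
#import <Foundation/Foundation.h>

@protocol HelperProtocol <NSObject>
- (void)performPrivilegedTaskWithReply:(void (^)(BOOL succeeded))reply;
@end

@interface HelperService : NSObject <HelperProtocol>
@end
@implementation HelperService
- (void)performPrivilegedTaskWithReply:(void (^)(BOOL))reply {
    reply(YES); // placeholder for the real root-only work
}
@end

@interface ListenerDelegate : NSObject <NSXPCListenerDelegate>
@end
@implementation ListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Improper validation: returning YES for every caller, or checking the
    // caller by conn.processIdentifier, which another process can reuse between
    // the check and the first message. Binding a code-signing requirement to the
    // connection (macOS 13+) makes libxpc reject messages from any peer that does
    // not satisfy it, for the lifetime of the connection. Must precede resume.
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:
            @"anchor apple generic "
            @"and identifier \"com.example.client\" "              // placeholder
            @"and certificate leaf[subject.OU] = \"TEAMID0000\""]; // placeholder
    } else {
        // Older systems need a SecCodeCopyGuestWithAttributes check keyed by the
        // peer's audit token (kSecGuestAttributeAudit); that path is omitted here,
        // so refuse rather than fall back to a PID-based check.
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = [HelperService new];
    [conn resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        // The name must match the MachServices key of the helper's launchd plist.
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        ListenerDelegate *delegate = [ListenerDelegate new];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation helper.m -o helper`; the helper only receives connections once launchd is configured to start it for that Mach service name.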
Platforms
Mitigations (1)
Application Developer Guidance (M1013)
Enable the Hardened Runtime capability when developing applications. Do not include the com.apple.security.get-task-allow entitlement with the value set to any variation of true.
References
- Apple. (2016, September 9). Creating XPC Services. Retrieved April 19, 2022.
- Apple. (n.d.). Retrieved October 12, 2021.
- Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability in macOS and iOS. Retrieved October 12, 2021.
- Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved October 12, 2021.
Frequently Asked Questions
What is T1559.003 (XPC Services)?
T1559.003 is a MITRE ATT&CK technique named 'XPC Services'. It belongs to the Execution tactic. Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between th...
How can T1559.003 be detected?
Detection of T1559.003 (XPC Services) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1559.003?
There is 1 documented mitigation for T1559.003: Application Developer Guidance.
Which threat groups use T1559.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.