Common Information
Type | Value |
---|---|
Value | XPC Services - T1559.003 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service `C API` or the high level `NSXPCConnection API` in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev) Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). |
Details | Published | Attributes | CTI | Title |
---|---|---|---|---|
Details | Website | 2024-08-13 | 22 | Objective-See: Blog |
Details | Website | 2023-10-13 | 7 | Don’t Talk All at Once! Elevating Privileges on macOS by Audit Token Spoofing |
Details | Website | 2023-04-23 | 6 | Introducing my new macOS Security Tool: Mergen. |
Details | Website | 2023-04-06 | 32 | Gatekeeping in macOS: Keeping adversaries off our Apples |
Details | Website | 2021-12-21 | 15 | Sandbox escape + privilege escalation in StorePrivilegedTaskService |
Details | Website | 2021-09-14 | 5 | The Recent iOS 0-Click, CVE-2021-30860, Sounds Familiar. An Unreleased Write-up: One Year Later - ZecOps Blog |
Details | Website | 2021-01-28 | 17 | A Look at iMessage in iOS 14 |
Details | Website | 2021-01-11 | 5 | CVE-2020-9971 Abusing XPC Service mechanism to elevate privilege in macOS/iOS |
Details | Website | 2020-03-28 | 3 | Learn XPC exploitation - Part 1: Broken cryptography |