MITRE ATT&CK Technique
Execution T1559.003
Description

Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev) Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2021-10-12T06:45:36.763Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries can provide malicious content to an XPC service '
                'daemon for local code execution. macOS uses XPC services for '
                'basic inter-process communication between various processes, '
                'such as between the XPC Service daemon and third-party '
                'application privileged helper tools. Applications can send '
                'messages to the XPC Service daemon, which runs as root, using '
                'the low-level XPC Service <code>C API</code> or the high '
                'level <code>NSXPCConnection API</code> in order to handle '
                'tasks that require elevated privileges (such as network '
                'connections). Applications are responsible for providing the '
                'protocol definition which serves as a blueprint of the XPC '
                'services. Developers typically use XPC Services to provide '
                'applications stability and privilege separation between the '
                'application client and the daemon.(Citation: '
                'creatingXPCservices)(Citation: Designing Daemons Apple Dev)\n'
                '\n'
                'Adversaries can abuse XPC services to execute malicious '
                'content. Requests for malicious execution can be passed '
                "through the application's XPC Services handler.(Citation: "
                'CVMServer Vuln)(Citation: Learn XPC Exploitation) This may '
                'also include identifying and abusing improper XPC client '
                'validation and/or poor sanitization of input parameters to '
                'conduct [Exploitation for Privilege '
                'Escalation](https://attack.mitre.org/techniques/T1068).',
 'external_references': [{'external_id': 'T1559.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1559/003'},
                         {'description': 'Apple. (2016, September 9). Creating '
                                         'XPC Services. Retrieved April 19, '
                                         '2022.',
                          'source_name': 'creatingXPCservices',
                          'url': 'https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1'},
                         {'description': 'Apple. (n.d.). Retrieved October 12, '
                                         '2021.',
                          'source_name': 'Designing Daemons Apple Dev',
                          'url': 'https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html'},
                         {'description': 'Mickey Jin. (2021, June 3). '
                                         'CVE-2021-30724: CVMServer '
                                         'Vulnerability in macOS and iOS. '
                                         'Retrieved October 12, 2021.',
                          'source_name': 'CVMServer Vuln',
                          'url': 'https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html'},
                         {'description': 'Wojciech Reguła. (2020, June 29). '
                                         'Learn XPC exploitation. Retrieved '
                                         'October 12, 2021.',
                          'source_name': 'Learn XPC Exploitation',
                          'url': 'https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/'}],
 'id': 'attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'}],
 'modified': '2025-04-15T19:58:47.031Z',
 'name': 'XPC Services',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Csaba Fitzl @theevilbit of Kandji'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About