MITRE ATT&CK® Detection Strategy

DET0335: Detect Abuse of XPC Services (T1559.003)

Enterprise · DET0335 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0335 is a detection strategy for abuse of macOS XPC Services, where malicious input to an XPC service or privileged helper can lead to local code execution. The business issue is not just endpoint malware detection: privileged inter-process communication can become a path from a user context into higher-privilege execution, affecting workstation integrity, incident containment, and evidence quality for macOS fleets.

Executive priority

Security leaders should treat this as a macOS endpoint resilience and privileged execution control question. Ask whether the organization has enough visibility into XPC service activity, privileged helper tools, and unusual process relationships to support incident response and compliance evidence. Because the supplied ATT&CK object has no official detection text, priority should be based on local macOS exposure, business-critical user populations, and the maturity of endpoint telemetry rather than assumed coverage.

Technical view

The related ATT&CK technique is T1559.003, XPC Services, under Execution on macOS. SOC and detection engineering teams should validate whether endpoint telemetry can show applications communicating with XPC service daemons or privileged helper tools, especially when those services run with elevated privileges. Detection content should focus on abnormal process lineage, unexpected clients invoking privileged helpers, suspicious child process creation, service configuration or helper changes, and deviations from known-good application behavior. IR teams should be prepared to preserve macOS endpoint logs and process/service artifacts because the detection strategy object itself does not provide a canonical analytic.

Likely telemetry

  • macOS endpoint detection and response process events
  • Process lineage and parent/child process creation data
  • XPC service or privileged helper tool activity where available
  • Application-to-service communication indicators where collected
  • Service/helper installation, modification, or configuration events

Detection direction

  • Map coverage specifically to macOS execution behavior for T1559.003 rather than assuming generic process monitoring is sufficient.
  • Baseline legitimate XPC service and privileged helper usage for managed applications to reduce false positives.
  • Look for unusual clients interacting with privileged helpers, unexpected helper binaries, abnormal execution paths, or uncommon child processes spawned from service-related components.
  • Correlate service/helper changes with process execution and code-signing context to distinguish software updates from suspicious activity.
  • Document blind spots where XPC interactions, privileged helper activity, or macOS unified logs are not centrally collected.
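As an added illustration of the baseline-and-deviation approach described in the list above (example code written for this page; it is not a MITRE analytic and not Glexia tooling), the following Python pass runs a few simple rules over constructed endpoint events. The event schema (`exec` and `xpc_connect` records), the helper path, the Team IDs and the baseline are all assumptions standing in for what an EDR or unified-log export might provide; real field names will differ by product.

```python
"""Toy detection pass for T1559.003 (XPC Services) on macOS.

Added example for this page; not MITRE or Glexia code. The event schema, paths,
Team IDs and baseline below are constructed assumptions.
"""

HELPER_DIR = "/Library/PrivilegedHelperTools/"

# Interpreters a privileged helper should essentially never spawn (assumption).
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/curl"}

# Constructed baseline: inventoried helpers, the Team ID they are expected to be
# signed with, and the Team IDs of the applications that legitimately call them.
BASELINE = {
    HELPER_DIR + "com.example.updater.helper": {
        "team_id": "EXAMPLE123",
        "clients": {"EXAMPLE123"},
    },
}


def analyze(events, baseline=BASELINE):
    """Return findings from 'exec' and 'xpc_connect' events (constructed schema)."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "exec"}

    def flag(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "detail": detail})

    for e in events:
        if e["type"] == "exec":
            path = e["path"]
            parent = procs.get(e["ppid"])
            if path.startswith(HELPER_DIR):
                base = baseline.get(path)
                if base is None:
                    # Helper binary that is not in the inventory baseline.
                    flag("unknown_helper", e["pid"], path)
                elif e.get("team_id") != base["team_id"]:
                    # Inventoried helper, but code-signing context does not match.
                    flag("helper_signature_mismatch", e["pid"],
                         f"{path} signed by {e.get('team_id')}")
            if parent and parent["path"].startswith(HELPER_DIR) and path in INTERPRETERS:
                # Uncommon child process spawned from a privileged component.
                flag("helper_spawned_interpreter", e["pid"],
                     f"{parent['path']} -> {path}")
        elif e["type"] == "xpc_connect":
            helper = e["helper_path"]
            client = procs.get(e["client_pid"])
            base = baseline.get(helper)
            if base is None:
                flag("xpc_to_unknown_helper", e["client_pid"], helper)
            elif client is None or client.get("team_id") not in base["clients"]:
                # Client outside the set of applications known to use this helper.
                who = client["path"] if client else "<unknown process>"
                flag("unexpected_xpc_client", e["client_pid"], f"{who} -> {helper}")
    return findings


# Constructed sample events: one legitimate update flow followed by three deviations.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1,
     "path": "/Applications/Example.app/Contents/MacOS/Example", "team_id": "EXAMPLE123"},
    {"type": "exec", "pid": 101, "ppid": 1,
     "path": HELPER_DIR + "com.example.updater.helper", "team_id": "EXAMPLE123"},
    {"type": "xpc_connect", "client_pid": 100,
     "helper_path": HELPER_DIR + "com.example.updater.helper"},
    # Unsigned binary from a user directory talks to the privileged helper.
    {"type": "exec", "pid": 200, "ppid": 150,
     "path": "/Users/alice/Downloads/tool", "team_id": None},
    {"type": "xpc_connect", "client_pid": 200,
     "helper_path": HELPER_DIR + "com.example.updater.helper"},
    # The helper spawns a shell.
    {"type": "exec", "pid": 102, "ppid": 101, "path": "/bin/sh", "team_id": None},
    # A helper binary that is not in the inventory.
    {"type": "exec", "pid": 300, "ppid": 1,
     "path": HELPER_DIR + "com.unknown.helper", "team_id": "ZZZ999"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {f['detail']}")
```

The legitimate flow (signed app, matching helper, expected client) produces no findings; the three deviations each trip one rule. The `xpc_connect` record type is the part most dependent on what a given sensor collects, which is why the page lists application-to-service communication as telemetry "where collected"; the `exec` rules (unknown helper, signature mismatch, interpreter child) work from ordinary process-creation events with code-signing context attached.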

Mitigation priorities

  • Inventory macOS applications and privileged helper tools that use XPC services, prioritizing business-critical and high-risk user groups.
  • Enforce least privilege and strong application control practices where applicable to reduce opportunities for untrusted code to interact with elevated components.
  • Maintain endpoint logging and EDR coverage sufficient to reconstruct process lineage and service/helper changes during IR.
  • Review software deployment and update processes so legitimate helper changes are expected and auditable.
  • Use tabletop or detection validation exercises to confirm SOC procedures for suspected privileged execution on macOS.

Analyst notes and limits

This take is derived from DET0335 and its relationship to T1559.003 XPC Services. The detection strategy object has no official description, detection text, platforms, or tactics of its own; macOS and execution context come from the related ATT&CK technique. Local baselining is essential because XPC services are a normal macOS mechanism used by legitimate applications.

The supplied fields do not include a MITRE-provided analytic, data sources, mitigations, examples, attribution, or evidence of active exploitation. Recommendations are therefore defensive validation directions, not claims of guaranteed detection or coverage.

Official MITRE ATT&CK definition

Detect Abuse of XPC Services (T1559.003)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1559.003 | XPC Services (Sub-technique) | This object detects XPC Services.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b71bb0b45e0d9d2a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b71bb0b45e0d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0335

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.