MITRE ATT&CK® Technique

T1559.003: XPC Services

Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high-level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.[1][2]

Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.[3][4] This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct Exploitation for Privilege Escalation.

Enterprise | T1559.003 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

XPC Services matters because it is a macOS execution path where applications communicate with privileged helper services, sometimes running as root. If an application’s XPC handler accepts unsafe requests, an adversary may be able to pass malicious content through that trusted IPC channel for local code execution, potentially including privilege-escalation conditions when client validation or input sanitization is weak.

Executive priority

For leaders, this is a macOS application security and endpoint resilience issue rather than a generic malware indicator. Priority should go to identifying business-critical macOS applications that use privileged helpers or XPC services, confirming secure development review for those components, and ensuring SOC/IR teams can investigate suspicious local execution paths involving application-to-daemon communication. It is relevant to vulnerability management and compliance evidence because the ATT&CK object explicitly ties risk to improper XPC validation and sanitization, with Application Developer Guidance listed as the mitigation path.

Technical view

This is a macOS execution sub-technique under Inter-Process Communication. SOC and IR teams should validate visibility into local process execution involving applications, XPC service daemons, and privileged helper tools, especially where a non-privileged app communicates with a service running with elevated privileges. Detection content should be aligned to DET0335, but the supplied ATT&CK object does not include detection logic, so teams must test locally against known legitimate XPC behavior and application-specific baselines. Engineering review should focus on XPC protocol definitions, client validation, and sanitization of parameters handled by privileged services.

Likely telemetry

  • macOS endpoint process execution events, including parent/child process context where available
  • Activity involving XPC service daemons and third-party privileged helper tools
  • Application logs or diagnostic logs that record XPC request handling, errors, or unexpected inputs
  • Inventory of macOS applications that define XPC services or install privileged helper components
  • Vulnerability and code-review evidence for applications using XPC services, especially privileged handlers

Detection direction

  • Use DET0335 as the ATT&CK relationship anchor, but validate the actual analytic logic in the local macOS environment because the official detection field is not provided.
  • Baseline normal XPC activity for approved macOS applications and privileged helper tools; high-volume legitimate IPC can otherwise create false positives.
  • Prioritize investigation of unusual execution or request patterns where application-controlled input reaches an elevated XPC service daemon.
  • Correlate endpoint process telemetry with application inventory so analysts can distinguish expected vendor/helper behavior from unexpected or newly introduced XPC components.
  • Treat weak or missing telemetry around macOS privileged helper tools as a coverage gap for this technique.

Mitigation priorities

  • Apply M1013 Application Developer Guidance to software that implements XPC services, especially privileged service handlers.
  • Require secure design review of XPC protocol definitions, client validation, and input sanitization before deployment of macOS applications with privileged helpers.
  • Include XPC service abuse scenarios in SDLC, code review, and vulnerability management workflows for internally developed or heavily customized macOS software.
  • For incident readiness, document which macOS applications use privileged XPC services so responders can quickly assess whether suspicious execution is expected or abuse of trusted IPC.
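
The two engineering review points in the list above, client validation and input sanitization inside a privileged helper, can be illustrated with a minimal NSXPCListener delegate. The following Swift is an added example written for this page; it is not code from MITRE, Glexia, or any of the cited references. It assumes a launchd-registered helper named com.example.helper, a hypothetical HelperProtocol, a placeholder Team ID in the requirement string, and the NSXPCConnection.setCodeSigningRequirement(_:) method, which Apple added in macOS 13.

```swift
import Foundation

// Hypothetical protocol shared between the app and its privileged helper (constructed for this example).
// The client names an operation from a fixed set; it never supplies a path, command line, or script.
@objc protocol HelperProtocol {
    func restartService(named name: String, withReply reply: @escaping (Bool, String) -> Void)
}

// Allowlist of the only values the helper will act on. Service names are constructed placeholders.
let allowedServices: Set<String> = ["com.example.agent", "com.example.updater"]

final class Helper: NSObject, HelperProtocol {
    func restartService(named name: String, withReply reply: @escaping (Bool, String) -> Void) {
        // Input sanitization: compare against the allowlist instead of interpolating
        // the caller-controlled string into a command or file path.
        guard allowedServices.contains(name) else {
            reply(false, "rejected: \(name) is not an allowed service")
            return
        }
        // Privileged work (e.g. signalling launchd) would happen here using only the validated value.
        reply(true, "restarted \(name)")
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Code-signing requirement the connecting client must satisfy. "TEAMID" and the bundle
    // identifier are placeholders for the app that legitimately owns this helper.
    let clientRequirement =
        "anchor apple generic and identifier \"com.example.app\" and certificate leaf[subject.OU] = \"TEAMID\""

    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Client validation: once the requirement is set, the framework checks the peer's
        // code signature against it on every message, not just at connection time.
        if #available(macOS 13.0, *) {
            newConnection.setCodeSigningRequirement(clientRequirement)
        } else {
            // Assumption for this example: without an enforced requirement, refuse the connection
            // rather than accept messages from an unverified peer.
            return false
        }

        newConnection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        newConnection.exportedObject = Helper()
        newConnection.resume()
        return true
    }
}

// Entry point of the helper daemon: the Mach service name must match the launchd plist.
let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.helper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The point for reviewers is that both checks live in the privileged side: the delegate decides who may connect, and the exported object decides what it is willing to do with the data it receives. A helper that accepts any connection, or that builds a command from a string the client supplied, is the weak validation and sanitization condition the technique description refers to.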

Analyst notes and limits

The business value is in validating macOS-specific execution coverage and application security controls around privileged IPC. This technique is most material where organizations operate managed macOS fleets, develop macOS software, or rely on third-party applications with privileged helper tools.

The supplied ATT&CK object provides no official detection text and no procedure examples. Relationship context identifies DET0335 and M1013, but detailed detection logic and implementation measures are not included here. Local application inventory, endpoint telemetry, and code-review evidence are required to assess actual exposure or coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1559 | Inter-Process Communication | This object is a sub-technique of Inter-Process Communication.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: b221076bd04cba7f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | b221076bd04c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Apple. (2016, September 9). Creating XPC Services. Retrieved April 19, 2022.
  2. Apple. (n.d.). Designing Daemons (Apple Developer). Retrieved October 12, 2021.
  3. Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability in macOS and iOS. Retrieved October 12, 2021.
  4. Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved October 12, 2021.
  5. MITRE ATT&CK. T1559.003: XPC Services.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.