MITRE ATT&CK® Analytic

AN0948: Analytic 0948

Detects anomalous use of macOS XPC services for code execution. Monitors for processes invoking privileged XPC daemons with abnormal parameters, unexpected binaries communicating over NSXPCConnection, or helper tools executing code outside of their expected parent process lineage. Correlates process access attempts to system-level daemons, privilege escalations via XPC misconfigurations, and injection of malicious payloads through inter-process communication.

Enterprise | AN0948 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting unusual macOS use of XPC services, a legitimate inter-process communication mechanism that can also become a path for code execution when privileged helpers or daemons are misused. For leaders, the practical issue is whether endpoint monitoring can distinguish expected macOS helper activity from abnormal privileged service interaction before it becomes an incident-response blind spot.

Executive priority

Prioritize this where macOS endpoints are material to business operations, privileged user workflows, or compliance scope. The decision value is validating whether the organization has enough macOS endpoint telemetry and analyst playbooks to investigate suspicious privileged XPC activity, rather than assuming general endpoint logging covers it. This supports resilience, audit evidence for endpoint monitoring, and IR readiness for macOS-specific privilege and code-execution paths.

Technical view

For SOC and detection teams, validate visibility into macOS processes invoking privileged XPC daemons, unexpected binaries communicating via NSXPCConnection, helper tools executing outside expected parent process lineage, process access attempts to system-level daemons, possible privilege escalation through XPC misconfiguration, and payload injection through inter-process communication. Because no ATT&CK tactic or formal detection logic is supplied, implementation should be treated as a behavior-focused macOS detection engineering task requiring local baselining of legitimate helper tools and daemon communication patterns.

Likely telemetry

  • macOS endpoint process creation and parent-child process lineage
  • Process-to-process or IPC-related telemetry involving XPC or NSXPCConnection where available
  • Events showing interaction with privileged or system-level daemons
  • Helper tool execution metadata, including signer, path, parent process, and command parameters
  • Privilege escalation or authorization events associated with macOS helper services

Detection direction

  • Baseline normal privileged XPC daemon usage and helper tool parent-child relationships on managed macOS systems.
  • Tune for abnormal parameters, unexpected binaries communicating with privileged services, and helper execution outside expected lineage.
  • Correlate XPC-related anomalies with process access attempts, privilege changes, and suspicious code execution indicators instead of alerting on XPC activity alone.
  • Expect false positives from legitimate administrative tools, software updaters, security agents, and enterprise management utilities that use privileged helpers.
  • Validate whether the telemetry source actually exposes XPC/NSXPCConnection-relevant behavior; many environments may only see indirect evidence through process, daemon, and privilege events.
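As an added illustration of the baseline-and-correlate approach above (not part of the MITRE analytic or Glexia's text), the Python below runs a small helper/XPC baseline over constructed event records and only alerts when an XPC anomaly is followed by a privilege change for the same process; the paths, Mach service name and event schema are assumptions standing in for whatever the local EDR exposes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline with hypothetical paths and service name (not from any real fleet).
APP = "/Applications/Example.app/Contents/MacOS/Example"
HELPER = "/Library/PrivilegedHelperTools/com.example.helper"
HELPER_PARENTS = {HELPER: {APP}}                 # helper -> parents allowed to launch it
SERVICE_CLIENTS = {"com.example.helper": {APP}}  # Mach service -> expected client binaries

@dataclass
class Event:
    ts: datetime
    kind: str          # "exec", "xpc_connect" or "priv_change"
    pid: int
    path: str          # executing or connecting binary
    parent: str = ""   # exec: parent process image
    service: str = ""  # xpc_connect: Mach service name
    euid: int = 501    # priv_change: resulting effective uid

def detect(events, window=timedelta(seconds=30)):
    """Return (alerts, anomalies). Anomalies are deviations from the XPC/helper
    baseline; an alert fires only when the same pid changes to euid 0 within
    `window` after one of its anomalies, so XPC activity alone never alerts."""
    anomalies, alerts = [], []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "exec" and e.parent not in HELPER_PARENTS.get(e.path, {e.parent}):
            anomalies.append((e.ts, e.pid, f"{e.path} launched by unexpected parent {e.parent}"))
        elif e.kind == "xpc_connect" and e.path not in SERVICE_CLIENTS.get(e.service, {e.path}):
            anomalies.append((e.ts, e.pid, f"{e.path} connected to privileged service {e.service}"))
        elif e.kind == "priv_change" and e.euid == 0:
            for ts, pid, reason in anomalies:
                if pid == e.pid and timedelta(0) <= e.ts - ts <= window:
                    alerts.append(f"pid {pid}: {reason}; euid 0 at {e.ts.isoformat()}")
    return alerts, anomalies

# Constructed sample telemetry: a legitimate helper launch and client connection,
# an unknown binary talking to the privileged service and then gaining root,
# and a helper launched from a shell with no follow-on privilege change.
T0 = datetime(2026, 1, 10, 9, 0, 0)
SAMPLE = [
    Event(T0, "exec", 501, HELPER, parent=APP),
    Event(T0 + timedelta(seconds=1), "xpc_connect", 600, APP, service="com.example.helper"),
    Event(T0 + timedelta(seconds=2), "xpc_connect", 4242, "/tmp/unknown_bin", service="com.example.helper"),
    Event(T0 + timedelta(seconds=7), "priv_change", 4242, "/tmp/unknown_bin", euid=0),
    Event(T0 + timedelta(seconds=9), "exec", 5000, HELPER, parent="/bin/bash"),
]
```

Running `detect(SAMPLE)` yields one alert (pid 4242) and two anomalies; the shell-launched helper stays a hunting lead rather than an alert because no privilege change follows it within the window.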

Mitigation priorities

  • Inventory business-critical macOS systems and confirm endpoint monitoring coverage for process lineage, privileged helper execution, and daemon interaction.
  • Harden and review privileged helper tools and service configurations where local policy allows, especially unexpected binaries or paths.
  • Restrict administrative privileges and manage authorization paths to reduce the value of abusing privileged XPC services.
  • Create IR triage guidance for suspicious macOS helper or daemon activity, including expected parent processes, binary locations, and change history.
  • Use detection testing and local baselining to produce compliance-ready evidence that macOS endpoint behavior is monitored, not just enrolled in tooling.

Analyst notes and limits

This object is a detection analytic for macOS only. The supplied description provides useful behavior themes, but there are no linked ATT&CK relationships, no tactic mapping, and no official detection logic. Treat this as guidance for coverage validation and detection design rather than a complete rule.

Assessment is limited to the official STIX fields, the external MITRE reference, and the supplied description. No active exploitation, adversary attribution, business impact, or guaranteed detection coverage is implied. Local macOS fleet configuration, EDR capability, and normal helper-service behavior are required to operationalize this analytic.

Official MITRE ATT&CK definition

Analytic 0948

Detects anomalous use of macOS XPC services for code execution. Monitors for processes invoking privileged XPC daemons with abnormal parameters, unexpected binaries communicating over NSXPCConnection, or helper tools executing code outside of their expected parent process lineage. Correlates process access attempts to system-level daemons, privilege escalations via XPC misconfigurations, and injection of malicious payloads through inter-process communication.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 223c9762948971fe...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 223c97629489…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0948

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.