Intelligence Center
The article details how threat actors can leverage native macOS binaries and protocols (Living-off-the-Land) to execute code, move laterally, and transfer tools while evading traditional security telemetry. By abusing Remote Application Scripting (RAS), Spotlight metadata, and built-in networking utilities, attackers can orchestrate fleet-wide compromises that bypass standard SSH-centric monitoring.
Authors: William Charles Gibson, Ryan Conry
Source:
Cisco Talos
- filename~/Library/LaunchAgents/com.user.update.plistMalicious LaunchAgent plist used for persistence to extract and execute payloads from Finder comments at login.
- md545077cf4716b9091d2a554d03caca964MD5 hash of the payload transferred and reassembled via SNMP traps.
- urleppc://Remote Apple Events protocol URI scheme abused for lateral movement and remote execution.
Key Takeaways
- Adversaries can bypass macOS security controls by weaponizing native features like Remote Application Scripting (RAS) and Spotlight metadata.
- Spotlight metadata (Finder comments) can be abused to stage payloads, evading static file analysis.
- Native protocols like SMB, Netcat, Git, TFTP, and SNMP can be repurposed for lateral tool transfer outside standard SSH telemetry.
- Defenders must shift focus from static file scanning to monitoring process lineage, IPC anomalies, and enforcing MDM policies.
Affected Systems
- macOS
Attack Chain
The attacker initiates lateral movement by leveraging Remote Application Scripting (RAE) via the eppc:// protocol or osascript over SSH. To evade static analysis, payloads are base64-encoded and staged within Spotlight metadata (Finder comments). Execution is triggered by proxying commands through Terminal.app or extracting the metadata via mdls and piping it to bash, with persistence established via LaunchAgents. Finally, the attacker transfers additional tools using native protocols like socat, SMB, Git, TFTP, or by chunking data over SNMP traps.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: OCSF
The article provides high-level behavioral detection concepts mapped to the Open Cybersecurity Schema Framework (OCSF), focusing on process lineage and metadata anomalies, but does not provide ready-to-use query syntax.
Detection Engineering Assessment
EDR Visibility: Medium — Standard EDRs often lack deep visibility into Apple Events (IPC) and Spotlight metadata modifications, though they can catch the resulting shell executions and process lineages. Network Visibility: Medium — Traffic over eppc (port 3031), TFTP (port 69), and SNMP (port 162) can be monitored, but SSH-tunneled activity or standard SMB/Git traffic blends in with legitimate developer behavior. Detection Difficulty: Hard — The techniques rely entirely on native, legitimate administrative tools and IPC mechanisms, making it difficult to distinguish malicious activity from normal DevOps or sysadmin automation without high false positives.
Required Log Sources
- Process Execution Logs
- Network Flow Logs
- File System Events (FSEvents)
- macOS Unified Log (AppleEventsD)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for process trees where launchd spawns AppleEventsD, which then spawns Terminal, followed by shell execution. | Process Execution Logs | Execution | Low |
| Monitor for frequent or unusual command-line executions of mdls querying kMDItemFinderComment or writes to com.apple.metadata:kMDItemFinderComment. | Process Execution Logs / File System Events | Defense Evasion | Medium |
| Detect base64 decode commands originating from GUI applications or osascript executions containing eppc:// URIs. | Process Execution Logs | Execution | Low |
| Identify inbound TCP connections on port 3031 (eppc) originating from non-administrative IP ranges. | Network Flow Logs | Lateral Movement | Medium |
Control Gaps
- Lack of IPC (Apple Events) monitoring
- Blind spots in Spotlight metadata/extended attribute scanning
- Over-reliance on SSH telemetry for remote shell detection
Key Behavioral Indicators
- Process lineage: launchd -> AppleEventsD -> Terminal -> sh/bash
- osascript arguments containing 'eppc://'
- mdls querying kMDItemFinderComment piped to base64 or bash
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Disable Remote Apple Events (RAE) and Remote Login (SSH) on non-administrative hosts via MDM.
- Disable unnecessary network-facing services like tftpd and snmpd using launchctl.
Infrastructure Hardening
- Enforce strict TCC (Transparency, Consent, and Control) policies via MDM to block unauthorized Apple Events between applications.
- Enable the built-in macOS application firewall and configure it in 'Stealth Mode'.
User Protection
- Deploy EDR solutions capable of monitoring macOS process lineage and inter-process communication (IPC).
Security Awareness
- Educate security operations teams on macOS-specific LOTL techniques and the limitations of traditional file-based scanning.
MITRE ATT&CK Mapping
- T1072 - Software Deployment Tools
- T1021.005 - Remote Services: VNC / Mac Screen Sharing
- T1570 - Lateral Tool Transfer
- T1564.004 - Hide Artifacts: NTFS File Attributes / Extended Attributes
- T1059.002 - Command and Scripting Interpreter: AppleScript
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1543.001 - Create or Modify System Process: Launch Agent
Additional IOCs
- Ips:
15[.]157[.]66[.]164- Target IP address used in Remote Apple Event direct execution test.10[.]0[.]0[.]2- Target IPv4 address shown in osascript system info output.
- File Hashes:
45077cf4716b9091d2a554d03caca964(MD5) - MD5 hash of the payload transferred and reassembled via SNMP traps.
- File Paths:
~/Library/LaunchAgents/com.user.update.plist- LaunchAgent plist used for persistence./tmp/com.user.tftp.plist- User-created plist to load an unprivileged TFTP server./private/tftpboot/payload.sh- Payload file path used during TFTP transfer./usr/local/bin/trap_handler.sh- Script used to handle and reassemble incoming SNMP traps./tmp/snmp_transfers/- Directory used to store chunked SNMP transfer data.
- Command Lines:
- Purpose: Execute base64 payload via Terminal proxy over Remote Apple Events to bypass execution restrictions. | Tools:
osascript,base64| Stage: Execution - Purpose: Extract and execute a payload hidden in a file's Spotlight metadata (Finder comment). | Tools:
mdls,base64,bash| Stage: Execution |mdls -name kMDItemFinderComment -raw - Purpose: Establish an interactive reverse shell listener on the target without using SSH. | Tools:
socat,bash| Stage: Execution |socat tcp-listen:5555,reuseaddr,fork exec: - Purpose: Mount a remote SMB share without requiring GUI interaction. | Tools:
osascript| Stage: Lateral Movement |osascript -e 'mount volume "smb:// - Purpose: Start the built-in TFTP server for file transfer. | Tools:
launchctl| Stage: Lateral Movement |sudo launchctl load -w /System/Library/LaunchDaemons/tftp.plist
- Purpose: Execute base64 payload via Terminal proxy over Remote Apple Events to bypass execution restrictions. | Tools:
- Other:
1.3.6.1.4.1.99999- Custom SNMP OID used for data transfer.com.apple.metadata:kMDItemFinderComment- Spotlight metadata extended attribute.