“scripting (RAS, formerly known as Remote Apple Events or RAE) was introduced to extend the capabilities of the AppleScript inter-process communication (IPC) framework across a network. By utilizing the Electronic Program-to-Program Communication (“EPPC”) protocol, a…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (98%)
“-in TFTP plist activates the server in a single command: this serves “/private/tftpboot” on the standard TFTP port (UDP 69). The TFTP system plist does not provide the -w flag to the tftpd process. Without it, the server only allows writes to files that already exist. A…”
T1572 Protocol Tunneling (97%)
“TCP port with PTY allocation, and the attacker connects to it from a remote machine. On the target, the listener spawns an interactive bash session for each incoming connection with PTY forwarding: from the attacking machine, connecting to the listener provides a fully interacti…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (96%)
“git refuses pushes to a branch that is currently checked out on the remote. This setting overrides that behavior and updates the working tree on push, landing files on disk the moment the operation completes. First, a receiving repository is initialized on the target over SSH: o…”
T1543.001 Launch Agent (95%)
“file command handles the creation of the target file, ensuring that no pre-existing file is required: the payload resides entirely within the Spotlight metadata, a location that remains largely unexamined by standard endpoint detection and response (EDR) solutions. This crea…”
T1059.004 Unix Shell (94%)
“from static file analysis to the monitoring of process lineage, inter-process communication, and metadata anomalies, these "bad apples" can be identified and neutralized. As macOS continues its expansion into the enterprise core, the documentation and detection of these nativ…”
T1021.002 SMB/Windows Admin Shares (92%)
“victim requires SSH access. The following command creates a shared directory, loads the SMB daemon, and creates the share. With the share created, the next step is mounting it from the attacker machine. Attempting this action with the mount command failed due to an authentication…”
T1548.006 TCC Manipulation (91%)
“mitigate the risks associated with native primitive abuse: - Transparency, Consent, and Control (TCC) restrictions: the "Automation" category within TCC is designed to regulate inter-application communication. By enforcing strict TCC policies via mobile device management …”
T1059.002 AppleScript (90%)
“the facilitation of inter-process communication (IPC) across a network. In a lateral movement context, RAS is utilized to control remote applications by targeting the “eppc://” URI. This allows for the remote manipulation of the file system or the retrieval of sensitive …”
T1059.002 AppleScript (88%)
“Bad Apples: weaponizing native macOS primitives for movement and execution - As macOS adoption grows among developers and DevOps, it has become a high value target; however, native "living-off-the-land" (LOTL) techniques for the platform remain significantly under-d…”
T1059.002 AppleScript (82%)
“the -10016 handler error. This restriction prevents the “System Events” application from executing remote shell commands via do shell script, even when RAS is globally enabled. To bypass this, a methodology was developed that treats “Terminal.app” as an execution proxy. Unl…”
T1570 Lateral Tool Transfer (82%)
“it is worth noting that macOS prompts the user to approve the bash execution at login, which is a visible indicator of background activity. The plist contains no payload, only a reference to metadata, so static analysis of the LaunchAgent would not reveal the malicious content. L…”
T1059.004 Unix Shell (67%)
“can be invoked directly over SSH. Passing osascript the system info command over SSH returns critical environmental details: for arbitrary command execution, AppleScript's do shell script handler can be invoked over SSH. In the following example, do shell script is used to wri…”
T1572 Protocol Tunneling (65%)
“snmptrapd daemon is then configured on the target to route all incoming traps to the handler and started in the foreground: on the sender, a script handles the encoding, chunking, and transmission. Each chunk is sent as a separate SNMP trap with a short delay between sends to a…”
T1055.001 Dynamic-link Library Injection (62%)
“mitigate the risks associated with native primitive abuse: - Transparency, Consent, and Control (TCC) restrictions: the "Automation" category within TCC is designed to regulate inter-application communication. By enforcing strict TCC policies via mobile device management …”
T1059 Command and Scripting Interpreter (57%)
“the -10016 handler error. This restriction prevents the “System Events” application from executing remote shell commands via do shell script, even when RAS is globally enabled. To bypass this, a methodology was developed that treats “Terminal.app” as an execution proxy. Unl…”
T1059.004 Unix Shell (56%)
“Bad Apples: weaponizing native macOS primitives for movement and execution - As macOS adoption grows among developers and DevOps, it has become a high value target; however, native "living-off-the-land" (LOTL) techniques for the platform remain significantly under-d…”
T1106 Native API (49%)
“the traditional "security through obscurity" narrative surrounding the OS has been rendered obsolete. Mac endpoints, once relegated to creative departments, are now the primary workstations for developers, DevOps engineers, and system administrators. Consequently, these machine…”
T1021.002 SMB/Windows Admin Shares (45%)
“it is worth noting that macOS prompts the user to approve the bash execution at login, which is a visible indicator of background activity. The plist contains no payload, only a reference to metadata, so static analysis of the LaunchAgent would not reveal the malicious content. L…”
T1059 Command and Scripting Interpreter (40%)
“scripting (RAS, formerly known as Remote Apple Events or RAE) was introduced to extend the capabilities of the AppleScript inter-process communication (IPC) framework across a network. By utilizing the Electronic Program-to-Program Communication (“EPPC”) protocol, a…”
T1105 Ingress Tool Transfer (38%)
“arbitrary TCP and UDP connections, listen on ports, and pass data between them. The simplest pattern involves piping commands directly into a netcat listener. On the target, a listener is established that pipes incoming data directly to sh: from the attacking machine, a command …”
T1570 Lateral Tool Transfer (36%)
“arbitrary TCP and UDP connections, listen on ports, and pass data between them. The simplest pattern involves piping commands directly into a netcat listener. On the target, a listener is established that pipes incoming data directly to sh: from the attacking machine, a command …”
T1059.004 Unix Shell (36%)
“the -10016 handler error. This restriction prevents the “System Events” application from executing remote shell commands via do shell script, even when RAS is globally enabled. To bypass this, a methodology was developed that treats “Terminal.app” as an execution proxy. Unl…”
T1021 Remote Services (31%)
“data transfer channels. - Application Firewall and stealth mode: the built-in macOS application firewall should be enabled and configured in "stealth mode." This configuration ensures the device does not respond to unsolicited ICMP or connection attempts on common ports, red…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (31%)
“string data under custom OIDs, which can be repurposed as a data transfer channel. macOS ships with the necessary Net-SNMP tools: snmptrap (“/usr/bin/snmptrap”) on the sender and snmptrapd (“/usr/sbin/snmptrapd”) on the receiver. The approach works by base64 …”
Summary
Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture.