“/SystemExtensions/3717fa1c-d89c-4c76-a29f-094115bb4113/com.intego.app.netbarrier.firewall.extension.systemextension/Contents/MacOS/com.intego.app.netbarrier.firewall.extension Reverse engineering of the XPC communication mechanism Now that the initia…”
T1543.004 Launch Daemon (94%)
“…OS. Apple's official documentation describes how launchd and /Library/LaunchDaemons/ are used to install and manage system-wide jobs. Daemons identification from looking at /Library/LaunchDaemons/ After analyzing the configured daemons we will compare that list agai…”
T1559.003 XPC Services (92%)
“…ds[i], strerror(errno)); } else { printf("[*] killed pid %d\n", pids[i]); } } } return 0; } // Compilation of the exploit: // `clang -framework Foundation -o exploit exploit.m` Figure 21 - Method -getTrustedFiles: triggered remotely by our explo…”
T1559.003 XPC Services (91%)
“…ceptNewConnection:. The access control logic for the XPC service is implemented by class NTGCodeSigningVerifier, primarily within the verifyXPCConnection:error: method. In essence, the routine is responsible for deciding whether an incoming XPC client may connect. The NTGCo…”
T1559.003 XPC Services (90%)
“…ction:. Error message implying that the PID is used to check the validity of the authentication: warning - code signing verification - use process identifier to check xpc connection: %d code signing verification - unable to identify guest for pid (%d) using audit token, …”
T1559.003 XPC Services (77%)
“…methods of this binary in a graph form. Figure 14 - List of exposed methods for binary virusbarriers. The methods exposed by the other binaries are provided in the appendix. Once the methods have been enumerated (via protocol_t and NSXPCInterface analysis), observation and pr…”
T1559.003 XPC Services (69%)
“This design transforms low-level Mach message exchanges into high-level remote method invocations. An NSXPCInterface represents the contract between a client and its XPC service. It describes which methods are available, what argument and return types they accept, and which class…”
T1559.003 XPC Services (65%)
“…method responsible for handling incoming client connections. By identifying where and how this method is invoked, we can understand how the XPC service validates new connections. Figure 2 - Filter on method listener:shouldAcceptNewConnection:. We can therefore identify that me…”
T1055.001 Dynamic-link Library Injection (48%)
“…extract the paths and represented this in the form of a tree: - /Library/ (dir) - intego/ (dir) - integod (binary) - taskmanager/ (dir) - taskmanagerdaemon (binary) - contentbarrier.bundle/Contents/MacOS/contentbarrier daemon.app/Contents/MacOS/ (dir …”
T1055.001 Dynamic-link Library Injection (36%)
“…ve }); }); After loading the hook script with Frida, we can see that accessing the Trusted Files (Fichiers de confiance) tab in the GUI correctly triggers the hooked method (getTrustedFiles:). Figure 20 - Normal triggering of method -getTrustedFiles:. PID reuse attac…”
T1559.003 XPC Services (35%)
“…entifiers and encoding their arguments and return values. The protocols defined and exposed by a service can be discovered by locating calls to the method interfaceWithProtocol:. The method interfaceWithProtocol: is a method of NSXPCInterface that creates and returns a new in…”
T1559.003 XPC Services (32%)
“Intego X9: Why your macOS antivirus should not trust PIDs Introduction Today's post dives into a practical reverse engineering exercise focused on Intego (for macOS). We will first use static analysis with Ghidra to inspect how a privileged process exposes Mach services via …”
Summary
This blog post dives into the most common classes of macOS Local Privilege Escalation vulnerabilities, from time-of-check to time-of-use (TOCTOU) Race Conditions and insecure XPC communications to a range of implementation and configuration oversights. We will explore how attackers can exploit these weaknesses to escalate privileges, and highlight real-world examples to illustrate recurring patterns.