“Intego X9: When Your macOS Antivirus Becomes Your Enemy. Author's note: this article is part of a series of blog posts dedicated to identifying vulnerabilities in third-party macOS applications. The goal is to document real-world flaws and explain the techniques used to discove…”
T1068 Exploitation for Privilege Escalation (84%)
“sudo). The command proceeds to execute the tool_helper binary, which resides inside the IntegoLogReporter.app bundle. Figure 2 - security_authtrampoline documentation. To understand how AuthorizationExecuteWithPrivileges() works, we invite you to read Patrick Wardle's a…”
T1490 Inhibit System Recovery (61%)
“that spans from antivirus, firewall, parental control, system-cleaning to optimization tools, backup solutions, and privacy/VPN utilities. In this article I present the results of research outlining identification and exploitation of several vulnerabilities that enabled compr…”
T1068 Exploitation for Privilege Escalation (53%)
“vulnerabilities were discovered and disclosed to the vendor, though only two will be discussed in detail in this blog post; the others will be published later: Intego Log Reporter local privilege escalation (as root), Intego Personal Backup local privilege escalation (as root…”
T1059.004 Unix Shell (50%)
“##porter.app/.../IntegoLogReporter function: AppDelegate::buildReport:() As shown in the output of the ps command below, the vulnerable script is running as root. command: ps aux | grep idiagnose output: root 662 0,0 0,0 408507968 2832 s000 S+ 7:35 0:00.00 /…”
T1556.003 Pluggable Authentication Modules (45%)
“. We created a second backup task and performed a comparison (diff) with the original to identify any data changes. To make the differences easier to spot, we deliberately modified the source and destination paths. Our analysis indicates that, aside from the expected changes in…”
T1068 Exploitation for Privilege Escalation (42%)
“-type d | while IFS= read -r d; do settingsfile="${d}/notificationstore.json"; if [ -f "${settingsfile}" ]; then filename=$(basename "${d}"); /bin/cp "${settingsfile}" "${notifications_directory}/firefox-${filename}-notification…”
T1204.002 Malicious File (41%)
“exploit the race condition. These threads create directories and symbolic links in the /tmp directory at the precise moment when the script is running. This timing flaw allows files to be copied into arbitrary target directories (here, /etc/sudoers.d/ was chosen as a targe…”
T1074.001 Local Data Staging (36%)
“filesystem that standard users cannot reach. The elevated access enables Intego Log Reporter to retrieve system logs, configuration files, and diagnostic information from protected directories, providing deeper visibility for analysis and troubleshooting purposes. The information…”
Summary
This blog post dives into the most common classes of macOS Local Privilege Escalation vulnerabilities, from time-of-check to time-of-use (TOCTOU) Race Conditions and insecure XPC communications to a range of implementation and configuration oversights. We will explore how attackers can exploit these weaknesses to escalate privileges, and highlight real-world examples to illustrate recurring patterns.