A few days ago, Cisco Talos published research that should concern anyone responsible for securing Mac fleets in the enterprise. Their report, titled “Bad Apples,” systematically demonstrates how attackers can weaponize native macOS primitives for execution and lateral movement without dropping a single custom binary.

cover

The timing is striking: over 45 percent of organizations now use macOS as a primary platform, yet detection capabilities for these techniques remain significantly underdeveloped compared to Windows. What makes this research particularly valuable is that it doesn’t rely on zero-days or exotic vulnerabilities. Instead, it shows how the same administrative features designed for DevOps convenience become potent attack vectors when repurposed.

The evolution from LOLBins to LOOBins

The concept of living off the land has been well-documented in the Windows ecosystem for years. The LOLBAS Project catalogued hundreds of binaries that can be abused for malicious purposes, from certutil to powershell.exe. Security teams built detection rules, threat hunters developed hunting playbooks, and EDR solutions learned to recognize the patterns. The same philosophy applies to Linux with GTFOBins. But macOS sat in an uncomfortable middle ground, neither fully Windows nor fully Unix, and attackers noticed.

The term LOOBins, short for “Living Off the Orchard,” was coined to describe native macOS binaries that can be abused for malicious activity. The name is intentionally parallel to LOLBins, signaling that the concept is the same even if the ecosystem differs. Unlike Windows where LOLBins typically abuse command-line utilities, macOS offers a richer set of native primitives including the Open Scripting Architecture, inter-process communication via Apple Events, and Spotlight metadata system. Each of these represents a pathway that security teams rarely monitor.

The enterprise blind spot is significant. According to research published on Infosecurity Magazine, nearly half of organizations now have macOS endpoints exposed in some capacity, yet detection rules for these platforms remain sparse. Attackers compound this knowledge gap by understanding that most endpoint detection and response solutions were built with Windows process trees in mind, leaving macOS-native IPC and automation mechanisms largely opaque to security telemetry.

The Cisco Talos research fills this gap by systematically validating which native macOS features can be weaponized and documenting exactly how they work. Their findings show that the attack surface on macOS is not just different from Windows, it’s broader in ways that many defenders don’t appreciate.

Native macOS primitives that become weapons

Understanding LOOBins requires understanding what makes macOS different. The operating system ships with a rich automation framework that predates modern containerization and DevOps practices, and this foundation creates opportunities that don’t exist on other platforms.

The Remote Application Scripting framework, formerly known as Remote Apple Events, allows one macOS machine to send commands to another across a network. It uses the eppc:// protocol and the AppleEventsD daemon to process high-level commands remotely. Essentially, it’s a way to programmatically control applications on a remote Mac, and it was designed for legitimate software deployment and administrative automation. The Talos research demonstrates how this can be repurposed as a software deployment tool using MITRE ATT&CK technique T1072.

The osascript utility provides access to AppleScript and JXA execution from the command line. While AppleScript is often dismissed as a beginner’s automation tool, it exposes powerful inter-process communication capabilities through Apple Events. When invoked from SSH, it can execute shell commands through the do shell script handler, providing a way to run arbitrary commands that may bypass detection mechanisms focused on traditional process spawning.

The nscurl utility is macOS’s native HTTP client, essentially a curl variant that ships with the operating system. Like its Unix counterpart, it can download payloads from arbitrary URLs, but it operates through a macOS-specific framework that may not be monitored by tools looking for Linux-style curl invocations.

The Spotlight metadata system stores file attributes including the Finder Comment field (kMDItemFinderComment) as extended attributes. This data is indexed and searchable by the operating system, but it’s typically ignored by security tools focused on file contents. The research shows how malicious payloads can be stored entirely in metadata, bypassing static file analysis entirely.

The LOOBins GitHub repository maintains a community-maintained catalog of these binaries with practical examples. Unlike the LOLBAS Project which has years of community contribution, LOOBins is still maturing, but it provides a starting point for understanding what’s available.

Execution and lateral movement techniques

The Talos research documents specific techniques across multiple categories that warrant detailed examination. Their companion research on hunting for LOLBins provides additional detection context.

Remote execution through Terminal.app proxy

Remote Application Scripting has intentional security restrictions that prevent certain operations. When attempting to execute shell commands through System Events, macOS returns a -10016 Handler Error, blocking the attack. But the research found a bypass: treating Terminal.app as an execution proxy. Since Terminal is designed for shell interaction, it accepts remote do script commands that would be blocked elsewhere.

The technique uses Base64 encoding to transport multi-line scripts as alphanumeric strings. First, a Remote Application Scripting command instructs the remote Terminal to decode the Base64 string into a temporary file and apply chmod +x. Second, a second command explicitly invokes the script through bash, ensuring proper shell context. This two-stage process bypasses AppleScript parsing limitations while maintaining payload integrity.

The attack flow operates entirely through Apple Events rather than spawning shell processes in the traditional sense. Most endpoint detection tooling has less visibility into IPC-driven actions than standard process trees, creating a significant detection gap.

Alternative execution via osascript over SSH

Beyond Remote Application Scripting, osascript can be invoked directly over SSH. This provides access to GUI automation and Finder manipulation through Apple Events rather than spawning shell processes. The telemetry difference is substantial: where a traditional attack spawns a bash or sh process visible in process trees, an osascript execution may only show the SSH session and the parent application activity.

The command osascript -e 'system info' returns critical environmental details when executed over SSH. For arbitrary command execution, the do shell script handler can create files, execute programs, or perform any operation available to the shell, all without creating the typical process artifacts that detection rules look for.

Data transfer using Finder metadata

One of the most interesting techniques involves storing payloads in Spotlight metadata rather than files. Remote Application Scripting can set the Finder Comment field (kMDItemFinderComment) on any file on a remote Mac through the eppc:// protocol. The comment can contain Base64-encoded payloads up to several kilobytes, creating a staging area that exists entirely outside normal file systems.

On the target, extraction is a single line: mdls reads the comment, base64 -D decodes it, and the result pipes to bash. The payload never touches the file system’s data fork, meaning traditional file scanning and static analysis tools miss it entirely.

This technique can be combined with a LaunchAgent for persistence. A plist in ~/Library/LaunchAgents that executes the extraction chain at user login runs the payload automatically each time the user logs in. The plist contains no malicious content, only references to metadata, so static analysis of the LaunchAgent would not reveal the attack. The one caveat: macOS prompts the user to approve bash execution at login, which is a visible indicator.

Lateral movement through built-in protocols

Once attackers achieve execution, they need to move their toolkit across the environment. Several native protocols were validated for tool transfer.

SMB-based transfer. macOS includes native SMB client and server functionality. An attacker with SSH access can configure a shared directory, load the SMB daemon, and create a share. From there, mounting the share provides access to the file as if it were local. The key insight is that this requires no additional tools or downloads; everything needed ships with the operating system.

Netcat-based transfer. The nc utility ships with macOS and can establish listeners that pipe data to shell commands. Combined with HTTP server capabilities for serving files, it creates an ad-hoc file transfer channel that uses only built-in tools.

Git-based transfer. With git ubiquitous on developer machines, the technique of initializing a repository on target and setting receive.denyCurrentBranch updateInstead allows pushing files directly to the remote. The operation uses SSH for transport, making it encrypted and authenticated by default.

TFTP transfer. The Trivial File Transfer Protocol operates over UDP without authentication. macOS includes both TFTP server and client. The server is not active by default but can be started through launchd. With root access, a single command activates the system’s built-in TFTP plist, serving files from /private/tftpboot. Without root, a user-level plist can activate the server on a non-standard port.

SNMP trap-based transfer. SNMP tools ship with macOS (snmptrap and snmptrapd). The technique Base64-encodes a file, splits it into chunks, and sends each chunk as an SNMP trap under a custom OID. The receiver reassembles chunks and decodes the file. This is entirely unencrypted and unauthenticated, but it operates over a protocol that most networks permit.

Socat tunnels. The socat utility can establish bidirectional data streams between endpoints, creating interactive shells without relying on SSH. The attack flow uses pty allocation to provide a proper terminal, and stderr forwarding gives the connecting client full terminal output. The key detection challenge: there are no sshd logs, PAM authentication events, or authorized_keys to monitor. Detection pipelines built around SSH telemetry would not catch this activity.

Indicators of compromise

Detecting LOOBins-based attacks requires shifting from network-focused alerts to process lineage analysis and metadata monitoring.

Process tree anomalies

Suspicious lineage patterns include: launchd -> AppleEventsD -> Terminal -> sh/bash sequence indicates Remote Application Scripting being used for execution. launchd -> osascript with Apple Events arguments suggests remote script execution. Any process spawning base64 -decode originating from GUI applications rather than command-line tools warrants investigation.

The process parent-child relationship tells a story that simple process monitoring misses. When Terminal or osascript spawns shell processes, it may indicate malicious scripts even if those individual processes would not trigger alerts.

Metadata monitoring

Frequent or unusual calls to mdls that query the kMDItemFinderComment attribute may indicate payload extraction. Writes to com.apple.metadata:kMDItemFinderComment represent explicit staging behavior. Most endpoint detection solutions don’t monitor extended attributes, creating a gap that LOOBins exploit.

Network indicators

Inbound TCP traffic on port 3031 (the eppc port) should be rare on most networks. Unusual TFTP or SNMP traffic on internal LAN segments, particularly to systems that shouldn’t be providing these services, represents potential unauthorized activity. That said, network indicators alone won’t catch the initial execution, which often operates over legitimate ports.

Command-line anomalies

The research identified several patterns worth monitoring: osascript executions containing of machine "eppc://..." arguments indicate remote application scripting. nscurl with external URLs, particularly to paste sites or known payload hosting, represents download activity. Base64 decoding activity that originates from GUI applications rather than the terminal suggests the metadata staging technique.

The IC3 FBI published guidance on living-off-the-land attacks that includes additional context for detecting these techniques. Their recommendations emphasize that monitoring should extend beyond the endpoints themselves to include authentication logs, network flow data, and cloud service logs.

Detection and hardening strategies

Shifting from detection to defense requires understanding what controls macOS provides and where they need to be supplemented.

Hardening recommendations

The built-in macOS security mechanisms can be configured to reduce the attack surface. Transparency, Consent, and Control (TCC) restrictions in the “Automation” category regulate inter-application communication. Enforcing strict TCC policies through Mobile Device Management blocks unauthorized Apple Events between applications, preventing scripts from controlling Terminal or Finder without user consent.

Remote Application Scripting and Remote Login (SSH) should be disabled by default across the fleet. Using MDM configuration profiles, specifically the com.apple.RemoteAppleEvents payload, ensures these services are only active on authorized administrative hosts. For systems that don’t need remote administration, turning these off eliminates entire technique categories.

Unnecessary network services should be explicitly disabled. The TFTP and SNMP daemons can be prevented through removing their launchd plists or using launchctl disable commands. This prevents their use as ad-hoc data transfer channels.

The macOS application firewall should be enabled and configured in Stealth Mode. This ensures the device doesn’t respond to unsolicited ICMP or connection attempts on common ports, reducing visibility during internal reconnaissance.

Detection tooling

For organizations with endpoint detection capabilities, several detection approaches apply. Process lineage monitoring catches unusual parent-child relationships. YARA-X rules can scan for suspicious command-line patterns. Sigma rules can detect the specific process trees associated with these techniques.

My recent article on threat hunting with YARA-X covers how to write rules for detecting these patterns. The memory-safe Rust-based engine handles complex patterns efficiently, making it practical for production scanning.

For macOS-specific detection, analyzing extended attributes requires tools that can parse Spotlight metadata. The Rud.is blog documented techniques for extracting indicators of compromise from macOS systems, including approaches that apply to these metadata-based techniques.

The Deepstrike analysis of living-off-the-land techniques provides additional context for understanding how detection differs across platforms.

I’ve also covered related topics like Signal notification forensics and Apple Watch forensics, demonstrating how deeply integrated Apple platforms are in enterprise environments.

Threat hunting

Proactively hunting for these techniques requires correlation across multiple data sources. Process execution logs combined with network connection logs can reveal the execution patterns. Extended attribute analysis supplements traditional file scanning. Authentication logs should include Remote Application Scripting connections even when traditional SSH isn’t involved.

The hunting mindset assumes that attackers are using these techniques already, or will be soon. Building detection before widespread exploitation matters more than reacting after.

Looking ahead: the 2026 threat landscape

The Talos research arrives as the threat landscape is already shifting. Trend Micro documented Atomic Stealer, a macOS-specific information stealer distributed through OpenClaw skills, demonstrating that criminal developers are paying attention to the platform.

What’s clear is that the macOS attack surface is both vast and nuanced. The same administrative convenience that makes Macs productive for developers creates pathways that attackers can exploit. Enterprise security teams need to extend their detection capabilities beyond Windows-focused monitoring to include these native primitives.

The fundamental reality is that visibility remains the most effective deterrent. Shifting focus from static file analysis to monitoring process lineage, inter-process communication, and metadata anomalies makes these techniques detectable. As macOS continues its enterprise expansion, understanding and documenting these native techniques must remain a priority for the security community.

I’ve written extensively about memory forensics and DFIR methodology on this blog, and LOOBins represent a natural evolution in endpoint threats. My iOS forensics guide and Apple Watch forensics articles demonstrate how deeply integrated these platforms are in enterprise environments. The techniques documented by Talos don’t involve exploits or sophisticated malware; they abuse functionality that’s been present in macOS for years. Defending against them requires understanding the platform at a depth that most security training doesn’t provide. Additional detection guidance is available from Kaspersky’s LotL detection analysis.

For those responsible for Mac security in enterprise environments, the immediate next step is to assess which of these services are enabled in your fleet, implement MDM policies to disable unnecessary ones, and develop detection rules for the process patterns that matter. The attackers are already studying these techniques. Your blue team should be too.