
Overview

macOS presents a unique attack surface combining Unix foundations with Apple-specific security frameworks including TCC, SIP, Gatekeeper, and XProtect. Understanding these mechanisms is essential for both offensive security assessments and hardening.
This content is for authorized penetration testing and security research. Always obtain written permission before assessing any macOS system.

macOS Fundamentals

Files and Permissions

macOS uses a hybrid permission model combining POSIX permissions, ACLs, and extended attributes including quarantine flags.

Apple File System (APFS)

Apple File System provides snapshots, clones, encryption, and space sharing — all relevant to forensics and privilege escalation.

XNU Kernel Architecture

The XNU kernel combines the Mach microkernel with a BSD layer, providing the foundation for all macOS security controls.

Network Protocols

macOS supports Apple-specific protocols including Bonjour/mDNS, AirDrop, and AirPlay, each with its own attack surface.

macOS MDM (Mobile Device Management)

In enterprise environments, macOS systems are almost always managed by an MDM solution. From an attacker’s perspective:
  • JAMF Pro: jamf checkJSSConnection — check MDM connectivity
  • Kandji — cloud-native MDM used in many modern enterprises
An MDM can:
  • Install/remove applications and profiles
  • Create local admin accounts
  • Set firmware passwords and change FileVault keys
  • Query device state and execute scripts

MDM as a C2

A rogue MDM can be used as a command-and-control channel:
# Enroll a device in your own MDM
# Requires: CSR signed by a vendor (try https://mdmcert.download/)
# Run your own MDM: https://github.com/micromdm/micromdm

# After enrollment, the device trusts the MDM's SSL cert as a CA
# You can now sign arbitrary payloads

# Deliver mobileconfig enrollment file
# pkg file containing the mobileconfig → downloaded from Safari → auto-decompressed

Attack Surface

File Permission Vulnerabilities

If a process running as root writes a file that can be controlled by a user, privilege escalation is possible in these scenarios:
  • The file was already created/owned by the user
  • The file is writable by the user via group membership
  • The file is inside a directory owned by the user
  • The file is in a directory where the user has group write access
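The four scenarios above reduce to a few ownership and mode checks on the target file and its parent directory. The following Python helper, added here as an example and not taken from the page or any project it mentions, classifies a (file, parent directory) pair against those scenarios for a given user; it also reports two closely related cases the list does not name (a world-writable file, and a world-writable parent without the sticky bit). The `Owner` type and function names are this example's own; `audit_path` runs the same check live with `os.stat`.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Owner:
    """Ownership and mode of one path (hypothetical helper type for this example)."""
    uid: int
    gid: int
    mode: int  # full st_mode value, e.g. 0o100644 for a regular file


def user_controllable(file: Owner, parent: Owner, uid: int, gids: Sequence[int]) -> List[str]:
    """Return the scenarios that let user `uid` (member of `gids`) control `file`.

    `file` describes the path a root process writes, `parent` its containing
    directory. An empty list means none of the checked scenarios applies.
    """
    findings: List[str] = []
    # Scenario 1: the file already exists and belongs to the user.
    if file.uid == uid:
        findings.append("file owned by user")
    # Scenario 2: group write bit set and the user is in that group.
    if file.gid in gids and file.mode & stat.S_IWGRP:
        findings.append("file group-writable by user's group")
    # Scenario 3: the user owns the directory, so can rename/replace the file.
    if parent.uid == uid:
        findings.append("parent directory owned by user")
    # Scenario 4: group write on the directory for one of the user's groups.
    if parent.gid in gids and parent.mode & stat.S_IWGRP:
        findings.append("parent directory group-writable by user's group")
    # Related cases not in the list above: anyone can write the file, or
    # anyone can replace entries in the directory (no sticky bit).
    if file.mode & stat.S_IWOTH:
        findings.append("file world-writable")
    if parent.mode & stat.S_IWOTH and not parent.mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def audit_path(path: str, uid: int, gids: Sequence[int]) -> List[str]:
    """Live check of `path` on the local filesystem using os.stat."""
    st = os.stat(path)
    parent_dir = os.path.dirname(os.path.abspath(path)) or "/"
    pst = os.stat(parent_dir)
    return user_controllable(
        Owner(st.st_uid, st.st_gid, st.st_mode),
        Owner(pst.st_uid, pst.st_gid, pst.st_mode),
        uid,
        gids,
    )


if __name__ == "__main__":
    import sys

    # Usage: python3 audit.py /path/written/by/root ...
    # Checks each path from the perspective of the invoking user.
    for p in sys.argv[1:]:
        print(p, audit_path(p, os.getuid(), os.getgroups()))
```

When reviewing a root daemon or installer, feed it every path the privileged code writes; any non-empty result is a candidate for a symlink or pre-creation issue and should be fixed by writing only into root-owned, non-group-writable directories.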

File Extension and URL Scheme Handlers

Applications register themselves with Launch Services as handlers for file extensions and URL schemes, and any application can claim a given scheme. Opening a file or link of that type launches the registered handler, so an unusual or unexpected handler is worth examining: it creates potential for social engineering and sandbox escapes.
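An application declares the schemes and extensions it handles in its bundle's Info.plist, under the real keys `CFBundleURLTypes` (with `CFBundleURLSchemes`) and `CFBundleDocumentTypes` (with `CFBundleTypeExtensions`). The inventory script below is an added example, not code from the page; it reads those keys from an Info.plist and flags schemes that are not on a baseline you supply. The sample plist, the `registered_handlers` and `unexpected_schemes` names and the baseline are constructed for this example.

```python
import os
import plistlib
from typing import Dict, Iterable, Iterator, List, Set, Tuple


def registered_handlers(info_plist: bytes) -> Dict[str, List[str]]:
    """Return the URL schemes and file extensions an Info.plist registers.

    Reads CFBundleURLTypes[].CFBundleURLSchemes and
    CFBundleDocumentTypes[].CFBundleTypeExtensions (standard Info.plist keys).
    """
    plist = plistlib.loads(info_plist)
    schemes: Set[str] = set()
    for url_type in plist.get("CFBundleURLTypes", []):
        schemes.update(url_type.get("CFBundleURLSchemes", []))
    extensions: Set[str] = set()
    for doc_type in plist.get("CFBundleDocumentTypes", []):
        extensions.update(ext.lower() for ext in doc_type.get("CFBundleTypeExtensions", []))
    return {"schemes": sorted(schemes), "extensions": sorted(extensions)}


def unexpected_schemes(info_plist: bytes, baseline: Iterable[str]) -> List[str]:
    """Schemes the bundle claims that are not in the allowed baseline."""
    allowed = set(baseline)
    return [s for s in registered_handlers(info_plist)["schemes"] if s not in allowed]


def scan_applications(root: str = "/Applications") -> Iterator[Tuple[str, Dict[str, List[str]]]]:
    """Yield (bundle path, handlers) for every .app directly under `root`."""
    for name in sorted(os.listdir(root)):
        if not name.endswith(".app"):
            continue
        info_path = os.path.join(root, name, "Contents", "Info.plist")
        try:
            with open(info_path, "rb") as fh:
                yield os.path.join(root, name), registered_handlers(fh.read())
        except (FileNotFoundError, plistlib.InvalidFileException):
            continue


# Constructed sample Info.plist for a fictitious app that claims a custom scheme
# and an extension; the bundle id and scheme are placeholders for this example.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.viewer",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "Example", "CFBundleURLSchemes": ["exampleapp", "x-example"]},
    ],
    "CFBundleDocumentTypes": [
        {"CFBundleTypeName": "Example doc", "CFBundleTypeExtensions": ["EXD", "exd"]},
    ],
})


if __name__ == "__main__":
    # Report every app in /Applications that claims a scheme outside a baseline.
    known = {"http", "https", "mailto"}
    for app, handlers in scan_applications():
        extra = [s for s in handlers["schemes"] if s not in known]
        if extra:
            print(app, "claims", extra)
```

Run on a fleet, a diff of this output against a known-good inventory shows newly claimed schemes, which is the signal a defender wants when a handler has been hijacked or an unexpected application has installed itself as one.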

macOS TCC / SIP Privilege Escalation

macOS applications and binaries have granular permissions (entitlements) that control access to sensitive features:
  • TCC (Transparency, Consent, and Control) — manages app access to: Full Disk, Camera, Microphone, Contacts, Location, Photos
  • SIP (System Integrity Protection) — prevents even root from modifying system files and processes
A successful macOS compromise typically requires either escalating TCC privileges, bypassing SIP, or both. Most modern attacks chain multiple vulnerabilities to achieve this.

How TCC Privileges are Granted

  1. Entitlements — signed into the application at build time
  2. User consent — user approves via system prompt, stored in TCC databases
  3. Inheritance — child processes may inherit parent’s TCC privileges

TCC Database Locations

# User TCC database
~/Library/Application Support/com.apple.TCC/TCC.db

# System TCC database (reading it requires Full Disk Access)
/Library/Application Support/com.apple.TCC/TCC.db
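Both databases are SQLite files whose `access` table records, per client, which TCC service was granted. The audit below is an added example and not part of the page; it reports allowed grants for a subset of the sensitive services listed above and compares them against a baseline of expected grants. It assumes the macOS 11+ schema where `auth_value` is `2` for allowed (`0` denied, `1` unknown, `3` limited) and `client_type` is `0` for a bundle identifier and `1` for an absolute path; the service identifiers (`kTCCServiceSystemPolicyAllFiles` and friends) are the real TCC names, while `build_sample_db` creates a constructed, simplified copy of the table so the code runs offline.

```python
import sqlite3
from typing import Dict, List, Set, Tuple

# Real TCC service identifiers for the categories the text lists (Location is
# managed by locationd rather than this table and is omitted).
SENSITIVE_SERVICES: Dict[str, str] = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServicePhotos": "Photos",
}

# Assumed meaning of auth_value on macOS 11 and later.
AUTH_DENIED, AUTH_UNKNOWN, AUTH_ALLOWED, AUTH_LIMITED = 0, 1, 2, 3

Grant = Tuple[str, str, int]  # (client, human-readable service, client_type)


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a TCC.db read-only; the system copy needs Full Disk Access."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def grants(con: sqlite3.Connection) -> List[Grant]:
    """Allowed grants for the sensitive services, sorted for stable output."""
    rows = con.execute(
        "SELECT client, service, client_type FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,),
    ).fetchall()
    return sorted(
        (client, SENSITIVE_SERVICES[service], client_type)
        for client, service, client_type in rows
        if service in SENSITIVE_SERVICES
    )


def unexpected_grants(con: sqlite3.Connection, baseline: Dict[str, Set[str]]) -> List[Grant]:
    """Grants whose (client, service) pair is not in `baseline`."""
    return [g for g in grants(con) if g[1] not in baseline.get(g[0], set())]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a simplified `access` table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, auth_reason INTEGER)"
    )
    con.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
        [
            # backup tool granted Full Disk Access by the user (auth_reason 2 = user consent, assumed)
            ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, AUTH_ALLOWED, 2),
            # a path-identified agent granted Microphone: not in the baseline below
            ("kTCCServiceMicrophone", "/usr/local/bin/example-agent", 1, AUTH_ALLOWED, 2),
            # camera request that the user denied: must not be reported
            ("kTCCServiceCamera", "com.example.chat", 0, AUTH_DENIED, 2),
            # a service outside the sensitive set: ignored
            ("kTCCServiceUbiquity", "com.example.notes", 0, AUTH_ALLOWED, 2),
        ],
    )
    con.commit()
    return con


if __name__ == "__main__":
    import os

    # Audit the current user's database against a baseline of expected grants.
    baseline = {"com.example.backup": {"Full Disk Access"}}
    user_db = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
    with open_tcc_db(user_db) as con:
        for client, service, client_type in unexpected_grants(con, baseline):
            kind = "path" if client_type == 1 else "bundle id"
            print(f"unexpected: {client} ({kind}) has {service}")
```

A path-identified client (`client_type` 1) deserves extra scrutiny: the grant follows the path, so whoever can replace the binary at that path inherits the permission, which is the inheritance problem described in the previous section.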

Traditional macOS Privilege Escalation

Beyond TCC/SIP, classic Unix privilege escalation techniques apply. Most Linux privesc methods work on macOS too, with macOS-specific additions:
  • Sudo PATH hijacking (macOS preserves user PATH for sudo)
  • Dock impersonation / social engineering for password capture
  • LaunchDaemon and LaunchAgent plist abuse
  • Authorization plugin injection
  • Vulnerable .pkg installer abuse
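Two of the items above have straightforward configuration checks: a LaunchDaemon job is only as trustworthy as the ownership of the executable it runs, and sudo PATH hijacking is mitigated by a `secure_path` line in sudoers. The script below is an added example, not code from the page; it parses a launchd plist (standard `Program` / `ProgramArguments` keys) and reports executables that are missing, not root-owned, or group/world-writable, and checks whether a sudoers file sets `secure_path`. The `stat_lookup` callable is this example's device for testing without touching the filesystem; the sample job, the `example-agent` path and gid 80 (macOS `admin`) are constructed values.

```python
import os
import plistlib
import re
import stat
from typing import Callable, List, Optional, Tuple

StatInfo = Tuple[int, int, int]            # (uid, gid, st_mode)
StatLookup = Callable[[str], Optional[StatInfo]]  # None when the path does not exist


def launchd_programs(plist_bytes: bytes) -> List[str]:
    """Executable paths a launchd job runs: `Program`, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    paths: List[str] = []
    if "Program" in job:
        paths.append(job["Program"])
    args = job.get("ProgramArguments") or []
    if args and args[0] not in paths:
        paths.append(args[0])
    return paths


def weak_ownership(info: Optional[StatInfo]) -> Optional[str]:
    """Reason an executable could be replaced by a non-root user, or None."""
    if info is None:
        return "path does not exist (a user who can create it controls the job)"
    uid, gid, mode = info
    if uid != 0:
        return f"owned by uid {uid}, not root"
    # Group-writable by a non-wheel group (e.g. admin, gid 80, as Homebrew
    # installs often are) lets every member of that group swap the binary.
    if mode & stat.S_IWGRP and gid != 0:
        return f"group-writable by gid {gid}"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_launchd_job(plist_bytes: bytes, stat_lookup: StatLookup) -> List[str]:
    """Findings for one launchd plist, as 'path: reason' strings."""
    findings: List[str] = []
    for path in launchd_programs(plist_bytes):
        reason = weak_ownership(stat_lookup(path))
        if reason:
            findings.append(f"{path}: {reason}")
    return findings


def sudoers_sets_secure_path(sudoers_text: str) -> bool:
    """True when a Defaults line pins sudo's PATH (the hijacking mitigation)."""
    return re.search(r"^\s*Defaults\b.*\bsecure_path\s*=", sudoers_text, re.M) is not None


def os_stat_lookup(path: str) -> Optional[StatInfo]:
    """Live StatLookup backed by os.stat."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_uid, st.st_gid, st.st_mode)


# Constructed sample job whose executable lives under /usr/local/bin.
SAMPLE_JOB = plistlib.dumps({
    "Label": "com.example.agent",
    "ProgramArguments": ["/usr/local/bin/example-agent", "--daemon"],
    "RunAtLoad": True,
})


if __name__ == "__main__":
    # Audit every system LaunchDaemon and the main sudoers file.
    daemons = "/Library/LaunchDaemons"
    for name in sorted(os.listdir(daemons)):
        with open(os.path.join(daemons, name), "rb") as fh:
            for finding in audit_launchd_job(fh.read(), os_stat_lookup):
                print(name, finding)
    with open("/etc/sudoers") as fh:
        print("sudoers secure_path set:", sudoers_sets_secure_path(fh.read()))
```

Reading `/etc/sudoers` needs root; the plists in `/Library/LaunchDaemons` are readable by any user, which is exactly why their referenced binaries must be root-owned and not writable by the `admin` group.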

macOS Compliance Resources

For hardening against CIS and NIST standards:

References
