Login
Download
Skills Development macOS Security Bypass Techniques Playbook

macOS Security Bypass Techniques Playbook

v20260506
macos-security-bypass
A comprehensive playbook detailing advanced techniques for bypassing core macOS security features, including TCC, Gatekeeper, SIP, and sandbox restrictions. This guide is essential for authorized red team operations and penetration testing targeting macOS endpoints, covering methods like direct database manipulation, extended attribute removal, and privilege escalation paths.
macOS Pentesting Security Exploitation TCC Gatekeeper SIP
Get Skill
252 downloads
Overview

SKILL: macOS Security Bypass — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert macOS security bypass techniques. Covers TCC bypass, Gatekeeper evasion, SIP restrictions, sandbox escape, and entitlement abuse. Base models miss version-specific bypass nuances and protection interaction effects.

0. RELATED ROUTING

Before going deep, consider loading:

Advanced Reference

Also load TCC_BYPASS_MATRIX.md when you need:

  • Per-macOS-version TCC bypass mapping
  • Protection-type-specific techniques (Camera, Microphone, FDA, Automation)
  • MDM/configuration profile abuse patterns

1. TCC (TRANSPARENCY, CONSENT, CONTROL) OVERVIEW

TCC is macOS's permission framework controlling access to sensitive resources (camera, microphone, contacts, full disk access, etc.).

1.1 TCC Database Locations

Database Path Controls Protection
User-level ~/Library/Application Support/com.apple.TCC/TCC.db Per-user consent decisions SIP-protected since Catalina
System-level /Library/Application Support/com.apple.TCC/TCC.db System-wide consent decisions SIP-protected
MDM-managed Via configuration profiles Push PPPC (Privacy Preferences Policy Control) Device management 
-- Query TCC database (requires FDA or SIP off)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT service, client, allowed FROM access;"

1.2 TCC Bypass Categories

Category Mechanism Typical Prerequisite
FDA app exploitation Piggyback on apps already granted Full Disk Access Write access to FDA app's bundle or plugin dir
Direct DB modification Edit TCC.db to grant consent SIP disabled or FDA
Inherited permissions Child process inherits parent's TCC grants Code execution in context of FDA-granted app
Automation abuse Apple Events / osascript to control TCC-granted app Automation permission (lower bar than direct TCC)
Mounting tricks Mount a crafted disk image containing modified TCC.db Local access, pre-Ventura
SQL injection in TCC Malformed bundle IDs triggering SQL injection in TCC subsystem CVE-2023-32364 and similar

1.3 Known TCC Bypass Patterns

Terminal / iTerm FDA inheritance: Terminal.app granted FDA → any command run inherits FDA → read any file.

# If Terminal has FDA, this reads protected files directly
cat ~/Library/Mail/V*/MailData/Envelope\ Index
cat ~/Library/Messages/chat.db

Finder automation: Automate Finder (lower permission bar) to access files in protected locations.

tell application "Finder"
  set f to POSIX file "/Users/target/Library/Mail/V9/MailData/Envelope Index"
  duplicate f to desktop
end tell

System Preferences / System Settings injection: Inject into a process that already has TCC permissions by writing to its Application Scripts folder.

MDM profile abuse: PPPC profiles can pre-approve TCC permissions. Rogue MDM enrollment or compromised MDM server → push PPPC payload.

2. GATEKEEPER BYPASS

Gatekeeper blocks unsigned or unnotarized apps from executing. Core enforcement depends on the com.apple.quarantine extended attribute.

2.1 Quarantine Attribute Removal

# Check quarantine attribute
xattr -l /path/to/app
# Output: com.apple.quarantine: 0083;...

# Remove quarantine (requires write access)
xattr -d com.apple.quarantine /path/to/app
# Recursive for app bundles
xattr -rd com.apple.quarantine /path/to/MyApp.app

2.2 Bypass Techniques

Technique How It Works macOS Version
xattr -d removal Remove quarantine before execution All (requires local access)
App translocation bypass Apps in certain locations skip translocation Pre-Catalina
Archive tools that strip quarantine Some unarchiver apps don't propagate quarantine Varies by tool
Unsigned code in signed bundle Notarized app bundles with unsigned nested helpers Pre-Ventura (CVE-2022-42821)
Safari auto-extract + open Downloaded ZIP auto-extracted, app opened before quarantine fully applied Safari-specific, patched
ACL abuse com.apple.quarantine can be blocked by ACLs set before download Requires pre-positioning
Disk image (DMG) tricks DMG mounted from network share may not carry quarantine Network share context
BOM (Bill of Materials) bypass Crafted BOM in pkg skips quarantine for extracted files CVE-2022-22616

2.3 Gatekeeper Check Flow

App launched
│
├── com.apple.quarantine attribute present?
│   ├── No → execute (no Gatekeeper check)
│   └── Yes ↓
│
├── Code signature valid?
│   ├── No → block
│   └── Yes ↓
│
├── Notarized (stapled ticket or online check)?
│   ├── No → block (Catalina+)
│   └── Yes → execute
│
└── User override? (right-click → Open → confirm)
    └── Bypasses Gatekeeper once for this app

3. SIP (SYSTEM INTEGRITY PROTECTION)

SIP restricts root from modifying protected system locations, loading unsigned kernel extensions, and debugging system processes.

3.1 SIP-Protected Locations

/System/
/usr/ (except /usr/local/)
/bin/
/sbin/
/var/ (selected subdirs)
/Applications/ (pre-installed Apple apps)

3.2 SIP Status & Configuration

csrutil status              # Check SIP status
csrutil disable             # Recovery Mode only
csrutil enable --without fs # Partial disable (risky)

3.3 Entitlements That Bypass SIP

Entitlement Effect
com.apple.rootless.install Write to SIP-protected paths
com.apple.rootless.install.heritable Child processes inherit SIP bypass
com.apple.security.cs.allow-unsigned-executable-memory JIT/unsigned code in memory
com.apple.private.security.clear-library-validation Load unsigned libraries

3.4 Historical SIP Bypasses

CVE macOS Technique
CVE-2021-30892 (Shrootless) Monterey pre-12.0.1 system_installd + post-install script in signed pkg
CVE-2022-22583 Monterey pre-12.2 packagekit + mount point manipulation
CVE-2022-46689 (MacDirtyCow) Ventura pre-13.1 Race condition on copy-on-write, overwrite SIP files
CVE-2023-32369 (Migraine) Ventura pre-13.4 Migration Assistant TCC/SIP bypass via systemmigrationd
CVE-2024-44243 Sequoia pre-15.2 StorageKit daemon exploitation

4. SANDBOX ESCAPE

macOS sandboxing (App Sandbox, via sandbox-exec or entitlements) restricts app access to filesystem, network, and IPC.

4.1 Office Sandbox Escape Patterns

Vector Description
Open/Save dialog abuse User grants file access via dialog → macro reads/writes beyond sandbox
~/Library/LaunchAgents/ persistence Some sandbox profiles allow writing LaunchAgent plists
Login Items manipulation Add login item pointing to payload outside sandbox
Shared container exploitation Multiple apps sharing the same App Group container

4.2 IPC-Based Escape

IPC Mechanism Escape Vector
XPC Services Connect to privileged XPC service with insufficient client validation
Mach Ports Obtain send right to privileged task port
Apple Events Automate unsandboxed app to perform actions
Distributed Notifications Signal unsandboxed helper to execute payload
Pasteboard Write payload to pasteboard, have unsandboxed app consume it

4.3 Browser Sandbox

  • Chromium: Multi-process model, renderer is sandboxed, browser process is not
  • Safari: WebContent process sandboxed, parent Safari process has more privileges
  • Exploit chain: renderer RCE → sandbox escape (via IPC bug to browser process) → system access

5. CODE SIGNING & ENTITLEMENTS

5.1 Inspecting Signatures and Entitlements

codesign -dv --verbose=4 /path/to/app       # Signature details
codesign -d --entitlements :- /path/to/app   # Dump entitlements
security cms -D -i /path/to/mobileprovision  # Provisioning profile

# Verify signature validity
codesign --verify --deep --strict /path/to/app
spctl --assess --type execute /path/to/app   # Gatekeeper assessment

5.2 Entitlement Abuse for Privilege Escalation

Entitlement Abuse Scenario
com.apple.security.cs.disable-library-validation Load attacker dylib into entitled process
com.apple.security.cs.allow-dyld-environment-variables DYLD_INSERT_LIBRARIES injection
com.apple.security.get-task-allow Attach debugger, inject code
com.apple.security.cs.debugger Debug any process
com.apple.private.apfs.revert-to-snapshot Revert APFS snapshots, bypass modifications

5.3 Hardened Runtime Bypass

Hardened Runtime prevents: DYLD env vars, debugging, unsigned memory execution. Bypasses:

  • Find entitled apps that weaken Hardened Runtime (disable-library-validation)
  • Exploit JIT-entitled apps (browsers, VMs) for unsigned code execution
  • Use get-task-allow entitled debug builds left in production

5.4 Library Validation Bypass

Library validation ensures only Apple-signed or same-team-signed dylibs load.

# Find apps with library validation disabled
codesign -d --entitlements :- /Applications/*.app/Contents/MacOS/* 2>/dev/null | \
  grep -l "disable-library-validation"

6. PERSISTENCE AFTER BYPASS

Method Location Survives Reboot Notes
LaunchAgent ~/Library/LaunchAgents/ Yes User-level, runs at login
LaunchDaemon /Library/LaunchDaemons/ Yes Root-level, runs at boot
Login Items ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ Yes Visible in System Settings
Cron crontab -e Yes Often overlooked by defenders
Dylib hijack Writable dylib search path Yes Triggered when target app launches
Folder Action ~/Library/Scripts/Folder Action Scripts/ Yes Triggers on folder events

7. macOS SECURITY BYPASS DECISION TREE

Target is macOS endpoint
│
├── Need to execute untrusted binary?
│   ├── Quarantine attribute present?
│   │   ├── Yes → xattr -d com.apple.quarantine (§2.1)
│   │   └── No → execute directly
│   └── Gatekeeper still blocks?
│       ├── Signed but not notarized → right-click → Open override
│       └── Unsigned → embed in signed bundle or use archive tricks (§2.2)
│
├── Need access to TCC-protected resources?
│   ├── FDA-granted app available?
│   │   ├── Yes → exploit FDA app context (§1.3)
│   │   └── No ↓
│   ├── Automation permission obtainable?
│   │   ├── Yes → Apple Events to TCC-granted app (§1.3)
│   │   └── No ↓
│   ├── SIP disabled?
│   │   ├── Yes → direct TCC.db modification (§1.2)
│   │   └── No → check version-specific TCC bypass (→ TCC_BYPASS_MATRIX.md)
│   └── MDM present?
│       └── Compromised MDM → push PPPC profile (§1.3)
│
├── Need to bypass SIP?
│   ├── Check macOS version → historical SIP CVE? (§3.4)
│   ├── Find entitled Apple binary → piggyback SIP-bypass entitlement (§3.3)
│   └── Recovery Mode access? → csrutil disable (§3.2)
│
├── Need sandbox escape?
│   ├── Office macro context → dialog/LaunchAgent tricks (§4.1)
│   ├── XPC service with weak validation → IPC escape (§4.2)
│   └── Browser context → renderer → sandbox escape chain (§4.3)
│
├── Need to inject into signed process?
│   ├── disable-library-validation entitlement? → dylib injection
│   ├── allow-dyld-environment-variables? → DYLD_INSERT_LIBRARIES
│   ├── get-task-allow? → debugger attach
│   └── None → check macos-process-injection SKILL.md
│
└── Need persistence?
    └── Choose method by access level (§6)

8. QUICK REFERENCE: TOOL COMMANDS

# Enumerate TCC permissions
tccutil reset All                              # Reset all TCC (admin)
sqlite3 TCC.db "SELECT * FROM access;"         # Read TCC DB

# Gatekeeper status
spctl --status                                 # Gatekeeper enabled?
spctl --assess -v /path/to/app                 # Check app assessment

# SIP status
csrutil status

# Find interesting entitlements across system
find /System/Applications /Applications -name "*.app" -exec sh -c \
  'codesign -d --entitlements :- "$1" 2>/dev/null | grep -q "disable-library-validation" && echo "$1"' _ {} \;

# List loaded kexts (kernel extensions)
kextstat | grep -v com.apple

# Sandbox profile inspection
sandbox-exec -p "(version 1)(allow default)" /bin/ls  # Test sandbox rules
Info
Category Development
Name macos-security-bypass
Version v20260506
Size 8.92KB
Source yaklang/hack-skills
Updated At 2026-05-08
Language
简体中文
English