More than 45% of organizations now use macOS in enterprise environments, and attackers are increasingly weaponizing the operating system's own features to run code, move laterally and evade detection, Cisco Talos warns in research published on 21 April.
Native macOS tools repurposed for remote execution: RAS, Terminal and AppleScript
Cisco Talos documents a range of built-in capabilities that adversaries can turn to operational advantage. Remote Application Scripting (RAS), intended for administrative automation, can be abused to issue instructions across processes and systems using Apple's inter-process communication (IPC) framework, allowing command execution without triggering conventional shell-based monitoring.
Where RAS-based restrictions exist, attackers may use Terminal as a proxy: encoding payloads in Base64 and deploying them in stages so complex scripts run while avoiding detection tied to standard command-line activity. Beyond RAS, the research notes that AppleScript can be executed over SSH to interact with the graphical user interface, and tools such as socat can provide remote shells "without relying on SSH logging or authentication trails."
Spotlight metadata and Finder comments as covert storage
Talos highlights an unconventional persistence and delivery technique: embedding malicious code inside Finder comments. These comments are stored as Spotlight metadata rather than in the file contents, which lets payloads evade static analysis tools that scan files directly. The embedded data can be extracted, decoded and executed with a single command, turning a benign-looking file attribute into a delivery channel.
The tradecraft leverages the fact that metadata activity—Apple Events and other IPC—often sits outside traditional endpoint detection rules, reducing visibility into attacker behavior.
Lateral movement and file transfer using legitimate protocols
The research lists multiple native protocols and services that adversaries can use to move laterally or exchange files while blending into normal traffic. Examples provided by Talos include:
- Server Message Block (SMB) for mounting remote shares
- Netcat for direct command execution and file delivery
- Git repositories for pushing payloads to target systems
- Trivial File Transfer Protocol (TFTP) and Simple Network Management Protocol (SNMP) for covert data exchange
Because these methods rely on legitimate services, they can bypass network monitoring that focuses on SSH or recognizes only known malicious traffic patterns.
Detection gaps and recommended defensive shifts
Cisco Talos identifies gaps in visibility and detection where attackers rely on legitimate system binaries, IPC and metadata instead of traditional malware. To close those gaps, Talos recommends a set of defensive changes rooted in behavioral and configuration controls: shift detection strategies toward process lineage analysis; monitor unusual metadata activity; and restrict administrative services through mobile device management (MDM) policies.
Further advice includes disabling unnecessary services and enforcing stricter controls over inter-application communication. These actions seek to reduce the available attack surface that depends on legitimate macOS features rather than on clearly malicious binaries or network patterns.
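As an added example (not Talos' or Apple's code), a small Python triage script tying the Finder-comment technique above to the recommendation to monitor unusual metadata activity: it scores a comment string for base64-encoded script content and, on macOS, pulls comments for every file Spotlight knows about via mdfind and mdls. The indicator list, the thresholds and the fixtures are my own assumptions.

```python
import base64
import binascii
import re
import subprocess
import sys

# Tokens that, once a comment is decoded, point to a staged script rather than a human note.
INDICATORS = ("#!/bin/", "/bin/sh", "bash -c", "osascript", "curl ", "python3 -c", "eval ")
# A comment made only of base64 alphabet (no spaces), at least 24 chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def assess_comment(comment: str) -> dict:
    """Score one Finder comment string; severity is 'none', 'medium' or 'high'."""
    findings, decoded = [], None
    if B64_RE.match(comment):
        try:
            decoded = base64.b64decode(comment, validate=True)
        except binascii.Error:  # right alphabet but bad length/padding: not a payload
            decoded = None
    if decoded is not None:
        findings.append("decodes-as-base64")
        text = decoded.decode("utf-8", errors="replace")
        hits = [tok for tok in INDICATORS if tok in text]
        if hits:
            findings.append("shell-indicators:" + ",".join(hits))
    if len(comment) > 512:
        findings.append("oversized-comment")  # genuine Finder notes are rarely this long
    severity = ("high" if any(f.startswith("shell-indicators") for f in findings)
                else "medium" if findings else "none")
    return {"severity": severity, "findings": findings, "decoded": decoded}

def scan_spotlight(query: str = 'kMDItemFinderComment == "*"') -> list:
    """macOS only: ask Spotlight for every file with a Finder comment and score each one."""
    if sys.platform != "darwin":
        return []  # mdfind/mdls are macOS tools; nothing to scan elsewhere
    paths = subprocess.run(["mdfind", query], capture_output=True, text=True).stdout.splitlines()
    flagged = []
    for path in paths:
        raw = subprocess.run(["mdls", "-name", "kMDItemFinderComment", "-raw", path],
                             capture_output=True, text=True).stdout.strip()
        verdict = assess_comment(raw)
        if verdict["severity"] != "none":
            flagged.append((path, verdict["severity"], verdict["findings"]))
    return flagged

# Constructed fixtures (not real indicators): a harmless encoded script, a human note, a blob.
SAMPLE_SCRIPT = "#!/bin/sh\necho 'constructed sample'\n"
ENCODED_SCRIPT_COMMENT = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
BENIGN_COMMENT = "Reviewed by finance on 2024-03-01"
ENCODED_BLOB_COMMENT = base64.b64encode(bytes(range(48))).decode()
```

Running scan_spotlight() on a managed Mac yields (path, severity, findings) tuples that can be forwarded to the endpoint telemetry pipeline alongside the process-lineage data Talos recommends.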
What this means for security teams, procurement leaders, and end users
Security teams, Talos' findings suggest, should prioritize tooling and rules that capture IPC, Apple Events and metadata changes, and adopt process-lineage approaches that flag abnormal parent-child process relationships rather than relying solely on command-line signatures.
Procurement leaders and enterprise administrators should consider tightening MDM configurations and explicitly disabling unneeded services on managed Macs to prevent abuse of administrative automation and inter-application channels.
End users matter as well: because Macs are "widely used by developers and DevOps professionals, often holding sensitive credentials, cloud access and source code," Talos' research implies that compromises of developer workstations could expose high-value assets, making device configuration and metadata monitoring organizational priorities.
Cisco Talos' research, published on 21 April, reframes a basic operational risk: when endpoints provide flexible automation and rich metadata, defenders must expand visibility beyond files and shells to the interactions that live between applications. The question enterprises now face is concrete and technical — will detection and MDM controls evolve fast enough to catch attacks that never look like malware?
Original story: https://www.infosecurity-magazine.com/news/macos-lotl-techniques-enterprise/