New macOS security flaw could let hackers disable protection tools, researchers say

Security firm XM Cyber found a macOS technique that can let standard user accounts disable some enterprise security tools without administrator credentials.

The research focuses on trusted macOS communication channels

Researchers disclosed the findings ahead of a planned Black Hat Arsenal presentation in August, where they’ll demonstrate an open-source tool called XPC Hunter. XM Cyber reported successful attacks against CrowdStrike Falcon and Kandji on macOS.

The firm’s reported technique isn’t a remote attack. Researchers said attackers must first gain access to a standard user account on the target Mac.

Requiring access to an existing account limits the attack’s reach, but it doesn’t make the research insignificant. Attackers who gain access to a Mac often try to disable monitoring tools before moving deeper into a system or network.
