
# macOS Security & Privilege Escalation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/files/pkCbnqa1piLi0fahSPUn" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## Basic MacOS

If you are not familiar with macOS, you should start learning the basics of macOS:

* Special macOS **files & permissions:**

{% content-ref url="/pages/EzkDl4KZdNWg24x0Viu0" %}
[macOS Files, Folders, Binaries & Memory](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries.md)
{% endcontent-ref %}

* Common macOS **users**

{% content-ref url="/pages/651PwNIhEU8dgjshRsVJ" %}
[macOS Users & External Accounts](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
{% endcontent-ref %}

* **AppleFS**

{% content-ref url="/pages/kb9RhbjaGNNZmVZEEvr1" %}
[macOS AppleFS](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
{% endcontent-ref %}

* The **architecture** of the **kernel**

{% content-ref url="/pages/JRLbrPkJ5ttDlNgC7ycH" %}
[macOS Kernel & System Extensions](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture.md)
{% endcontent-ref %}

* Common macOS **network services & protocols**

{% content-ref url="/pages/rDbv5llT0l1sbg9KcOd5" %}
[macOS Network Services & Protocols](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
{% endcontent-ref %}

* **Open-source** macOS: <https://opensource.apple.com/>
  * To download a `tar.gz`, change a URL such as [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) to [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz)

### MacOS MDM

In companies, **macOS** systems are very likely to be **managed with an MDM**. Therefore, from an attacker's perspective it is interesting to know **how that works**:

{% content-ref url="/pages/0EjNAZmr9gQCuv9drsmi" %}
[macOS MDM](/hacktricks/macos-hardening/macos-red-teaming/macos-mdm.md)
{% endcontent-ref %}

### MacOS - Inspecting, Debugging and Fuzzing

{% content-ref url="/pages/YbEd1svnF1swSwF1EYeO" %}
[macOS Apps - Inspecting, debugging and Fuzzing](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md)
{% endcontent-ref %}

## MacOS Security Protections

{% content-ref url="/pages/ePoia8evjSJJ1coaZE6l" %}
[macOS Security Protections](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections.md)
{% endcontent-ref %}

## Attack Surface

### File Permissions

If a **process running as root writes** a file that can be controlled by a user, the user could abuse this to **escalate privileges**.\
This can happen in the following situations:

* The file was already created by the user (owned by the user)
* The file is writable by the user because of a group the user belongs to
* The file is inside a directory owned by the user (so the user can create the file)
* The file is inside a directory owned by root that the user can write to because of a group (so the user can create the file)

Being able to **create a file** that is going to be **used by root** lets a user **control its content**, or even place a **symlink/hardlink** there so that root's write lands on a different file.

For this kind of vulnerability don't forget to **check vulnerable `.pkg` installers**:
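The following is an added example (not code from HackTricks) that turns the four situations above into a check you can run against the paths a root daemon or installer is about to write. It only uses stat information, so it runs as an unprivileged user; it also covers two cases beyond the list above: world-writable targets, and a root-owned file sitting in a user-writable directory, which the user can unlink and recreate unless the directory's sticky bit (as on `/tmp`) prevents the unlink. The demo directory and file names are constructed for illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Finding:
    path: str
    reason: Optional[str]      # None means the user has no way to influence this path
    is_symlink: bool = False   # an existing target that is already a symlink deserves a closer look


def _why_writable(st: os.stat_result, uid: int, gids: set) -> Optional[str]:
    """Explain why `uid` can write the object described by `st`, or return None."""
    if st.st_uid == uid:
        # The owner can always chmod the object, so the mode bits do not matter here
        return "owned by the user"
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return "group-writable via a group the user belongs to"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def check_root_target(path: str, uid: Optional[int] = None, gids: Optional[set] = None) -> Finding:
    """Classify one path that a root process is going to write to."""
    if uid is None:
        uid = os.getuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}

    parent = os.path.dirname(os.path.abspath(path))
    try:
        pst = os.stat(parent)
        parent_why = _why_writable(pst, uid, gids)
        # Sticky bit (as on /tmp): only the file owner, the directory owner or root may unlink entries
        sticky_blocks_replace = bool(pst.st_mode & stat.S_ISVTX) and pst.st_uid != uid
    except OSError:
        parent_why, sticky_blocks_replace = None, False

    try:
        st = os.lstat(path)
    except OSError:
        # Situations 3 and 4: the file does not exist yet, but the user can create it
        # (as a regular file with chosen content, or as a symlink/hardlink to another target)
        if parent_why:
            return Finding(path, f"user can create it: parent directory {parent_why}")
        return Finding(path, None)

    is_link = stat.S_ISLNK(st.st_mode)
    why = _why_writable(st, uid, gids)
    if why:
        # Situations 1 and 2: the file already exists and the user can write it
        return Finding(path, f"existing file {why}", is_link)
    # Extra case: a root-owned file in a user-writable directory can be unlinked and
    # recreated by the user, unless the sticky bit prevents the unlink
    if parent_why and not sticky_blocks_replace:
        return Finding(path, f"user can replace it: parent directory {parent_why}", is_link)
    return Finding(path, None, is_link)


def audit(paths: Iterable[str]) -> List[Finding]:
    """Keep only the paths the current user could abuse."""
    return [f for f in (check_root_target(p) for p in paths) if f.reason]


if __name__ == "__main__":
    # Constructed demo: a directory owned by the current user stands in for a
    # location that a root daemon writes to (e.g. a log or cache directory)
    demo_dir = tempfile.mkdtemp()
    open(os.path.join(demo_dir, "daemon.log"), "w").close()
    for f in audit([os.path.join(demo_dir, "daemon.log"),
                    os.path.join(demo_dir, "cache.plist"),
                    "/etc/hosts"]):
        flag = " (already a symlink)" if f.is_symlink else ""
        print(f"[!] {f.path}: {f.reason}{flag}")
```

Feed `audit()` the paths you collected from `fs_usage`, launchd plists or a `.pkg` preinstall/postinstall script; a finding is only the first half of the bug, since root must also open the path without `O_NOFOLLOW`/`O_EXCL` (or without checking ownership) for a planted symlink or hardlink to redirect the write.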

{% content-ref url="/pages/PgsAMulp2UwaWZrYczc9" %}
[macOS Installers Abuse](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md)
{% endcontent-ref %}

### File Extension & URL scheme app handlers

Unusual apps registered as handlers for file extensions can be abused, and different applications can register to open specific URL schemes:

{% content-ref url="/pages/bJz5sfkgczerriY3kIrU" %}
[macOS File Extension & URL scheme app handlers](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
{% endcontent-ref %}

## macOS TCC / SIP Privilege Escalation

In macOS, **applications and binaries can have permissions** to access folders or settings that make them more privileged than others.

Therefore, an attacker who wants to fully compromise a macOS machine will need to **escalate their TCC privileges** (or even **bypass SIP**, depending on their needs).

These privileges are usually granted in the form of **entitlements** the application is signed with, or the application may have requested some access and, once the **user approves it**, the grant is stored in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** that has them, as they are usually **inherited**.

Follow these links to find different ways to [**escalate privileges in TCC**](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc.md#tcc-privesc-and-bypasses), to [**bypass TCC**](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md) and how in the past [**SIP has been bypassed**](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md#sip-bypasses).
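Added example (not HackTricks' own code) showing what the user-approved grants mentioned above look like once they land in `TCC.db`, and how to pick out the clients that already hold the permissions an attacker would want to inherit or piggyback on. The `access` table modelled here is a simplified subset of the real schema (the real table also carries `csreq`, `policy_id`, `flags`, `last_modified`, ...), the sample rows and client names are constructed, and the service identifiers, `auth_value` meanings (0 denied, 1 unknown, 2 allowed, 3 limited) and `client_type` meanings (0 bundle identifier, 1 path) are the real TCC ones.

```python
import sqlite3
import sys
from typing import Dict, List

# TCC service identifiers that matter most to an attacker and what each one grants
HIGH_VALUE = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility (synthetic keyboard/mouse input)",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAppleEvents": "Automation (send AppleEvents to another app)",
}
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
CLIENT_TYPE = {0: "bundle-id", 1: "path"}

# Real on-disk locations; reading them needs Full Disk Access (the system one also needs root)
USER_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a simplified `access` table
    (only the columns this script reads are modelled; all rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT NOT NULL,
        client TEXT NOT NULL,
        client_type INTEGER NOT NULL,
        auth_value INTEGER NOT NULL,
        auth_reason INTEGER NOT NULL,
        indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED')""")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, "UNUSED"),
        ("kTCCServiceAccessibility", "/usr/local/bin/legacy-helper", 1, 2, 2, "UNUSED"),
        ("kTCCServiceScreenCapture", "com.example.screenshotter", 0, 0, 2, "UNUSED"),
        ("kTCCServiceAppleEvents", "com.example.automator", 0, 2, 2, "com.apple.finder"),
        ("kTCCServiceCamera", "com.example.meetings", 0, 2, 2, "UNUSED"),
    ])
    return conn


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a real TCC.db read-only (fails without the privileges noted above)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def privileged_clients(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Map each high-value service to the clients TCC currently allows for it."""
    rows = conn.execute(
        "SELECT service, client, client_type, indirect_object_identifier "
        "FROM access WHERE auth_value = 2 ORDER BY service, client"
    )
    grants: Dict[str, List[str]] = {}
    for service, client, ctype, target in rows:
        if service not in HIGH_VALUE:
            continue
        label = f"{client} [{CLIENT_TYPE.get(ctype, ctype)}]"
        if service == "kTCCServiceAppleEvents":
            label += f" -> {target}"   # the app this client is allowed to automate
        grants.setdefault(service, []).append(label)
    return grants


if __name__ == "__main__":
    conn = open_tcc_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for service, clients in privileged_clients(conn).items():
        print(f"{HIGH_VALUE[service]} ({service}):")
        for c in clients:
            print(f"    {c}")
```

Clients of type `path` are matched by file path, so they are the first thing to cross-check against the file-permission findings from the previous section; whether replacing such a binary actually inherits the grant depends on the stored `csreq` (code signing requirement), which this simplified table leaves out. A Terminal entry with Full Disk Access is the classic win: any process you spawn from it inherits that access, which is exactly the inheritance described above.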

## macOS Traditional Privilege Escalation

Of course, from a red team's perspective you should also be interested in escalating to root. Check the following post for some hints:

{% content-ref url="/pages/lZrU40KP8RmCEK33JSUX" %}
[macOS Privilege Escalation](/hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md)
{% endcontent-ref %}

## macOS Compliance

* <https://github.com/usnistgov/macos_security>

## References

* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
* [**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet)
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
* [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)

