macOS XPC Trust Cache Persistence Enables Non-Privileged EDR Unload on Falcon and Kandji

The attack begins with discovery of privileged XPC methods lacking proper client validation, followed by injection of a malicious NIB into a signed binary. Execution of the legitimate component leaves its trust entry in the kernel cache, allowing the attacker-controlled payload to inherit that trust and invoke the sensitive XPC endpoints. This unloads the Endpoint Security extension and clears MDM guards entirely from user space. Evidence includes successful demonstration against Falcon, Kandji CVE-2026-39118, and one unnamed EDR vendor, with CrowdStrike issuing a bounty and sensor updates. The technique exploits documented XPC surfaces that predate recent Apple mitigations rather than zero-days.

Living-off-the-land chains like this expose a persistent gap: vendors rely on Apple’s code-signing model while attackers reuse the same trust primitives across multiple endpoint products. Prior XPC research from 2019-2023 mapped similar surfaces in system daemons, yet enterprise agents continued exposing unauthenticated methods for management features. The persistence of the trust cache after process exit is the novel link that turns known primitives into reliable EDR bypasses affecting both corporate fleets and consumer devices.

CrowdStrike added detections across supported macOS versions; Kandji shipped a patch. Apple has not commented on broader XPC validation changes. XPC Hunter will be released to map remaining surfaces before Black Hat US 2026, likely surfacing additional agents with equivalent exposure.

Next steps include vendor-wide audits of XPC authorization and potential kernel changes to flush trust entries on process termination. Without those, similar chains will reappear against remaining EDRs and MDM agents within the next two release cycles.