Bad Apples: Weaponizing native macOS primitives for movement and execution
ID: c9c52fd6-f93a-5210-9be1-53d69a5230bb
STIX ID: report--c9c52fd6-f93a-5210-9be1-53d69a5230bb
Feed Name: Cisco Talos
This research analyzes macOS living-off-the-land techniques, demonstrating how native features (Remote Application Scripting via eppc/RAE, AppleEvents/osascript, Finder comments stored as Spotlight metadata, socat, netcat, SMB, SCP/SFTP, Git, TFTP, and SNMP traps) can be repurposed for remote code execution, lateral movement, stealthy payload staging, persistence (LaunchAgents), and file transfer. The report details practical bypasses and implementation patterns (Base64-encoded payloads via Terminal.app, metadata staging and extraction, non-SSH shells and file-transfer channels), maps detection opportunities (process lineage, metadata access, eppc traffic), and provides defensive recommendations such as tightening TCC/MDM policies, disabling unnecessary services, and monitoring IPC and metadata anomalies.