
notifyutil

notifyutil is the command-line interface to the notify(3) API and the notifyd(8) daemon that implement Darwin notifications on macOS. A Darwin notification is a named key (for example com.apple.screenIsLocked) with an optional 64-bit state value: processes post to a key, register for it, and get or set its state, and notifyutil exposes each of these operations (-p, -w, -#, -g, -s), so it can post notifications, watch system-wide keys, and read or write state values. The mechanism is designed for lightweight inter-process communication (IPC) and is not access-controlled for readers: any process can register for any key, and only a few reserved key prefixes (configured in /etc/notify.conf) restrict who may post or set state. A threat actor can therefore use notifyutil to watch for system events (screen lock, network changes, timezone updates), run a covert channel between processes through a key's state value, or read state values for reconnaissance, without TCC prompts, privileged APIs, or the log entries that more direct probing would leave.

Author: Brendan Chamberlain (@infosecB) Created: 2025-01-24

Paths

/usr/bin/notifyutil

Example Use Cases

Monitor system events for reconnaissance

An attacker can register for system notification keys to learn when the user locks the screen, when the network configuration changes, or when other system events occur, using an unprivileged API that raises no prompt and leaves no per-registration audit record. The following example blocks and prints the key name each time the screen is locked (com.apple.screenIsUnlocked is the counterpart key).

notifyutil -w com.apple.screenIsLocked

Establish covert inter-process communication channel

Threat actors can use Darwin notifications as a covert IPC mechanism to coordinate between malicious processes. The channel is narrow: a post carries no payload beyond the fact that the key was posted, and each key has a single 64-bit state value that any process may read, so the sender writes its data into the state value and then posts the key, and the receiver waits for the post and reads the state. Because both processes only ever talk to notifyd, no pipe, socket, Mach port, or file is created between them for traditional IPC monitoring to see. The state must be set before the key is posted; in the other order the receiver can wake up and read a stale value.

# Sender process: set the state value first, then post
notifyutil -s com.example.hidden.channel 1337 -p com.example.hidden.channel

# Receiver process in another terminal/process: block until one post arrives,
# then read the state in a second invocation so the read cannot precede the post
notifyutil -1 com.example.hidden.channel && notifyutil -g com.example.hidden.channel
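The one-shot exchange above moves a single 64-bit value. The script below, an added example rather than code from the LOOBins page, shows how an operator would push an arbitrary message through the same key by chunking it into state values: seven message bytes go into the low 56 bits of each value and the chunk length into the top byte, so the receiver knows where the message ends and every value stays below 2^63 (POSIX shell arithmetic is signed). The key name com.example.hidden.channel is the page's hypothetical key; the pacing delay and the parsing of notifyutil -g output are assumptions, and the sender and receiver only run where notifyutil exists.

```sh
#!/bin/sh
# Added example (not from the LOOBins page): a chunked covert channel over one
# Darwin notification key using only notifyutil. Each chunk value packs up to
# 7 message bytes (low 56 bits) plus the chunk length (top byte). Key name,
# pacing delay and -g output parsing are assumptions.

KEY=com.example.hidden.channel   # hypothetical key, as on the page

# covert_encode MESSAGE -> one decimal state value per line
covert_encode() {
    v=0 n=0
    for b in $(printf '%s' "$1" | od -An -tu1 -v); do
        v=$(( v | (b << (8 * n)) ))
        n=$(( n + 1 ))
        if [ "$n" -eq 7 ]; then
            echo $(( v | (n << 56) ))
            v=0 n=0
        fi
    done
    [ "$n" -gt 0 ] && echo $(( v | (n << 56) ))
    return 0
}

# covert_decode "VALUES" -> the message bytes (values separated by whitespace)
covert_decode() {
    for v in $1; do
        len=$(( (v >> 56) & 255 ))
        [ "$len" -le 7 ] || len=7          # ignore malformed chunks
        i=0
        while [ "$i" -lt "$len" ]; do
            printf "\\$(printf '%03o' $(( (v >> (8 * i)) & 255 )))"
            i=$(( i + 1 ))
        done
    done
}

# Sender: set the state first, then post, so the receiver never reads a stale
# value; the pause keeps back-to-back posts from being coalesced (assumption).
covert_send() {   # covert_send KEY MESSAGE
    for v in $(covert_encode "$2"); do
        notifyutil -s "$1" "$v" -p "$1"
        sleep 0.2
    done
}

# Receiver: block until one post arrives (-1), then read the state (-g). The
# last whitespace-separated field of -g's output is taken as the value so the
# parsing works whether or not the key name is echoed (assumption).
covert_recv() {   # covert_recv KEY NCHUNKS
    got=0 vals=""
    while [ "$got" -lt "$2" ]; do
        notifyutil -1 "$1" >/dev/null
        vals="$vals $(notifyutil -g "$1" | awk '{ print $NF }')"
        got=$(( got + 1 ))
    done
    covert_decode "$vals"
}

# Usage on macOS: "sh covert.sh recv 2" in one terminal, then
# "sh covert.sh send 'hello, world'" in another. With no arguments only the
# local encode/decode round trip runs.
case "${1:-}" in
    send) covert_send "$KEY" "$2" ;;
    recv) covert_recv "$KEY" "$2" ;;
    *)    covert_decode "$(covert_encode 'hello, world')"; echo ;;
esac
```

The receiver re-registers between chunks, so a post that lands in the gap between one -1 returning and the next registering is lost; the sender's pause is what makes the channel usable, and a real implant would register once through notify(3) instead of re-spawning notifyutil.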

Monitor network state changes for data exfiltration timing

An attacker can watch for network configuration changes to pick the moment for data exfiltration. configd posts com.apple.system.config.network_change whenever interface, DNS, or proxy configuration changes, so malware can hold its traffic until a connection comes up and re-check the active interface and DNS settings before deciding whether to send.

notifyutil -w com.apple.system.config.network_change

Monitor timezone changes for geolocation tracking

Monitoring timezone change notifications lets an attacker notice when the device moves between time zones, which hints at travel and the target's rough location. The notification itself carries only the key name; to learn the new zone the attacker still has to read it afterwards, for example from the target of the /etc/localtime symlink.

notifyutil -w com.apple.system.timezone

Monitor login/logout events for privilege escalation timing

By watching session-related notification keys, an attacker can detect login and logout transitions and time privilege escalation or other activity to those moments, when the user and per-session defenses are changing state. Note that com.apple.springboard.attemptactivationend is an iOS SpringBoard key with no poster on macOS, so it will not fire there; the example below registers for both keys in a single invocation.

notifyutil -w com.apple.loginwindow.logout -w com.apple.springboard.attemptactivationend

Query system notification state values for reconnaissance

Threat actors can also read the state value of system keys to learn about the current system state without running more conspicuous commands. Only keys whose poster maintains a state value return anything useful; many system keys are pure signals whose state stays at 0, so the value has to be interpreted per key.

notifyutil -g com.apple.system.timezone
notifyutil -g com.apple.loginwindow.logout
notifyutil -g com.apple.screenIsLocked

Detections

  • Alert on notifyutil execution (process-execution telemetry, e.g. Endpoint Security exec events) and inspect the keys named on the command line
  • Flag notifyutil watching, posting, or setting state on non-Apple keys (keys that do not start with com.apple), which is the covert-channel pattern
  • Flag long-running notifyutil processes (-w or -# registrations) that block waiting for events
  • Correlate notifyutil invocations with suspicious parent processes (scripts, binaries launched from temporary or user-writable paths) or with other malware indicators

notifyutil is only a thin wrapper around notify(3): malware that calls notify_register_dispatch or notify_set_state directly never spawns the binary, so these detections catch scripted or interactive abuse rather than the API itself.
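The detection bullets above, applied to process-execution records, as an added example that is not part of the LOOBins page. The six log lines are constructed for this example in a made-up one-line-per-record format (pid, ppid, parent image path, quoted command line) and are not any real sensor's schema; the field extraction is what you would adapt to your own telemetry. The /tmp-parent rule is an assumed heuristic standing in for the "suspicious parent" bullet.

```sh
#!/bin/sh
# Added example (not from the LOOBins page): triage of process-execution
# records for notifyutil abuse. Log format is constructed for this example.
# Reasons reported, one line per reason per record:
#   custom_key  - a key named with -w/-p/-g/-s/-# does not start with com.apple.
#   watch       - -w registration, i.e. a long-running watcher
#   tmp_parent  - parent image lives under /tmp or /var/tmp (assumed suspicious)

SAMPLE_LOG=$(cat <<'EOF'
pid=4010 ppid=3999 parent=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal cmd="notifyutil -g com.apple.system.timezone"
pid=4011 ppid=3999 parent=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal cmd="notifyutil -w com.apple.screenIsLocked"
pid=4120 ppid=4118 parent=/tmp/.hidden/updater cmd="notifyutil -s com.example.hidden.channel 1337 -p com.example.hidden.channel"
pid=4121 ppid=3999 parent=/bin/zsh cmd="launchctl list"
pid=4130 ppid=4118 parent=/Users/alice/Library/Caches/agent cmd="notifyutil -1 org.evil.beacon -g org.evil.beacon"
pid=4131 ppid=4118 parent=/Users/alice/Library/Caches/agent cmd="notifyutil -w com.example.hidden.channel"
EOF
)

# notifyutil_triage "LOG" -> "reason<TAB>record" lines for every record that
# matches at least one rule; records without findings produce nothing
notifyutil_triage() {
    printf '%s\n' "$1" | awk '
    /cmd="notifyutil/ {
        split("", seen)                      # reasons found for this record
        cmd = $0; sub(/.*cmd="/, "", cmd); sub(/".*/, "", cmd)
        n = split(cmd, tok, " ")
        for (i = 2; i <= n; i++) {
            f = tok[i]
            if (f == "-w" || f == "-p" || f == "-g" || f == "-s" || f ~ /^-[0-9]+$/) {
                key = tok[i + 1]
                if (f == "-w") seen["watch"] = 1
                if (key !~ /^com\.apple\./) seen["custom_key"] = 1
                if (f == "-s") i++           # -s takes a value after the key
                i++                          # skip the key itself
            }
        }
        p = $0; sub(/.*parent=/, "", p); sub(/ .*/, "", p)
        if (p ~ "^/(private/)?(tmp|var/tmp)/") seen["tmp_parent"] = 1
        for (r in seen) printf "%s\t%s\n", r, $0
    }'
}

notifyutil_triage "$SAMPLE_LOG"
```

On the sample the Terminal-launched -g on a com.apple key produces nothing, the screen-lock watcher is reported only as a long-running watch, and the three records touching com.example and org.evil keys are the covert-channel hits; tune the parent-path rule and the key allowlist to what your fleet actually runs before alerting on it.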

Resources

Acknowledgements

  • Research and testing conducted for LOOBins project