Abusing Forgotten Shells and Interpreters for Covert Execution on macOS

macOS gets a lot of attention for its security features, and rightfully so. Between Gatekeeper, SIP, TCC, and XProtect, it has layers upon layers designed to stop malware and alert users to anything suspicious. But while defenders are focused on flashy system popups, notarization warnings, and TCC prompts, there's a whole world of preinstalled binaries quietly waiting to be used. Or abused.

This post explores some of the lesser-known, often-overlooked shells and interpreters that still exist on modern macOS systems like Ventura and Sequoia. They're there for legacy compatibility, but they still work and they can still run commands. Sometimes that's all an attacker (or red teamer) needs.

Why These Are Interesting

  • They're already installed, so there's no need to drop anything
  • They usually fly under the radar of security tooling
  • They're often ignored in detection rules
  • They're functional enough to stage or trigger payloads

These aren't fancy persistence mechanisms or novel execution chains. They're just tools that have been there for decades, quietly doing what they were built to do: run commands.

Let's Try Them Out

Here are a few that are still present on a modern macOS install as of Sequoia.

/bin/ksh

Still going strong. You can use ksh just like sh or bash, and it's often overlooked.

/bin/tcsh

Old school C shell. Still works. Still useful.

/bin/csh

Another C shell variant. Very similar to tcsh.

/usr/bin/expect

Meant for scripting interactive tools, but it works great for shell commands too.

/usr/bin/awk

You don't usually think of awk as a command runner, but it's got system() built in. Quiet and handy.

/usr/libexec/osascript

This one's a bit more Apple-flavored. It's a lower-level backend version of the more commonly used /usr/bin/osascript, which is the public-facing CLI for running AppleScript.

So what's the difference?

  • /usr/bin/osascript is the standard binary everyone uses and is often monitored or logged by security tools.
  • /usr/libexec/osascript is what /usr/bin/osascript wraps under the hood. It's less frequently used directly and may bypass some superficial logging layers.

In practice, both run the same AppleScript commands. But if you're trying to stay low-profile, using the backend version directly gives you just a bit more obscurity. You can use it to run commands without popping open an AppleScript editor.

/bin/ksh -c 'echo "[ksh] OK: $(whoami)"'

/bin/tcsh -c 'echo "[tcsh] OK: `whoami`"'

/bin/csh -c 'echo "[csh] OK: `whoami`"'

/usr/bin/awk 'BEGIN { cmd = "whoami"; cmd | getline out; close(cmd); print "[awk] OK: " out }'

/usr/bin/expect -c 'spawn bash; send "whoami\n"; send "exit\n"; expect eof'

/usr/libexec/osascript -e 'do shell script "whoami"'
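
From the defender's side, the invocations above are straightforward to match in process-execution telemetry. The following is an added example, not code from the original post; the event shape (a path plus an argv list), the sample records and the function names are all constructed assumptions rather than any logging tool's real schema:

```python
import re

# Interpreters named in this post, mapped to the flag that carries inline code.
INLINE_FLAG = {"/bin/ksh": "-c", "/bin/tcsh": "-c", "/bin/csh": "-c",
               "/usr/bin/expect": "-c", "/usr/libexec/osascript": "-e"}
# awk runs commands via system() or a "cmd" | getline pipe in the program text.
AWK_EXEC = re.compile(r'system\s*\(|\|\s*getline')
# expect / AppleScript constructs that hand off to another process.
HANDOFF = re.compile(r'\bspawn\b|do shell script')

# Constructed sample exec events (simplified, hypothetical shape).
SAMPLE_EVENTS = [
    {"path": "/bin/ksh", "argv": ["/bin/ksh", "-c", 'echo "[ksh] OK: $(whoami)"']},
    {"path": "/usr/bin/awk",
     "argv": ["awk", 'BEGIN { cmd = "whoami"; cmd | getline out; print out }']},
    {"path": "/usr/bin/awk", "argv": ["awk", "{ print $1 }", "access.log"]},
    {"path": "/usr/libexec/osascript",
     "argv": ["osascript", "-e", 'do shell script "whoami"']},
    {"path": "/bin/tcsh", "argv": ["-tcsh"]},  # plain login shell, no inline code
]


def classify(event):
    """Return a reason string if the exec event matches, else None."""
    path, argv = event["path"], event["argv"]
    if path == "/usr/bin/awk":
        # Ordinary text-processing awk is left alone; only command execution matches.
        if any(AWK_EXEC.search(arg) for arg in argv[1:]):
            return "awk program executes a command"
        return None
    flag = INLINE_FLAG.get(path)
    if flag is None or flag not in argv[1:]:
        return None
    idx = argv.index(flag, 1)
    code = argv[idx + 1] if idx + 1 < len(argv) else ""
    if HANDOFF.search(code):
        return f"{path} inline code hands off to another process"
    return f"{path} run with inline code ({flag})"


def scan(events):
    """Return (path, reason) for every event that matches."""
    return [(e["path"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_EVENTS):
        print(f"{path}: {reason}")
```

Matching on path misses copied or renamed binaries, so pair it with the code-signing identity where the telemetry source provides one.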

Final Thoughts

You don’t always need persistence or an exploit to run code. Sometimes, you just need the right forgotten tool that no one’s watching. These binaries are still sitting on disk, still executable, and still working in 2025. They’re not fancy, but that’s the point. They’re boring, and boring is quiet.

So the next time you need to launch something and want to stay off the beaten path, consider swapping bash for ksh, or hiding your logic in awk. Chances are, nobody’s looking.

Thanks for reading.