{
	"id": "5bf96977-7ffa-437c-b03c-23d1d2a42690",
	"created_at": "2026-04-06T00:09:50.121261Z",
	"updated_at": "2026-04-10T03:20:28.288311Z",
	"deleted_at": null,
	"sha1_hash": "f409062eb66697b42a24d30befa54a58bd80a6e0",
	"title": "macOS MS Office Sandbox Brain Dump",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178847,
	"plain_text": "macOS MS Office Sandbox Brain Dump\r\nBy Cedric Owens\r\nPublished: 2021-05-22 · Archived: 2026-04-05 17:04:07 UTC\r\nThis blog takes a look at some observations regarding what is still possible from the MS Office Sandbox on macOS. This is a combination of insight from others as well as some tests that I have attempted. Hopefully this will help readers better understand what is possible via remote sandboxed access gained through an MS Office macro.\r\nBinaries\r\nWhat are some macOS binaries that can be executed from sandboxed MS Office macros? Below are some:\r\nosascript: You can prompt the user for credentials (ex: osascript -e ‘set popup to display dialog \\”Keychain Access wants to use the login keychain\\” \u0026 return \u0026 return \u0026 \\”Please enter the keychain password\\” \u0026 return default answer \\”\\” with icon file \\”System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns\\” with title \\”Authentication Needed\\” with hidden answer’), capture clipboard contents (ex: osascript -e ‘return (the clipboard)’), grab system information (ex: osascript -e ‘return (system info)’), launch JXA payloads (ex: osascript file.js), etc.\r\ncurl: You can make web requests (GET, POST, etc.) and download files.\r\nlaunchctl: In my testing I have been able to call launchctl, but have not been able to successfully load any plists. Some commands that did work when testing: “launchctl managername”, “launchctl managerpid”, “launchctl hostinfo”, “launchctl asuser \u003cuid\u003e \u003cbin_path\u003e \u003cargs\u003e” (Note: while this works, the sandbox still prevents execution of binaries outside of the sandbox).\r\nhttps://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a\r\nPage 1 of 3\r\nifconfig: Can display local IP config info (ex: ifconfig -a).\r\ndscl: Can run some dscl commands (ex: “dscl . list /Users”, “dscl /Local/Default read Computers/localhost IPAddress”, “dscl . ls /”, “dscl “/Active Directory/[domain]/All Domains” ls /users” (if your macOS host is joined directly to AD)).\r\nscreencapture: Can grab screenshots (ex: “screencapture -x -t jpg out.jpg”). In this example command, you can dump a screenshot to the sandbox’s default directory (ex: /Users/[username]/Library/Containers/com.microsoft.Word/Data).\r\nnc: Can use netcat to connect to ports on other hosts (ex: “nc -v 192.168.1.1 22”).\r\nssh: Can run the ssh client, but I have not been able to successfully complete a login to another host (I used this command: “ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [username]@[host]”).\r\npython: Can run the default python installation on macOS (up to this point 2.7 has been the default, though I expect that to change in the near future, as scripting runtimes such as python, ruby, and perl are expected to be removed from base macOS installs).\r\nenv: Can run the env command to list environment info.\r\nDisk Access\r\nAdam Chester wrote an excellent blog a while back, where he read the entitlements of macOS Office products and used that information to determine where files could be written to disk from a sandboxed MS Office macro. His blog can be found here:\r\nIn a nutshell, he found that files could be written to disk when the filenames were prepended with “~$” (ex: “~$test.zip”). This entitlement is still in place on current versions of MS Office on macOS (as of the date of this blog post), and in testing I am still able to drop files to disk as long as I use this naming convention.\r\nOne exception is if you want to drop files to the local sandbox directory (/Users/[user]/Library/Containers/com.microsoft.Word/Data). In that case, prepending “~$” to the filename is not needed and you can drop files as normal to this directory. One example of this is the MS Office Macro Payload Generator I wrote a while back for the Mythic C2 framework. Link:\r\nThe example above shows how you do not need the leading “~$” to drop or execute files local to the path above.\r\nOne other exception I have noticed in my testing: You can write files to /Users/\u003cuser\u003e/.Trash without needing to prepend “~$” to the filename. You can also cd into /Users/\u003cuser\u003e/.Trash from the MS Office Sandbox. However, you cannot perform an ls to list files there or execute any files in that directory. Additionally, in my testing I could only cat files from /Users/\u003cuser\u003e/.Trash if I wrote them there.\r\nSandbox Escape\r\npublished a technique for escaping the macOS MS Office Sandbox:\r\nIn a nutshell, this technique creates a .zshenv file (which runs a payload), zips it into a .zip file with “~$” prepended to the filename, uploads it to the user’s home directory, and creates a Login Item for that newly added .zip file containing the .zshenv file. When the system reboots, the .zip file in the user’s home dir is extracted due to the Login Item entry, which drops the .zshenv file in the user’s home directory. Then, each time the user opens a new Terminal, .zshenv executes, which in turn executes a command and control payload.\r\nSummary\r\nI hope you found the information above useful, especially from a defensive perspective in terms of understanding what is still possible even from sandboxed MS Office macros on macOS. A high-fidelity detection that will find MS Office macro executions in general on macOS is searching for:\r\n[Any MS Office Product] → /bin/sh\r\nAny MS Office product that spawns a shell environment (/bin/sh, /bin/zsh, /bin/bash, etc.) should be considered malicious. I recommend adding detection content (and if possible prevention content) for this activity, given how high fidelity it is.\r\nSource: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a"
	],
	"report_names": [
		"macos-ms-office-sandbox-brain-dump-4509b5fed49a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f409062eb66697b42a24d30befa54a58bd80a6e0.pdf",
		"text": "https://archive.orkl.eu/f409062eb66697b42a24d30befa54a58bd80a6e0.txt",
		"img": "https://archive.orkl.eu/f409062eb66697b42a24d30befa54a58bd80a6e0.jpg"
	}
}