Scheduled Task/Job: Launchd

Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].

An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.

ID: T1053.004
Sub-technique of:  T1053
Tactics: Execution, Persistence, Privilege Escalation
Platforms: macOS
Permissions Required: root
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Version: 1.0
Created: 03 December 2019
Last Modified: 23 March 2020

Mitigations

Mitigation Description
Audit

Audit logging for launchd events in MacOS can be reviewed or centrally collected using multiple options, such as syslog, OpenBSM, or OSquery.

User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Detection

Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.

Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

References