Scheduled Task/Job: Launchd
Adversaries may abuse the launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /Library/LaunchDaemons. These LaunchDaemons have property list files which point to the executables that will be launched.
An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.
Audit logging for
|ID|Mitigation|Description|
|---|---|---|
|M1018|User Account Management|Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.|
Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.
Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
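The description above explains that launchd reads plist files which name the executable to launch and how it is scheduled, and the detection guidance asks for new or outlier entries to be compared against historical data. The following is an added example, not part of the MITRE page, showing how a defender can triage those plists: it parses each property list with Python's standard plistlib, pulls out the executable (the Program key or the first element of ProgramArguments), the scheduling keys, and the account the job runs under, then flags entries whose Label has not been seen in a baseline or whose executable lives in a user-writable location. The two plists, the baseline labels, and the list of suspicious path prefixes are constructed for the example.

```python
"""Triage macOS launchd property lists for scheduled-task persistence.

Added example (not MITRE's or Apple's code). Assumptions, labelled here:
the baseline label set, the sample plists and SUSPICIOUS_PREFIXES are
constructed; the remaining keys (Label, Program, ProgramArguments,
RunAtLoad, StartInterval, StartCalendarInterval, KeepAlive, UserName) are
standard launchd plist keys.
"""
import os
import plistlib
from typing import Dict, List, Optional, Set

# launchd loads system-level daemons from these directories; they run as
# root regardless of which user is logged in unless UserName says otherwise.
SYSTEM_DAEMON_DIRS = ("/Library/LaunchDaemons", "/System/Library/LaunchDaemons")

# Constructed assumption: a legitimately installed daemon rarely executes
# from a world-writable or shared location.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Keys that cause launchd to run the job at load time or on a schedule.
SCHEDULING_KEYS = ("RunAtLoad", "StartInterval", "StartCalendarInterval", "KeepAlive")

# Constructed baseline of labels seen during previous inventories.
BASELINE_LABELS: Set[str] = {"com.example.backupagent", "com.example.monitoring"}

# Constructed sample: installed by known software, runs nightly as a service account.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backupagent</string><string>--daemon</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>2</integer><key>Minute</key><integer>0</integer></dict>
  <key>UserName</key><string>_backup</string>
</dict></plist>"""

# Constructed sample: unknown label, executable in /tmp, runs at load and every 5 minutes.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updatehelper</string>
  <key>Program</key><string>/tmp/updatehelper</string>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict></plist>"""


def program_path(job: dict) -> Optional[str]:
    """Return the executable the job points at: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    if args:
        return args[0]
    return None


def triage_plist(data: bytes, source_dir: str, baseline: Set[str]) -> Dict[str, object]:
    """Parse one plist and report what it launches, when, as whom, and why it is notable."""
    job = plistlib.loads(data)
    label = job.get("Label", "<missing Label>")
    exe = program_path(job)
    reasons: List[str] = []
    if label not in baseline:
        reasons.append("label not present in baseline inventory")
    if exe is None:
        reasons.append("no Program or ProgramArguments key")
    elif exe.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("executable located in a user-writable directory")
    # System daemons default to root; agents run as the logged-in user.
    if source_dir in SYSTEM_DAEMON_DIRS:
        runs_as = job.get("UserName", "root")
    else:
        runs_as = "<logged-in user>"
    return {
        "label": label,
        "executable": exe,
        "schedule": {k: job[k] for k in SCHEDULING_KEYS if k in job},
        "runs_as": runs_as,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan_directory(directory: str, baseline: Set[str]) -> List[Dict[str, object]]:
    """Triage every .plist in a launchd directory on a live host."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results.append(triage_plist(fh.read(), directory, baseline))
    return results


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPECT_PLIST):
        print(triage_plist(sample, "/Library/LaunchDaemons", BASELINE_LABELS))
```

The baseline set is what turns this from a one-off listing into the comparison against historical data the detection text calls for: run scan_directory on a known-good host to seed it, then diff later results and investigate any label, executable path or schedule that appears without a matching software install or patch cycle.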