Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Launchctl

Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made [1]. Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute "arg" "arg" "arg". Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.

Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.

ID: T1152

Tactic: Defense Evasion, Execution, Persistence

Platform:  macOS

Permissions Required:  User, Administrator

Data Sources:  File monitoring, Process monitoring, Process command-line parameters

Supports Remote:  No

Defense Bypassed:  Application whitelisting, Process whitelisting, Whitelisting by file name or path

Version: 1.0

Examples

NameDescription
Calisto

Calisto uses launchctl to enable screen sharing on the victim’s machine.[2]

Mitigation

Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.

Detection

Knock Knock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk somewhere which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.

References