Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Launch Daemon

Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories [3]. The daemon name may be disguised by using a name from a related operating system or benign software [4]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.

ID: T1160

Tactic: Persistence, Privilege Escalation

Platform:  macOS

Permissions Required:  Administrator

Effective Permissions:  root

Data Sources:  Process monitoring, File monitoring

Version: 1.0

Mitigation

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Detection

Monitor Launch Daemon creation through additional plist files and utilities such as Objective-See's Knock Knock application.

References