Launch Daemon

Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories [3]. The daemon name may be disguised by using a name from a related operating system or benign software [4]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.

ID: T1160
Tactic: Persistence, Privilege Escalation
Platform: macOS
Permissions Required: Administrator
Effective Permissions: root
Data Sources: Process monitoring, File monitoring
Version: 1.0

Mitigations

Mitigation: User Account Management
Description: Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Examples

Name: OSX_OCEANLOTUS.D
Description: OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons. [5]

Detection

Monitor Launch Daemon creation through additional plist files and utilities such as Objective-See's Knock Knock application.
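A defender-side audit for the weak configuration described above (plist owned by root:wheel, but the program it points to writable by a non-root user) and for plists dropped into the daemon directories. This is an added example, not code from the ATT&CK page; the `Owner` tuple, the finding strings and the sample values in the checks are assumptions made here so the logic can run without real files.

```python
import os
import plistlib
import stat
from collections import namedtuple
from pathlib import Path

# Directories the page names as launchd's daemon sources.
DAEMON_DIRS = ("/Library/LaunchDaemons", "/System/Library/LaunchDaemons")

# Minimal ownership/mode view (hypothetical helper) so the checks can be
# exercised on constructed values as well as on os.stat() results.
Owner = namedtuple("Owner", "st_uid st_gid st_mode")

def target_program(plist):
    """Executable launchd will run: 'Program' if set, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def non_root_can_write(o):
    """True if a user other than root could modify the file (owner, group or world)."""
    if o.st_uid != 0:                       # owned by a non-root account
        return True
    if o.st_mode & stat.S_IWOTH:            # world-writable
        return True
    return bool(o.st_mode & stat.S_IWGRP) and o.st_gid != 0   # group-writable, group is not wheel

def audit(plist, plist_owner, prog_owner):
    """Findings for one daemon: a plist that is not root:wheel, and the case the
    page describes, a root:wheel plist whose program a non-root user can rewrite."""
    findings = []
    if plist_owner.st_uid != 0 or plist_owner.st_gid != 0:
        findings.append("plist not owned by root:wheel")
    prog = target_program(plist)
    if prog is None:
        findings.append("no Program/ProgramArguments")
    elif prog_owner is None:
        findings.append(f"program missing: {prog}")
    elif non_root_can_write(prog_owner):
        findings.append(f"program writable by non-root: {prog}")
    return findings

def audit_dirs(dirs=DAEMON_DIRS):
    """Walk the daemon directories and print every plist with findings."""
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                plist = plistlib.loads(p.read_bytes())
            except Exception as e:
                print(f"{p}: unreadable plist ({e})")
                continue
            prog = target_program(plist)
            prog_owner = os.stat(prog) if prog and os.path.exists(prog) else None
            for f in audit(plist, os.stat(p), prog_owner):
                print(f"{p}: {f}")

if __name__ == "__main__":
    audit_dirs()
```

Run it periodically, or on a file-monitoring event for the two directories, and compare the output against a known-good baseline to catch newly added daemons as well as existing ones whose target program has become writable.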

References