Create or Modify System Process: Launch Daemon

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.[1][2][3]

Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. Masquerading). When the Launch Daemon is executed, the program inherits administrative permissions.[4][5]

Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.[6][7]

ID: T1543.004
Sub-technique of:  T1543
Platforms: macOS
Permissions Required: Administrator
Effective Permissions: Administrator, root
Version: 1.2
Created: 17 January 2020
Last Modified: 30 March 2023

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has placed a plist file within the LaunchDaemons folder and launched it manually.[8][9]

S0482 Bundlore

Bundlore can persist via a LaunchDaemon.[10]

S1105 COATHANGER

COATHANGER will create a daemon for timed check-ins with command and control infrastructure.[11]

S0497 Dacls

Dacls can establish persistence via a Launch Daemon.[12][13]

S0690 Green Lambert

Green Lambert can add a plist file in the Library/LaunchDaemons to establish persistence.[14][15]

S0451 LoudMiner

LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.[16]

S0352 OSX_OCEANLOTUS.D

If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[17][18]

S0595 ThiefQuest

When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon. [19]

S0658 XCSSET

XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.[20]

Mitigations

ID Mitigation Description
M1047 Audit

Use auditing tools capable of detecting folder permissions abuse opportunities on systems, especially reviewing changes made to folders by third-party software.

M1018 User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present. [3]

DS0022 File File Creation

Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.

File Modification

Monitor files for changes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.

DS0009 Process Process Creation

Monitor for newly executed processes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.

DS0019 Service Service Creation

Monitor for newly constructed services may create or modify Launch Daemons to execute malicious payloads as part of persistence.

Service Modification

Monitor services for changes made to Launch Daemons to execute malicious payloads as part of persistence.

References