System Services: Launchctl
Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agents and Launch Daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Running a command from launchctl is as simple as
launchctl submit -l . Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.
|User Account Management||
Prevent users from installing their own launch agents or launch daemons.
KnockKnock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.