Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include launchctl load, launchctl unload, and launchctl start. Adversaries can use scripts or manually run commands such as launchctl load -w "%s/Library/LaunchAgents/%s" (the %s tokens are printf-style placeholders that the malware fills in at runtime with the target home directory and the plist name) or /bin/launchctl load to execute Launch Agents or Launch Daemons. The -w flag overrides the plist's Disabled key and stores that override on disk, so a job loaded this way continues to load at every subsequent login or boot. On macOS 10.10 and later, load and unload are legacy spellings; launchctl bootstrap and launchctl bootout register and remove jobs in the same way, so detection logic should cover both forms.
AppleJeus has loaded a plist file using the
Calisto uses launchctl to enable screen sharing on the victim’s machine.
LoudMiner launched the QEMU services in the
macOS.OSAMiner has used
XCSSET loads a system level launchdaemon using the
|ID|Mitigation|Description|
|M1018|User Account Management|Prevent users from installing their own launch agents or launch daemons.|
|ID|Data Source|Data Component|Detects|
| | | |Monitor command-line execution of launchctl.|
| | | |Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Plist files are located in the root, system, and users|
| | | |Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.|
| | | |Monitor for newly constructed services/daemons to execute commands or programs.|
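The script below is an added example, not code from the ATT&CK page or from any of the software listed above. It ties the command lines discussed earlier (launchctl load -w ... and /bin/launchctl load) to the detection rows: it writes a constructed Launch Agent plist into a temporary directory (the label com.example.updater and the program path are assumptions), audits it with plistlib the way a file monitor reviewing new plists would, and classifies constructed process command lines to flag launchctl invocations that register or start a job, noting when load -w was used, since that override persists. Only the standard library is used, so it runs on any OS; on a real Mac, point audit_dir at /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents.

```python
"""Audit launchd job plists and launchctl command lines (added example).

Runs anywhere with the Python standard library: the plist and the command
lines below are constructed sample data, not real telemetry.
"""
import os
import plistlib
import shlex
import tempfile

# Apple-owned job directories; jobs anywhere else were installed by an admin,
# a user or malware.
SYSTEM_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")

# A persistent job whose program lives in temp space or a user home is unusual.
SUSPICIOUS_PROGRAM_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/",
                               "/private/var/folders/", "/Users/")

# Subcommands that register or start a job. load/unload are the legacy
# spelling; bootstrap/bootout/kickstart are the macOS 10.10+ equivalents.
JOB_SUBCOMMANDS = {"load", "bootstrap", "submit", "start", "kickstart"}


def audit_plist(path):
    """Describe one launchd job plist and list the properties worth a look."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    findings = []
    if program is None:
        findings.append("no Program or ProgramArguments")
    elif program.startswith(SUSPICIOUS_PROGRAM_PREFIXES):
        findings.append("program in temp or user-writable path: " + program)
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login/boot")
    if job.get("KeepAlive"):
        findings.append("KeepAlive: relaunched if it exits")
    if job.get("Disabled"):
        findings.append("Disabled in plist: loads only if 'launchctl load -w' overrode it")
    return {"label": job.get("Label"), "program": program, "findings": findings}


def audit_dir(dirpath):
    """Audit every .plist in a LaunchAgents/LaunchDaemons directory."""
    return [audit_plist(os.path.join(dirpath, name))
            for name in sorted(os.listdir(dirpath)) if name.endswith(".plist")]


def classify_launchctl(cmdline):
    """Return details if cmdline registers/starts a launchd job, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if len(argv) < 2 or os.path.basename(argv[0]) != "launchctl":
        return None
    sub = argv[1]
    if sub not in JOB_SUBCOMMANDS:
        return None
    flags = [a for a in argv[2:] if a.startswith("-")]
    targets = [a for a in argv[2:] if not a.startswith("-")]
    target = targets[-1] if targets else None
    return {
        "subcommand": sub,
        "target": target,
        # 'load -w' clears the plist's Disabled key and stores that override
        # on disk, so the job keeps loading at every later login/boot.
        "persistent_override": sub == "load" and "-w" in flags,
        # A plist outside Apple's directories was supplied by an admin, a user
        # or malware; that is where Launch Agent persistence normally lands.
        "non_system_plist": bool(target) and target.endswith(".plist")
                            and not target.startswith(SYSTEM_DIRS),
    }


def scan_log(cmdlines):
    """Keep only the command lines that register or start a job."""
    hits = (classify_launchctl(line) for line in cmdlines)
    return [h for h in hits if h]


# Constructed process command lines (assumed paths and labels).
SAMPLE_CMDLINES = [
    'launchctl load -w "/Users/alice/Library/LaunchAgents/com.example.updater.plist"',
    "/bin/launchctl load /Library/LaunchDaemons/com.example.helper.plist",
    "launchctl list",
    "launchctl bootstrap gui/501 /tmp/com.example.agent.plist",
    "/bin/ls -la /Library/LaunchAgents",
]


def write_sample_agent(dirpath):
    """Write a constructed Launch Agent plist like one dropped for persistence."""
    job = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Users/alice/Library/.updater/run.sh", "--quiet"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    path = os.path.join(dirpath, "com.example.updater.plist")
    with open(path, "wb") as fh:
        plistlib.dump(job, fh)
    return path


def demo():
    """Run both checks on the constructed data; returns (plist audit, log hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agent(tmp)
        return audit_dir(tmp), scan_log(SAMPLE_CMDLINES)


if __name__ == "__main__":
    plists, hits = demo()
    for entry in plists:
        print(entry["label"], entry["program"], *entry["findings"], sep="\n  ")
    for hit in hits:
        print(hit)
```

The two checks are deliberately independent: the plist audit catches jobs that were dropped and loaded without any observed command line (for example through a reboot), while the command-line classifier catches a launchctl call even when the plist was written and deleted between scans. Pairing the "persistent_override" flag with a "non_system_plist" target is the combination to alert on first.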