Create or Modify System Process: Launch Daemon
Other sub-techniques of Create or Modify System Process (4)
ID | Name |
---|---|
T1543.001 | Launch Agent |
T1543.002 | Systemd Service |
T1543.003 | Windows Service |
T1543.004 | Launch Daemon |
Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].
Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories [3]. The daemon name may be disguised by using a name from a related operating system or benign software [4]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.
The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.
Procedure Examples
Name | Description |
---|---|
Bundlore | |
Dacls | |
LoudMiner | LoudMiner added plist files in |
OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D can create a persistence file in the folder |
Mitigations
Mitigation | Description |
---|---|
User Account Management | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons. |
Detection
Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application.
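As an added illustration of this detection guidance (example code, not MITRE's or Objective-See's), the following Python audit reads each plist in the LaunchDaemons directories named above, resolves the executable it launches, and flags the two weaknesses the technique description calls out: a plist not owned by root:wheel, and a target binary that a non-root user could modify before launchd runs it as root. The sample plist labels and paths are constructed assumptions.

```python
import os
import plistlib
import stat
from pathlib import Path

# Directories launchd reads system-level daemons from (named in the technique description).
LAUNCH_DAEMON_DIRS = ["/System/Library/LaunchDaemons", "/Library/LaunchDaemons"]

def daemon_target(plist_bytes):
    """Executable a LaunchDaemon plist points to: 'Program', else ProgramArguments[0]."""
    d = plistlib.loads(plist_bytes)
    if d.get("Program"):
        return d["Program"]
    args = d.get("ProgramArguments")
    return args[0] if args else None

def audit_daemon(plist_bytes, plist_owner, target_info):
    """plist_owner=(uid, gid) of the plist; target_info=(uid, mode) of the launched file or None."""
    findings = []
    if plist_owner != (0, 0):  # launchd expects root:wheel on the plist itself
        findings.append("plist is not owned by root:wheel")
    target = daemon_target(plist_bytes)
    if target is None:
        return findings + ["plist has no Program/ProgramArguments"]
    if target_info is None:
        return findings + [f"target {target} does not exist"]
    uid, mode = target_info
    if uid != 0:
        findings.append(f"target {target} is not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # modifiable by non-root, yet executed as root
        findings.append(f"target {target} is group- or world-writable")
    return findings

def audit_directory(directory):
    """Stat each plist in a LaunchDaemons directory and its target; return {name: findings}."""
    results = {}
    for plist in sorted(Path(directory).glob("*.plist")):
        data, pst = plist.read_bytes(), plist.stat()
        target, info = daemon_target(data), None
        if target and os.path.exists(target):
            tst = os.stat(target)
            info = (tst.st_uid, stat.S_IMODE(tst.st_mode))
        results[plist.name] = audit_daemon(data, (pst.st_uid, pst.st_gid), info)
    return results

# Constructed sample plists (not from any real software) to exercise the checks offline.
SAMPLE_PLIST = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                               "ProgramArguments": ["/usr/local/bin/example-updater", "--daemon"]})
SAMPLE_NO_PROGRAM = plistlib.dumps({"Label": "com.example.empty"})
```

On a macOS host, `audit_directory(d)` for each entry in `LAUNCH_DAEMON_DIRS` returns an empty finding list for correctly configured daemons; any non-empty entry is a plist or target worth comparing against a known-good baseline or a KnockKnock listing.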
References
- Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.
- Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.