T1543.004: Launch Daemon
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.
Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. Masquerading). When the Launch Daemon is executed, the program inherits administrative permissions.
Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.
Detection
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the |
|---|
| ID | DS0019 | Data source and component | Service: Service Creation | Description | Monitor for newly constructed services may create or modify Launch Daemons to execute malicious payloads as part of persistence. |
|---|
| ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes that may create or modify Launch Daemons to execute malicious payloads as part of persistence. |
|---|
| ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for new files added to the |
|---|
| ID | DS0022 | Data source and component | File: File Modification | Description | Monitor files for changes that may create or modify Launch Daemons to execute malicious payloads as part of persistence. |
|---|
| ID | DS0019 | Data source and component | Service: Service Modification | Description | Monitor services for changes made to Launch Daemons to execute malicious payloads as part of persistence. |
|---|
Mitigation
| ID | M1018 | Name | User Account Management | Description | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons. |
|---|
| ID | M1047 | Name | Audit | Description | Use auditing tools capable of detecting folder permissions abuse opportunities on systems, especially reviewing changes made to folders by third-party software. |
|---|