Матрица MITRE ATT&CK

Technique on mitre.org

T1569.001: Launchctl

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons.

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor command-line execution of the `launchctl` command immediately followed by abnormal network connections.

ID	DS0022	Data source and component	File: File Modification	Description	Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Plist files are located in the root, system, and users `/Library/LaunchAgents` or `/Library/LaunchDaemons` folders. Launch Agent or Launch Daemon with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious.

ID	DS0019	Data source and component	Service: Service Creation	Description	Monitor for newly constructed services/daemons to execute commands or programs. Notes: This detection is to identify a creation of “user mode service” where the service file path is located in non-common service folder in windows. Analytic 1 - Create Service In Suspicious File Path `(source="WinEventLog:Security" EventCode="4697") OR (source="WinEventLog:System" EventCode="7045") Service_File_Name = ".exe" NOT (Service_File_Name IN ("C:\Windows\", "%windir%\", "C:\Program File", "C:\Programdata\", "%systemroot%\")) Service_Type = "user mode service"`

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor command-line execution of the `launchctl` command immediately followed by abnormal network connections.
DS0022	File: File Modification	Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Plist files are located in the root, system, and users `/Library/LaunchAgents` or `/Library/LaunchDaemons` folders. Launch Agent or Launch Daemon with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious.
DS0019	Service: Service Creation	Monitor for newly constructed services/daemons to execute commands or programs. Notes: This detection is to identify a creation of “user mode service” where the service file path is located in non-common service folder in windows. Analytic 1 - Create Service In Suspicious File Path `(source="WinEventLog:Security" EventCode="4697") OR (source="WinEventLog:System" EventCode="7045") Service_File_Name = ".exe" NOT (Service_File_Name IN ("C:\Windows\", "%windir%\", "C:\Program File", "C:\Programdata\", "%systemroot%\")) Service_Type = "user mode service"`
DS0009	Process: Process Creation	Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.

Mitigation

ID	M1018	Name	User Account Management	Description	Prevent users from installing their own launch agents or launch daemons.

ID	Name	Description
M1018	User Account Management	Prevent users from installing their own launch agents or launch daemons.