T1569.001 Launchctl
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.1
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w “%s/Library/LaunchAgents/%s” or /bin/launchctl load to execute Launch Agents or Launch Daemons.23
| Item | Value |
|---|---|
| ID | T1569.001 |
| Sub-techniques | T1569.001, T1569.002 |
| Tactics | TA0002 |
| Platforms | macOS |
| Permissions required | User, root |
| Version | 1.1 |
| Created | 10 March 2020 |
| Last Modified | 15 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0584 | AppleJeus | AppleJeus has loaded a plist file using the launchctl command.6 |
| S0274 | Calisto | Calisto uses launchctl to enable screen sharing on the victim’s machine.4 |
| S0451 | LoudMiner | LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.5 |
| S1048 | macOS.OSAMiner | macOS.OSAMiner has used launchctl to restart the Launch Agent.7 |
| S0658 | XCSSET | XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.8 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Prevent users from installing their own launch agents or launch daemons. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Modification |
| DS0009 | Process | Process Creation |
| DS0019 | Service | Service Creation |
References
-
Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. ↩
-
Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. ↩
-
Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. ↩
-
Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. ↩
-
Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. ↩
-
Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. ↩
-
Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. ↩