T1569.001 Launchctl
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1]

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include `launchctl load`, `launchctl unload`, and `launchctl start`. Adversaries can use scripts or manually run the commands `launchctl load -w "%s/Library/LaunchAgents/%s"` or `/bin/launchctl load` to execute Launch Agents or Launch Daemons.[2][3]
Item | Value |
---|---|
ID | T1569.001 |
Sub-techniques | T1569.001, T1569.002 |
Tactics | TA0002 |
Platforms | macOS |
Permissions required | User, root |
Version | 1.1 |
Created | 10 March 2020 |
Last Modified | 15 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0584 | AppleJeus | AppleJeus has loaded a plist file using the `launchctl` command.[6] |
S0274 | Calisto | Calisto uses `launchctl` to enable screen sharing on the victim's machine.[4] |
S0451 | LoudMiner | LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using `launchctl`. It also uses `launchctl` to unload all Launch Daemons when updating to a newer version of LoudMiner.[5] |
S1048 | macOS.OSAMiner | macOS.OSAMiner has used `launchctl` to restart the Launch Agent.[7] |
S0658 | XCSSET | XCSSET loads a system-level launch daemon using the `launchctl load -w` command from /System/Library/LaunchDaemons/ssh.plist.[8] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1018 | User Account Management | Prevent users from installing their own launch agents or launch daemons. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Modification |
DS0009 | Process | Process Creation |
DS0019 | Service | Service Creation |
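As an added example (not part of the ATT&CK page), a small Python triage routine a defender could run over Command Execution / Process Creation records: it parses launchctl job-control invocations, pulls out the plist path and the `-w` flag the description mentions, and states why each event deserves a look. The sample command lines, the com.example job labels and the coverage of the newer bootstrap/bootout/kickstart subcommands are assumptions; the page itself names only load, unload and start.

```python
import re
import shlex
# load/unload/start are the subcommands the technique describes; bootstrap/bootout/
# kickstart are their modern equivalents and are included as an assumption.
JOB_SUBCOMMANDS = {"load", "unload", "start", "bootstrap", "bootout", "kickstart"}
# Directories where system-wide Launch Agents / Daemons are normally installed.
SYSTEM_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/",
               "/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Per-user agents (~/Library/LaunchAgents) need no root, so they are matched separately.
USER_AGENT_RE = re.compile(r"^(/Users/[^/]+|~)/Library/LaunchAgents/")

def parse_launchctl(cmdline: str):
    """Details of a launchctl job-control invocation, or None if cmdline is not one."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: nothing we can reason about
        return None
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "launchctl" or argv[1] not in JOB_SUBCOMMANDS:
        return None
    args = argv[2:]
    plist = next((a for a in args if a.endswith(".plist")), None)
    return {"subcommand": argv[1], "plist": plist, "persistent": "-w" in args}

def reasons_for(ev: dict) -> list:
    """Why a defender should look at this event; an empty list means nothing stood out."""
    out = []
    if ev["persistent"]:
        out.append("-w: job stays enabled across reboots")
    p = ev["plist"]
    if p and USER_AGENT_RE.match(p):
        out.append("per-user Launch Agent (no root needed)")
    elif p and not p.startswith(SYSTEM_DIRS):
        out.append("plist outside the standard Launch Agent/Daemon directories")
    return out

def triage(cmdlines: list) -> list:
    """Keep only launchctl job-control command lines, each with its parsed event and reasons."""
    parsed = ((line, parse_launchctl(line)) for line in cmdlines)
    return [(line, ev, reasons_for(ev)) for line, ev in parsed if ev]

# Constructed sample process-creation command lines (not taken from any real incident).
SAMPLE_CMDLINES = [
    '/bin/launchctl load -w "/Users/alice/Library/LaunchAgents/com.example.updater.plist"',
    "launchctl load /Library/LaunchDaemons/org.example.qemu.plist",
    "launchctl bootstrap gui/501 /tmp/.cache/com.example.agent.plist",
    "launchctl list",
]
if __name__ == "__main__":
    for line, ev, why in triage(SAMPLE_CMDLINES):
        print(f"{ev['subcommand']:10} {line}\n    " + ("; ".join(why) or "nothing stood out"))
```

A daemon load from /Library/LaunchDaemons/ without `-w` produces no reasons here, so pair this with File Modification telemetry on those directories rather than relying on the command line alone.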
References
2. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
3. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
4. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
5. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
6. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea's Cryptocurrency Malware. Retrieved March 1, 2021.
7. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
8. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.