T1569.001 - Launchctl

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w “%s/Library/LaunchAgents/%s” or /bin/launchctl load to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

Atomic Tests

Atomic Test #1 - LaunchctlUtilize launchctl

Supported Platforms: macos#### Attack Commands: Run with bash

launchctl submit -l evil -- /System/Applications/Calculator.app/Contents/MacOS/Calculator

Invoke-AtomicTest T1569.001 -TestNumbers 1

Cleanup:

launchctl remove evil

Invoke-AtomicTest T1569.001 -TestNumbers 1 -Cleanup

Detection

Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders.

Monitor command-line execution of the launchctl command immediately followed by abnormal network connections. Launch Agents or Launch Daemons with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious.

When removing Launch Agents or Launch Daemons ensure the services are unloaded prior to deleting plist files.