T1543.004 - Create or Modify System Process: Launch Daemon

Description from ATT&CK

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists) Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection) Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)

Atomic Tests

Atomic Test #1 - Launch Daemon
Atomic Test #2 - Launch Daemon - Users Directory

Atomic Test #1 - Launch Daemon

Utilize LaunchDaemon to launch

1	Hello World

Supported Platforms: macOS

auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf

Inputs:

Attack Commands: Run with

1
bash

! Elevation Required (e.g. root or admin)

sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}

Cleanup Commands:

sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt

Dependencies: Run with

1
bash

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

echo "The plist file doesn't exist. Check the path and try again."; exit 1;

Atomic Test #2 - Launch Daemon - Users Directory

Utilize LaunchDaemon in /Users directory to touch temporary file in /tmp

Supported Platforms: macOS

auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438

Inputs:

Attack Commands: Run with

1
bash

! Elevation Required (e.g. root or admin)

sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}

Cleanup Commands:

sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt

Dependencies: Run with

1
bash

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

echo "The plist file doesn't exist. Check the path and try again."; exit 1;

T1543.004 - Create or Modify System Process: Launch Daemon

Description from ATT&CK

Atomic Tests

Atomic Test #1 - Launch Daemon

Inputs:

Attack Commands: Run with `1 bash`! Elevation Required (e.g. root or admin)

Cleanup Commands:

Dependencies: Run with `1 bash`!

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

Get Prereq Commands:

Atomic Test #2 - Launch Daemon - Users Directory

Inputs:

Attack Commands: Run with `1 bash`! Elevation Required (e.g. root or admin)

Cleanup Commands:

Dependencies: Run with `1 bash`!

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

Get Prereq Commands:

T1543.004 - Create or Modify System Process: Launch Daemon

Description from ATT&CK

Atomic Tests

Atomic Test #1 - Launch Daemon

Inputs:

Attack Commands: Run with 1 bash ! Elevation Required (e.g. root or admin)

Cleanup Commands:

Dependencies: Run with 1 bash !

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

Get Prereq Commands:

Atomic Test #2 - Launch Daemon - Users Directory

Inputs:

Attack Commands: Run with 1 bash ! Elevation Required (e.g. root or admin)

Cleanup Commands:

Dependencies: Run with 1 bash !

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

Get Prereq Commands:

Attack Commands: Run with `1 bash`! Elevation Required (e.g. root or admin)

Dependencies: Run with `1 bash`!

Attack Commands: Run with `1 bash`! Elevation Required (e.g. root or admin)

Dependencies: Run with `1 bash`!