Try it using Invoke-Atomic

Scheduled Task/Job: Launchd

Description from ATT&CK

This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.

Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Event Monitor Daemon Persistence

This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.

Supported Platforms: macos

auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e

Inputs:

Name Description Type Default Value
script_location evil plist location path $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
script_destination Path where to move the evil plist path /etc/emond.d/rules/atomicredteam_T1053_004.plist
empty_file Random name of the empty file used to trigger emond service string randomflag

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
3
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}

Cleanup Commands:

1
2
3
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}

source