T1543.004.md

Latest commit: CircleCI Atomic Red Team doc generator, Sep 29, 2020 (910a2a7)
56 lines (32 loc) · 2.62 KB
T1543.004 - Launch Daemon

Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file itself must be owned by root:wheel, but the script or program it points to has no such requirement. Poorly configured permissions on that target can therefore allow an adversary to modify an existing Launch Daemon's executable and gain persistence or Privilege Escalation.
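The misconfiguration described above can be checked mechanically. The following is an added example (not code from Atomic Red Team or Apple): it walks a LaunchDaemons directory, parses each plist with the standard library, resolves the program launchd would run, and reports plists not owned by root:wheel and target executables that a non-root user could modify. The directory argument, and the labels, paths and file contents in the fixture, are constructed for the example.

```python
"""Audit launchd daemon plists for the weak configuration described above."""
import os
import plistlib
import stat
import tempfile
from typing import Dict, List


def program_path(plist: Dict) -> str:
    """Return the executable a launchd plist will run: Program wins,
    otherwise the first element of ProgramArguments."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def plist_owner_findings(uid: int, gid: int) -> List[str]:
    """launchd requires root:wheel (uid 0, gid 0) on the plist itself."""
    findings = []
    if uid != 0 or gid != 0:
        findings.append(f"plist not owned by root:wheel (uid={uid}, gid={gid})")
    return findings


def target_findings(st: os.stat_result) -> List[str]:
    """The target has no ownership requirement, so flag anything a
    non-root user could rewrite: non-root owner, or group/world write bits."""
    findings = []
    if st.st_uid != 0:
        findings.append(f"target owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        findings.append("target is group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("target is world-writable")
    return findings


def audit_launch_daemons(directory: str) -> Dict[str, List[str]]:
    """Map each plist filename to its list of findings (empty list = clean).
    The directory is a parameter (assumption) so the audit can run against
    /Library/LaunchDaemons on a real host or against a fixture here."""
    report: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        findings = plist_owner_findings(st.st_uid, st.st_gid)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth reporting
            report[name] = findings + [f"unparseable plist: {exc}"]
            continue
        target = program_path(plist)
        if not target:
            findings.append("no Program/ProgramArguments")
        elif not os.path.exists(target):
            findings.append(f"target missing: {target}")
        else:
            findings += target_findings(os.stat(target))
        report[name] = findings
    return report


def build_fixture() -> str:
    """Constructed sample: a daemon whose plist points at a world-writable
    script. Label, paths and contents are made up for this example."""
    root = tempfile.mkdtemp(prefix="launchdaemons_")
    script = os.path.join(root, "helper.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hello\n")
    os.chmod(script, 0o777)  # the weak permission the text warns about
    plist = {"Label": "com.example.helper",
             "ProgramArguments": [script],
             "RunAtLoad": True}
    with open(os.path.join(root, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump(plist, fh)
    return root


if __name__ == "__main__":
    for name, findings in audit_launch_daemons(build_fixture()).items():
        print(name, "->", findings or ["clean"])
```

On a real host the plist-ownership finding should never fire for a daemon launchd actually loaded; the target findings are the ones that point at an executable an unprivileged user could swap for their own code that then runs as root.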

Atomic Tests


Atomic Test #1 - Launch Daemon

Utilize LaunchDaemon to launch Hello World

Supported Platforms: macOS

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.plist |
| path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist |

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}

Dependencies: Run with bash!

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
Check Prereq Commands:
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
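The observable artifact this test leaves is a new plist in /Library/LaunchDaemons. The following added example (not Atomic Red Team code) shows the change detection a defender would run: snapshot() records each daemon plist's Label and the program it will run, and new_daemons() reports labels present in a later snapshot but absent from a baseline. The directory argument, the plist contents and the program path are constructed here; the file name com.atomicredteam.plist is taken from the test's default input, but what the real atomicredteam_T1543_004.plist contains is not on this page and is not assumed.

```python
"""Detect launch daemons added since a baseline snapshot of the directory."""
import os
import plistlib
import tempfile
from typing import Dict, List, Tuple


def program_of(plist: Dict) -> str:
    """Executable launchd will run for this plist (Program, else argv[0])."""
    return plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]


def snapshot(directory: str) -> Dict[str, Tuple[str, str]]:
    """Map Label -> (plist filename, program path) for every parseable plist."""
    seen: Dict[str, Tuple[str, str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except plistlib.InvalidFileException:
                continue  # not a plist at all; the audit example reports these
        label = plist.get("Label") or name  # fall back to the filename if Label is absent
        seen[label] = (name, program_of(plist))
    return seen


def new_daemons(baseline: Dict[str, Tuple[str, str]],
                current: Dict[str, Tuple[str, str]]) -> List[str]:
    """One report line per label present now but missing from the baseline."""
    return [f"{label}: {fname} runs {prog}"
            for label, (fname, prog) in sorted(current.items())
            if label not in baseline]


def simulate_install(directory: str, label: str, program: str) -> None:
    """Constructed stand-in for `sudo cp <plist> /Library/LaunchDaemons/`."""
    plist = {"Label": label, "ProgramArguments": [program], "RunAtLoad": True}
    with open(os.path.join(directory, label + ".plist"), "wb") as fh:
        plistlib.dump(plist, fh)


def demo() -> List[str]:
    """Baseline with one constructed daemon, then an install mirroring the test."""
    directory = tempfile.mkdtemp(prefix="launchdaemons_")
    simulate_install(directory, "com.example.existing", "/usr/bin/true")  # constructed baseline entry
    before = snapshot(directory)
    # Constructed: same file name as the test's default plist_filename, made-up program path.
    simulate_install(directory, "com.atomicredteam", "/tmp/hello_world.sh")
    return new_daemons(before, snapshot(directory))


if __name__ == "__main__":
    for line in demo():
        print("new launch daemon:", line)
```

Taking the baseline from a known-good image and re-running snapshot() on a schedule turns this into a simple file-integrity check for the directory; pairing each new label with its program path gives the responder the binary to examine rather than just a filename.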