Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple's developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.
The plist file itself must be owned by root:wheel (launchd refuses to load a daemon plist that is not root-owned or that is writable by group or others), but launchd imposes no such requirement on the script or program the plist points to. A poorly configured daemon whose target executable is writable by an unprivileged user therefore lets an adversary replace that executable and gain persistence and, because the daemon runs as root, privilege escalation.
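The weak configuration described above can be checked for directly: parse each daemon plist, resolve the executable launchd would run (the Program key, otherwise ProgramArguments[0]), and test whether a non-root user could replace it. The following audit script is an added example, not code from the original page or from Atomic Red Team. It uses Python's standard plistlib, so it parses the same XML and binary plists launchd reads; the daemon labels com.example.weak and com.example.sound, the temp directory, and the two sample scripts are constructed here for the demo and are not real daemons. The demo passes root_uid=os.getuid() so the constructed files, which are owned by whoever runs the script, are judged by their mode bits only; against a real /Library/LaunchDaemons you would keep the default root_uid=0.

```python
"""Audit launch daemon plists for a target executable that non-root users can modify.

Added example (not from the original page). Launchd only loads plists that are
root-owned and not group/world-writable, but it never checks the program the
plist points at; this script does.
"""
import os
import plistlib
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Optional

LAUNCH_DAEMON_DIRS = ("/Library/LaunchDaemons", "/System/Library/LaunchDaemons")


@dataclass
class Finding:
    plist: str
    label: Optional[str]
    target: Optional[str]
    reasons: list = field(default_factory=list)  # why the target is untrustworthy

    @property
    def weak(self) -> bool:
        return bool(self.reasons)


def program_path(plist_dict: dict) -> Optional[str]:
    """launchd executes Program if it is set, otherwise ProgramArguments[0]."""
    if "Program" in plist_dict:
        return plist_dict["Program"]
    args = plist_dict.get("ProgramArguments") or []
    return args[0] if args else None


def executable_reasons(path: str, root_uid: int = 0) -> list:
    """Ways a user other than root could control the code launchd runs as root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Dangling target: whoever can create the file owns the daemon.
        return ["missing"]
    reasons = []
    if st.st_uid != root_uid:
        reasons.append("not-root-owned")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_plist(plist_path: str, root_uid: int = 0) -> Finding:
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    target = program_path(data)
    finding = Finding(plist_path, data.get("Label"), target)
    if target is None:
        finding.reasons.append("no-program")
        return finding
    finding.reasons = executable_reasons(target, root_uid)
    return finding


def audit_directory(dirpath: str, root_uid: int = 0) -> list:
    """Audit every *.plist in a LaunchDaemons-style directory."""
    return [audit_plist(os.path.join(dirpath, name), root_uid)
            for name in sorted(os.listdir(dirpath)) if name.endswith(".plist")]


def build_demo_dir() -> str:
    """Constructed sample: two daemons in a temp dir, one weak, one sound (not real daemons)."""
    d = tempfile.mkdtemp(prefix="ld-audit-")
    weak_exe = os.path.join(d, "weak.sh")
    sound_exe = os.path.join(d, "sound.sh")
    for p in (weak_exe, sound_exe):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hello world\n")
    os.chmod(weak_exe, 0o777)   # anyone can swap in a payload that launchd runs as root
    os.chmod(sound_exe, 0o755)
    for label, exe in (("com.example.weak", weak_exe), ("com.example.sound", sound_exe)):
        with open(os.path.join(d, label + ".plist"), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": [exe, "--flag"],
                           "RunAtLoad": True, "KeepAlive": True}, fh)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    # Demo files are owned by the current user, so treat that uid as the trusted owner.
    for f in audit_directory(demo, root_uid=os.getuid()):
        verdict = "WEAK " + ",".join(f.reasons) if f.weak else "ok"
        print(f"{f.label}: {f.target} -> {verdict}")
```

On a real host, replace the demo directory with each entry of LAUNCH_DAEMON_DIRS and run as root so every target is stat-able; a "missing" finding is worth the same attention as a writable one, since a plist that points at a path an unprivileged user can create is just as exploitable.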
Atomic test: Utilize LaunchDaemon to launch Hello World
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
plist_filename | Filename the plist is given inside /Library/LaunchDaemons (a reverse-DNS label is conventional) | string | com.atomicredteam.plist |
path_malicious_plist | Path to the plist file that is copied into /Library/LaunchDaemons and loaded | string | $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist |
Attack commands (run with bash; elevation required, since the plist must end up root-owned under /Library/LaunchDaemons):
sudo cp "#{path_malicious_plist}" "/Library/LaunchDaemons/#{plist_filename}"
sudo launchctl load -w "/Library/LaunchDaemons/#{plist_filename}"

Dependency: the plist file must exist at #{path_malicious_plist}.
Check prereq command (exit 0 when satisfied):
if [ -f "#{path_malicious_plist}" ]; then exit 0; else exit 1; fi;
Get prereq command (there is nothing to fetch automatically, so it only reports the missing file):
echo "The plist file doesn't exist. Check the path and try again."; exit 1;