sigmamediumHunting

Launch Agent/Daemon Execution Via Launchctl

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

MITRE ATT&CK

privilege-escalationexecutionpersistence

Detection Query

selection:
  Image|endswith: /launchctl
  CommandLine|contains:
    - submit
    - load
    - start
condition: selection

Author

Pratinav Chandra

Created

2024-05-13

Data Sources

macosProcess Creation Events

Platforms

macos

References

Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1569.001attack.t1543.001attack.t1543.004

Raw Content

title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
    - https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1569.001
    - attack.t1543.001
    - attack.t1543.004
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/launchctl'
        CommandLine|contains:
            - 'submit'
            - 'load'
            - 'start'
    condition: selection
falsepositives:
    - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium