Description
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During macOS startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemon parameters include a Label to identify the job and a Program (or ProgramArguments) entry giving the path to the executable; the optional RunAtLoad key specifies whether the job starts as soon as launchd loads it. Launch Daemons are often used to provide access to shared resources, deliver software updates, or run automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
Adversaries may install a Launch Daemon configured to execute at startup by setting RunAtLoad to true and Program to the path of the malicious executable. The daemon name may be disguised with a name taken from the operating system or from benign software (i.e., Masquerading). Because launchd runs daemons as root by default, the program executes with administrative permissions when the Launch Daemon is loaded.(Citation: WireLurker)(Citation: OSX Malware Detection)
Additionally, system configuration changes (such as the installation of third-party package management software) may leave folders such as /usr/local/bin world-writable. A poorly configured system therefore lets an adversary replace an executable referenced by an existing Launch Daemon plist, and so run code as root at the next load, without needing the privileges required to install a new daemon.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)
Platforms
macOS
Mitigations (2)
User Account Management (M1018)
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
Audit (M1047)
Use auditing tools capable of detecting folder-permission abuse opportunities on systems, in particular reviewing permission changes made to folders (such as /usr/local/bin) by third-party software, since a world-writable directory holding a daemon's executable lets any local user replace it.
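The following is an added example, not MITRE's or any vendor's code, covering both the plist fields described above and the Audit mitigation: it reads every plist in a LaunchDaemons directory, resolves the executable launchd would run (Program, else the first ProgramArguments entry), reports RunAtLoad, and flags jobs whose executable or its parent directory is writable by unprivileged users, the hijack condition from the description. The two plists, their labels (com.apple.softwareupdated, com.example.backup) and the directory layout are constructed for the demo and written to a temporary directory so the audit runs offline on any OS; on macOS, point audit_launch_daemons() at /Library/LaunchDaemons instead.

```python
import os
import plistlib
import stat
import tempfile

# Added example, not MITRE's or any vendor's code. Fixture plists, labels and
# paths below are constructed for the demo; the audit itself works on a real
# /Library/LaunchDaemons directory.

SYSTEM_DAEMON_DIR = "/System/Library/LaunchDaemons"


def executable_for(plist):
    """Return the path launchd runs: Program if present, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def other_can_write(path):
    """True when 'other' may modify path. A sticky world-writable directory
    (/tmp style) stops non-owners renaming or unlinking existing files, so it
    is not counted; a plain 0777 directory lets anyone swap the executable."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    if stat.S_ISDIR(mode):
        return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)
    return bool(mode & stat.S_IWOTH)


def audit_launch_daemons(daemons_dir):
    """One finding per .plist: file, label, executable, run_at_load, issues[]."""
    findings = []
    for name in sorted(os.listdir(daemons_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(daemons_dir, name), "rb") as f:
            plist = plistlib.load(f)
        label, exe, issues = plist.get("Label"), executable_for(plist), []
        if not label or not exe:
            issues.append("malformed: Label or Program/ProgramArguments missing")
        if exe and other_can_write(exe):
            issues.append("hijackable: executable is world-writable")
        if exe and other_can_write(os.path.dirname(exe)):
            issues.append("hijackable: executable's directory is world-writable")
        if exe and not os.path.exists(exe):
            issues.append("dangling: executable missing, whoever can write its directory supplies it")
        # Triage hint only: Apple's own daemons ship under /System/Library, so a
        # com.apple.* label in /Library/LaunchDaemons deserves a manual look.
        if label and label.startswith("com.apple.") and not daemons_dir.startswith(SYSTEM_DAEMON_DIR):
            issues.append("review: com.apple.* label outside " + SYSTEM_DAEMON_DIR)
        findings.append({"file": name, "label": label, "executable": exe,
                         "run_at_load": bool(plist.get("RunAtLoad", False)),
                         "issues": issues})
    return findings


def build_fixture(root):
    """Write two constructed plists under root/Library/LaunchDaemons; return that dir."""
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    loose = os.path.join(root, "usr", "local", "bin")  # stands in for a /usr/local/bin left 0777
    tight = os.path.join(root, "usr", "libexec")       # normal 0755 system directory
    for d in (daemons, loose, tight):
        os.makedirs(d)
    for d, tool in ((loose, "updater"), (tight, "backupd")):
        with open(os.path.join(d, tool), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(d, tool), 0o755)
    os.chmod(loose, 0o777)
    os.chmod(tight, 0o755)
    jobs = {
        # Masquerading label, starts at boot, executable lives in the writable directory.
        "com.apple.softwareupdated.plist": {
            "Label": "com.apple.softwareupdated",
            "Program": os.path.join(loose, "updater"),
            "RunAtLoad": True, "KeepAlive": True},
        # Benign-looking job: ProgramArguments, no RunAtLoad, protected directory.
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": [os.path.join(tight, "backupd"), "--daemon"],
            "StartInterval": 3600},
    }
    for name, content in jobs.items():
        with open(os.path.join(daemons, name), "wb") as f:
            plistlib.dump(content, f)
    return daemons


def run_demo():
    """Build the fixture in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return audit_launch_daemons(build_fixture(root))


if __name__ == "__main__":
    for finding in run_demo():
        print("FLAG" if finding["issues"] else "ok  ", finding["file"],
              finding["executable"], "RunAtLoad=%s" % finding["run_at_load"])
        for issue in finding["issues"]:
            print("      -", issue)
```

Running it flags the com.apple.softwareupdated job twice (its directory is world-writable and its label claims to be Apple's outside /System/Library/LaunchDaemons) and leaves com.example.backup clean. The sticky-bit exception in other_can_write matters in practice: /tmp is 1777 and should not raise an alert on its own, whereas a package manager that has chmod'ed /usr/local/bin to 0777 should.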
Associated Software (10)
| ID | Name | Type | Context |
|---|---|---|---|
| S1219 | REPTILE | Malware | The [REPTILE](https://attack.mitre.org/software/S1219) launcher can daemonize a process.(Citation: Google Cloud Mandiant UNC3886 2024) |
| S0690 | Green Lambert | Malware | [Green Lambert](https://attack.mitre.org/software/S0690) can add a plist file in the `Library/LaunchDaemons` to establish persistence.(Citation: Objec... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) will create a daemon for timed check-ins with command and control infrastructure.(Citation: NCSC... |
| S0595 | ThiefQuest | Malware | When running with root privileges after a [Launch Agent](https://attack.mitre.org/techniques/T1543/001) is installed, [ThiefQuest](https://attack.mitr... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) adds plist files with the naming format <code>com.[random_name].plist</code> in the <code>/Librar... |
| S0352 | OSX_OCEANLOTUS.D | Malware | If running with <code>root</code> permissions, [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can create a persistence file in the folder... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) can persist via a LaunchDaemon.(Citation: MacKeeper Bundlore Apr 2019) |
| S0497 | Dacls | Malware | [Dacls](https://attack.mitre.org/software/S0497) can establish persistence via a Launch Daemon.(Citation: SentinelOne Lazarus macOS July 2020)(Citatio... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to... |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has placed a plist file within the <code>LaunchDaemons</code> folder and launched it manually.(Ci... |
References
- Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
- Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.
- Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
- Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.
- Phil Stokes. (2019, June 17). How Malware Persists on macOS. Retrieved September 10, 2019.
Frequently Asked Questions
What is T1543.004 (Launch Daemon)?
T1543.004 is a MITRE ATT&CK technique named 'Launch Daemon'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework use...
How can T1543.004 be detected?
Detection of T1543.004 (Launch Daemon) centres on endpoint telemetry rather than network traffic: monitor for plist files created or modified in /Library/LaunchDaemons/ (and /System/Library/LaunchDaemons/), for launchctl being used to load a daemon that was not installed by a known package, and for root processes started at boot whose executable sits in a world-writable directory such as /usr/local/bin. File-integrity monitoring and EDR file and process events feed SIEM rules for these paths; periodic audits that compare installed daemon plists and their executables' permissions against a known-good baseline catch both newly installed daemons and hijacked executables of existing ones.
What mitigations exist for T1543.004?
There are 2 documented mitigations for T1543.004. Key mitigations include: User Account Management, Audit.
Which threat groups use T1543.004?
This page records no group-level entries for T1543.004; the Associated Software table above lists the malware families reported to use it (REPTILE, Green Lambert, COATHANGER, ThiefQuest, LoudMiner, OSX_OCEANLOTUS.D, Bundlore, Dacls, XCSSET, AppleJeus). Check the MITRE ATT&CK website for current group attribution.