Launch Agent/Daemon Execution Via Launchctl

 1title: Launch Agent/Daemon Execution Via Launchctl
 2id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
 3status: test
 4description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
 7    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
 8    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
 9    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
10    - https://www.loobins.io/binaries/launchctl/
11author: Pratinav Chandra
12date: 2024-05-13
13tags:
14    - attack.privilege-escalation
15    - attack.execution
16    - attack.persistence
17    - attack.t1569.001
18    - attack.t1543.001
19    - attack.t1543.004
20logsource:
21    category: process_creation
22    product: macos
23detection:
24    selection:
25        Image|endswith: '/launchctl'
26        CommandLine|contains:
27            - 'submit'
28            - 'load'
29            - 'start'
30    condition: selection
31falsepositives:
32    - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
33level: medium

References

• atomic-red-team/atomics/T1569.001/T1569.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• 20 Common Tools & Techniques Used by macOS Threat Actors & Malware - SentinelLabs

  

  Threat hunting on macOS? These are the tools malware most often leverages, with ITW examples, MITRE behavioral indicators and links to further research.

  
  Read More

• Mac cryptocurrency trading application rebranded, bundled with malware

  

  ESET researchers uncover websites distributing malicious cryptocurrency trading applications for Mac, with the malware used to steal information such as browser cookies, cryptocurrency wallets and screen captures.

  
  Read More

• New MacOS Backdoor Linked to OceanLotus Found

  

  We identified a MacOS backdoor that we believe is the latest version of a threat used by OceanLotus, a group responsible for launching targeted attacks against human rights organizations, media organizations, research institutes, and more.

  
  Read More

• launchctl

  

  Interact with LaunchAgents and LaunchDaemons.

  
  Read More

Related rules

• Potential Persistence Via PlistBuddy
• AWS IAM S3Browser LoginProfile Creation
• AWS IAM S3Browser Templated S3 Bucket Policy Creation
• AWS IAM S3Browser User or AccessKey Creation
• ChromeLoader Malware Execution