Skip to content

Latest commit

 

History

History
48 lines (27 loc) · 2.23 KB

T1053.004.md

File metadata and controls

48 lines (27 loc) · 2.23 KB

T1053.004 - Launchd

Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.

Atomic Tests


Atomic Test #1 - Event Monitor Daemon Persistence

This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
script_location evil plist location path $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
script_destination Path where to move the evil plist path /etc/emond.d/rules/atomicredteam_T1053_004.plist
empty_file Random name of the empty file used to trigger emond service string randomflag

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}

Cleanup Commands:

sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}