System Services: Launchctl

ID Name
T1569.001 Launchctl
T1569.002 Service Execution

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1]

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons.[2][3]

ID: T1569.001
Sub-technique of:  T1569
Tactic: Execution
Platforms: macOS
Permissions Required: User, root
Version: 1.1
Created: 10 March 2020
Last Modified: 15 October 2021

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has loaded a plist file using the launchctl command.[4]

S0274 Calisto

Calisto uses launchctl to enable screen sharing on the victim’s machine.[5]

S0451 LoudMiner

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.[6]

S0658 XCSSET

XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.[7]

Mitigations

ID Mitigation Description
M1018 User Account Management

Prevent users from installing their own launch agents or launch daemons.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0009 Process Process Creation
DS0019 Service Service Creation

Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders.

Monitor command-line execution of the launchctl command immediately followed by abnormal network connections. Launch Agents or Launch Daemons with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious.

When removing Launch Agents or Launch Daemons ensure the services are unloaded prior to deleting plist files.

References