Launchctl

Information

• Name: Launchctl

• ID: T1569.001

• Tactics: TA0002

• Technique: T1569

Introduction

Launchctl (T1569.001) is a sub-technique within MITRE ATT&CK's Execution tactic, specifically categorized under System Services (T1569). Launchctl is a built-in macOS utility used to manage LaunchDaemons and LaunchAgents, which are responsible for initiating system-level and user-level services, respectively. Attackers frequently exploit launchctl to execute malicious scripts or binaries persistently or to escalate privileges by configuring malicious tasks that run automatically at system startup or user login.

Deep Dive Into Technique

Launchctl is a command-line utility native to macOS, used to control and manage LaunchDaemons and LaunchAgents, which are plist-based configuration files located in specific directories:

• System-level LaunchDaemons:

  • /Library/LaunchDaemons/

  • /System/Library/LaunchDaemons/

• User-level LaunchAgents:

  • /Library/LaunchAgents/

  • ~/Library/LaunchAgents/

Attackers leverage launchctl by placing malicious plist files into these directories or modifying existing legitimate plist files. Common execution methods include:

• Creating new plist files containing paths to malicious scripts or binaries.

• Modifying existing plist files to execute additional malicious payloads.

• Using launchctl load commands to register the malicious plist files immediately.

• Ensuring persistence by configuring plist files to execute payloads at system boot or user login.

• Manipulating plist entries to escalate privileges by running scripts or binaries as root through LaunchDaemons.

Attackers may use the following commands to interact with launchctl:

• Load a malicious plist:

  Copy

  launchctl load /Library/LaunchDaemons/com.example.malicious.plist

• Unload an existing plist (for stealth or disabling security tools):

  Copy

  launchctl unload /Library/LaunchDaemons/com.apple.security.plist

• List currently loaded services:

  Copy

  launchctl list

When this Technique is Usually Used

Attackers typically utilize launchctl at various stages of an attack lifecycle, including:

• Persistence:

  • Ensuring malicious scripts or binaries execute automatically upon system reboot or user login.

  • Maintaining long-term foothold within compromised systems.

• Privilege Escalation:

  • Leveraging LaunchDaemons to execute payloads with root privileges, bypassing normal user restrictions.

• Execution:

  • Immediate execution of malicious payloads or scripts through launchctl commands.

• Defense Evasion:

  • Disabling or unloading legitimate security tools or monitoring agents to reduce detection risks.

Scenarios where launchctl is commonly employed include:

• Initial compromise: Attackers may quickly establish persistence after initial access.

• Post-exploitation: Attackers maintain persistence or escalate privileges after gaining initial foothold.

• Lateral movement: Attackers deploying malicious agents or scripts to facilitate movement to other systems within macOS environments.

How this Technique is Usually Detected

Detection methods for launchctl abuse include:

• Monitoring filesystem events:

  • Identify unexpected creation or modification of plist files in sensitive directories:

    • /Library/LaunchDaemons/

    • /Library/LaunchAgents/

    • ~/Library/LaunchAgents/

• Analyzing command-line audit logs:

  • Detect suspicious execution of launchctl load or launchctl unload commands.

  • Monitor for unusual interactions with launchctl by uncommon or unauthorized users.

• Endpoint Detection and Response (EDR) tools:

  • Detect anomalous processes spawned by launchd (parent process of launchctl-managed services).

  • Alert on suspicious plist file creations or modifications and execution behaviors.

• Reviewing system logs:

  • /var/log/system.log and audit logs for launchctl-related entries.

  • macOS unified logging (log command) can provide detailed events related to launchctl usage.

Specific Indicators of Compromise (IoCs):

• Presence of unknown or suspicious plist files in LaunchDaemons or LaunchAgents directories.

• Unexpected processes running persistently after reboot or login.

• Unusual launchctl commands executed from users or contexts that normally do not use this utility.

Why it is Important to Detect This Technique

Detecting malicious use of launchctl is crucial due to several potential impacts:

• Persistent access:

  • Attackers can maintain long-term footholds, complicating remediation efforts.

  • Persistent threats lead to extended data exfiltration, espionage, or sabotage activities.

• Privilege escalation risks:

  • Exploitation of LaunchDaemons can grant attackers root-level privileges, significantly increasing the severity of an intrusion.

  • Elevated privileges allow attackers to disable security controls, install rootkits, or deeply embed malware.

• Defense evasion:

  • Attackers can unload or disable security monitoring tools, significantly reducing visibility and response capabilities.

  • Early detection prevents attackers from establishing stealthy persistence mechanisms.

• Operational disruption:

  • Malicious launchctl configurations can affect system stability, causing performance degradation or service outages.

  • Compromised LaunchDaemons can disrupt critical system services, leading to downtime or data loss.

Early detection and response reduce the attacker's dwell time, limit damage, and prevent deeper compromise of sensitive systems and networks.

Examples

Real-world examples demonstrating malicious use of launchctl include:

• OSX.Dok malware:

  • Attackers used launchctl to load malicious LaunchAgents, establishing persistent access.

  • Malware installed fake root certificates and intercepted HTTPS traffic.

  • Impact: Credential theft, sensitive data exfiltration, and compromised network security.

• OSX/Linker malware:

  • Leveraged launchctl to persistently execute malicious payloads upon user login.

  • Malware delivered second-stage payloads that collected sensitive information and communicated with command-and-control (C2) servers.

  • Impact: Persistent backdoor access, data exfiltration, and compromised user privacy.

• Shlayer malware:

  • Utilized launchctl to register LaunchAgents executing malicious scripts downloading additional payloads.

  • Malware spread via malicious advertisements and fake software updates.

  • Impact: Installation of adware, spyware, and further malware distribution.

• XCSSET malware:

  • Injected malicious LaunchAgents via launchctl commands to persistently execute payloads.

  • Targeted developers' systems, stealing credentials, sensitive files, and injecting malicious code into software projects.

  • Impact: Data theft, compromised development environments, and potential supply chain attacks.

These examples highlight the critical role of launchctl in macOS-based attacks, underscoring the importance of robust monitoring and detection mechanisms to identify and mitigate threats effectively.