Launch Daemon

Information

• Name: Launch Daemon

• ID: T1543.004

• Tactics: TA0003, TA0004

• Technique: T1543

Introduction

Launch Daemon (T1543.004) is a persistence sub-technique within the MITRE ATT&CK framework, specifically categorized under the "Create or Modify System Process" technique (T1543). Attackers leverage Launch Daemons on macOS systems to establish persistence by configuring scripts or binaries to execute automatically at system startup or at scheduled intervals. Launch Daemons run with elevated privileges, typically as root, making this method particularly attractive for adversaries seeking to maintain long-term access to compromised systems.

Deep Dive Into Technique

Launch Daemons are system-level services on macOS that run in the background independently of user logins. These daemons are managed by the launchd process, which is responsible for loading and maintaining system-wide and user-specific services.

Technical aspects of Launch Daemons include:

• Configuration Files:

  • Launch Daemons are defined by property list files (plist files) stored in specific directories:

    • /Library/LaunchDaemons/ (system-wide)

    • /System/Library/LaunchDaemons/ (system-critical, typically protected by System Integrity Protection)

  • These plist files specify the executable or script to run, execution intervals, triggers, and environment variables.

• Privileges and Execution Context:

  • Launch Daemons typically execute as root, granting attackers significant privileges if exploited.

  • Malicious actors often place custom plist files in /Library/LaunchDaemons/ to ensure persistence across reboots.

• Execution Triggers:

  • Daemons can be configured to execute at system startup, at specific time intervals, or upon certain system events.

  • Attackers may configure daemons to execute malicious payloads regularly or upon specific events to maintain persistence and stealth.

• Common Tools and Commands:

  • Attackers may use standard macOS command-line utilities such as launchctl to load, unload, or manage malicious daemons.

  • Malicious payloads often include scripts, binaries, or obfuscated commands.

When this Technique is Usually Used

Attackers typically leverage Launch Daemons in various stages of the attack lifecycle, particularly during:

• Persistence Stage:

  • Establishing long-term access to compromised macOS systems.

  • Ensuring that malicious payloads survive system reboots.

• Privilege Escalation and Lateral Movement:

  • Launch Daemons execute as root, providing attackers with elevated privileges and facilitating further exploitation or lateral movement.

• Command and Control (C2) Operations:

  • Regularly executing scripts or binaries to maintain communication with attacker-controlled servers.

• Data Exfiltration and Reconnaissance:

  • Periodically executing scripts that collect sensitive data, system information, or credentials.

How this Technique is Usually Detected

Detection of malicious Launch Daemons can be achieved through various methods and tools:

• File System Monitoring:

  • Monitor creation or modification of plist files in /Library/LaunchDaemons/ and /System/Library/LaunchDaemons/.

  • Tools such as Endpoint Detection and Response (EDR) solutions, File Integrity Monitoring (FIM), or auditd logging can detect suspicious file writes.

• Process Execution Monitoring:

  • Monitor processes spawned by launchd, especially those running as root or with unusual parameters.

  • Tools such as macOS built-in utilities (e.g., Activity Monitor, ps, launchctl list) or advanced endpoint security solutions.

• Behavioral Analysis:

  • Identify anomalous behaviors such as unexpected network connections, unusual scheduled tasks, or suspicious file accesses.

  • Employ behavioral analytics or machine learning-driven threat detection platforms.

• Logging and Auditing:

  • Review system logs, particularly /var/log/system.log or unified logging (log show) for anomalies related to launchd or plist files.

  • Examine audit records (auditd) for suspicious launchctl commands or file modifications.

• Indicators of Compromise (IoCs):

  • Unexpected or unusual plist files in /Library/LaunchDaemons/.

  • Suspicious executable files or scripts referenced by plist files.

  • Unusual network connections or C2 communication patterns initiated by launchd-managed processes.

Why it is Important to Detect This Technique

Early detection of malicious Launch Daemons is critical due to several potential impacts:

• Persistent Access:

  • Attackers gain continuous, privileged access to compromised systems, enabling prolonged espionage, data theft, or sabotage.

• Privilege Escalation:

  • Daemons typically run as root, allowing attackers to escalate privileges, bypass security controls, and perform further exploitation.

• Stealth and Evasion:

  • Malicious daemons can quietly execute payloads in the background, making detection challenging without proper monitoring.

• Data Exfiltration:

  • Attackers can regularly harvest sensitive data, credentials, or intellectual property, causing severe financial or reputational damage.

• System Stability and Security Risks:

  • Unauthorized daemons can introduce instability, degrade performance, or lead to further security vulnerabilities.

Detecting malicious Launch Daemons promptly allows security teams to mitigate threats before attackers cause significant harm or establish deeper footholds within the network.

Examples

Real-world examples and attack scenarios involving Launch Daemons include:

• OSX/Shlayer Malware:

  • Shlayer has used Launch Daemons to persistently execute malicious payloads, often disguised as legitimate software updates or installers.

  • Attackers create malicious plist files in /Library/LaunchDaemons/ to execute scripts that download additional malware or adware.

• FruitFly Malware:

  • FruitFly malware leveraged Launch Daemons to maintain persistence and execute remote commands on infected macOS systems.

  • It performed surveillance, keystroke logging, webcam access, and data exfiltration.

• OSX.Dok Malware:

  • OSX.Dok malware created malicious Launch Daemons to establish persistence and install man-in-the-middle proxies to intercept encrypted traffic.

  • Attackers used this persistence mechanism to continuously monitor and exfiltrate sensitive user data.

• OceanLotus (APT32):

  • The OceanLotus group utilized Launch Daemons to persistently execute backdoors and maintain access on compromised macOS endpoints.

  • Attackers installed malicious plist files referencing custom binaries designed for espionage and data exfiltration.

In each scenario, attackers leveraged Launch Daemons' privileged execution and persistence capabilities to maintain long-term stealthy access, conduct espionage, and exfiltrate sensitive information, underscoring the importance of monitoring and detecting this sub-technique.