Common Information

Type | Value |
---|---|
Value | Launch Daemon - T1160 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in `/System/Library/LaunchDaemons` and `/Library/LaunchDaemons` (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation. |
Detection | Monitor Launch Daemon creation through additional plist files and utilities such as Objective-See's KnockKnock application. |
Platforms | macOS |
Data Sources | Process Monitoring, File monitoring |
Effective Permissions | root |
Permissions Required | Administrator |
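
A defender-side audit of the weak-configuration case described above (the plist is root:wheel, but the program it points to can be altered by a non-root user), written here as an added example; it is not part of the MISP record or MITRE's text. Only the Python standard library is used; the sample plist, its paths and its ownership values are constructed for the demonstration.

```python
import os
import plistlib
import stat

LAUNCH_DAEMON_DIRS = ["/Library/LaunchDaemons", "/System/Library/LaunchDaemons"]

def program_path(plist):
    """Executable the daemon runs: Program takes precedence over ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def weak_permissions(uid, gid, mode):
    """Findings when ownership or mode let a non-root user alter the file."""
    checks = [(uid != 0, f"owned by uid {uid}, not root"), (gid != 0, f"group gid {gid}, not wheel"),
              (mode & stat.S_IWGRP, "group-writable"), (mode & stat.S_IWOTH, "world-writable")]
    return [msg for bad, msg in checks if bad]

def audit_plist(plist_path, plist_bytes, stat_of):
    """stat_of(path) -> (uid, gid, mode) or None; injected so the logic also runs on constructed data."""
    findings = [f"{plist_path}: plist {f}" for f in weak_permissions(*(stat_of(plist_path) or (0, 0, 0)))]
    exe = program_path(plistlib.loads(plist_bytes))
    if exe is None:
        return findings + [f"{plist_path}: no Program/ProgramArguments"]
    st = stat_of(exe)
    if st is None:  # dangling target: a path anyone can create is as risky as a writable one
        return findings + [f"{plist_path}: target {exe} missing"]
    return findings + [f"{plist_path}: target {exe} {f}" for f in weak_permissions(*st)]

def fs_stat(path):
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return st.st_uid, st.st_gid, st.st_mode

# Constructed sample, not a real daemon: the plist is root:wheel, but the script it runs is owned by uid 501 and world-writable.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/Shared/updater.sh</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_STATS = {"/Library/LaunchDaemons/com.example.updater.plist": (0, 0, 0o100644),
                "/Users/Shared/updater.sh": (501, 20, 0o100777)}

if __name__ == "__main__":  # live scan of the real daemon directories
    for d in LAUNCH_DAEMON_DIRS:
        for name in (n for n in os.listdir(d) if n.endswith(".plist")) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            print(*audit_plist(path, open(path, "rb").read(), fs_stat), sep="\n")
```

Run on a macOS host it lists every daemon whose plist or target binary is not root:wheel or is group/world-writable; `audit_plist(..., SAMPLE_STATS.get)` shows the same logic on the constructed sample.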
Details | Source | Published | Attributes | Title | CTI |
---|---|---|---|---|---|
Details | Website | 2024-10-08 | 0 | Mastering Mobile Device Management with Jamf: tips for admins | |
Details | Website | 2024-10-02 | 7 | How to install Wireshark on Mac M1, M2, M3 | |
Details | Website | 2024-09-17 | 2 | macOS Sequoia \| What’s New in Privacy and Security for Enterprise? | |
Details | Website | 2024-08-13 | 22 | Objective-See: Blog | |
Details | Website | 2024-01-01 | 113 | The Mac Malware of 2023 👾 | |
Details | Website | 2023-10-13 | 7 | Don’t Talk All at Once! Elevating Privileges on macOS by Audit Token Spoofing | |
Details | Website | 2023-03-01 | 138 | Hunting for Honkbox \| Multistage macOS Cryptominer May Still Be Hiding | |
Details | Website | 2023-02-28 | 19 | Investigating MacOS with Osquery | |
Details | Website | 2023-02-23 | 80 | Beware of macOS cryptojacking malware. | |
Details | Website | 2023-01-01 | 123 | The Mac Malware of 2022 👾 | |
Details | Website | 2022-11-16 | 21 | Pilfered Keys Free App Infected by Malware Steals Keychain Data | |
Details | Website | 2022-11-16 | 20 | Pilfered Keys Free App Infected by Malware Steals Keychain Data | |
Details | Website | 2022-10-05 | 29 | SafeBreach Coverage for US-CERT Alert (AA22-277A) – Use of Impacket and CovalentStealer to Steal Sensitive Data | |
Details | Website | 2022-07-19 | 22 | I see what you did there: A look at the CloudMensis macOS spyware \| WeLiveSecurity | |
Details | Website | 2022-05-06 | 9 | How CrowdStrike Analyzes macOS Malware to Optimize Automated Detection | |
Details | Website | 2022-02-21 | 24 | Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network | |
Details | Website | 2022-01-01 | 55 | The Mac Malware of 2021 👾 | |
Details | Website | 2021-12-22 | 17 | Where's the Interpreter!? (CVE-2021-30853) | |
Details | Website | 2021-12-21 | 15 | Sandbox escape + privilege escalation in StorePrivilegedTaskService | |
Details | Website | 2021-11-14 | 17 | What does APT Activity Look Like on MacOS? | |
Details | Website | 2021-08-11 | 302 | Massive New AdLoad Campaign Goes Entirely Undetected By Apple's XProtect - SentinelLabs | |
Details | Website | 2021-06-04 | 9 | OSX/Hydromac | |
Details | Website | 2021-06-03 | 8 | OSX/Hydromac: A new macOS malware leaked from a Flashcards app | |
Details | Website | 2021-01-01 | 60 | The Mac Malware of 2020 👾 | |
Details | Website | 2020-12-10 | 3 | Detecting SSH Activity via Process Monitoring | |