Adversaries may abuse the `launchd` daemon to perform task scheduling for initial or recurring execution of malicious code. The `launchd` daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in `/System/Library/LaunchDaemons` and `/Library/LaunchDaemons` (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

An adversary may use the `launchd` daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. `launchd` can also be abused to run a process under the context of a specified account. Daemons, such as `launchd`, run with the permissions of the root user account, and will operate regardless of which user account is logged in.
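The description above turns on what a LaunchDaemon plist points to. As an added example (not Atomic Red Team's or Apple's code), the following Python audit parses a constructed launchd plist and reports the properties a defender triages on: every executable path on the command line, `RunAtLoad`, and the recurring-schedule keys. The sample plist, its label and its paths are constructed, and the trusted/writable prefix lists are my assumptions.

```python
import plistlib

# Constructed sample (not a real artifact): a LaunchDaemon-style plist with the keys
# the text describes: a Label, the executable to launch, and a run-at-boot schedule.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string><string>-c</string><string>/tmp/.hidden/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict>
</plist>
"""

# Assumed lists: where daemon executables normally live, and temp/shared paths that
# unprivileged users can write to (a common home for dropped payloads).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def audit_launchd_plist(data: bytes) -> dict:
    """Parse one launchd plist and report what a triage analyst needs to see."""
    plist = plistlib.loads(data)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    # 'Program' wins when present; otherwise argv[0] of ProgramArguments is the binary.
    program = str(plist.get("Program") or (args[0] if args else ""))
    findings: list[str] = []
    # Check every absolute path on the command line, not only argv[0]: a job that
    # runs "/bin/sh -c /some/script" keeps its real payload in a later argument.
    for path in [p for p in [program] + args[1:] if p.startswith("/")]:
        if path.startswith(WRITABLE_PREFIXES):
            findings.append(f"executable in user-writable location: {path}")
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"executable outside standard locations: {path}")
        if any(part.startswith(".") for part in path.split("/") if part):
            findings.append(f"hidden path component: {path}")
    schedule: list[str] = []
    if plist.get("RunAtLoad"):
        schedule.append("RunAtLoad: starts at boot without user action")
    for key in ("StartInterval", "StartCalendarInterval"):
        if key in plist:
            schedule.append(f"{key}: recurring execution")
    return {"label": str(plist.get("Label", "")), "program": program,
            "findings": findings, "schedule": schedule, "suspicious": bool(findings)}
```

Run it over every plist in the two LaunchDaemons directories named above and review any entry whose `suspicious` flag is set; `schedule` is informational, since legitimate daemons also use `RunAtLoad`.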
This test adds persistence via a plist that is executed by the macOS Event Monitor Daemon (emond).
Supported Platforms: macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist |
| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist |
| empty_file | Random name of the empty file used to trigger emond service | string | randomflag |
```sh
# Install the emond rule plist and create the trigger file that starts emond
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}

# Cleanup: remove the rule plist and the trigger file
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
```