Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include `launchctl load`, `launchctl unload`, and `launchctl start`. Adversaries can use scripts or manually run commands such as `launchctl load -w "%s/Library/LaunchAgents/%s"` (the `%s` placeholders are format-string slots the adversary's code fills in at runtime) or `/bin/launchctl load` to execute Launch Agents or Launch Daemons. Note that `load` and `unload` are the legacy spellings of these operations; current versions of launchctl also expose `bootstrap`, `bootout`, and `kickstart`, so a detection keyed only on the `load` subcommand will miss an adversary who uses the newer syntax.
| ID | Mitigation | Description |
| --- | --- | --- |
| M1018 | User Account Management | Prevent users from installing their own launch agents or launch daemons. The system-wide `/Library/LaunchDaemons` and `/Library/LaunchAgents` directories are only writable as root, so withholding administrative rights blocks that path; any user can still write to their own `~/Library/LaunchAgents`, so per-user agents need monitoring rather than a permission control. |
Every Launch Agent and Launch Daemon must have a corresponding plist file on disk, which can be monitored. Monitor for recently modified or created plist files, and for a significant change to a job's executable path, that are then loaded with the command-line `launchctl` command. Plist files are located in the LaunchAgents and LaunchDaemons directories at the root, system, and user levels (`/Library/LaunchAgents`, `/Library/LaunchDaemons`, `/System/Library/LaunchAgents`, `/System/Library/LaunchDaemons`, and `~/Library/LaunchAgents`).

Monitor command-line execution of the `launchctl` command immediately followed by abnormal network connections. Launch Agents or Launch Daemons with executable paths pointing to `/Shared` folder locations (for example `/Users/Shared`, which is world-writable) are potentially suspicious.
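Added example (not part of the ATT&CK page and not any vendor's tool): a Python script that puts both the technique description and the detection guidance above into code. It writes two constructed sample jobs, the kind an adversary would register with `launchctl load -w`, into a temporary directory, then applies the detection logic: parse each plist, pull the executable out of `Program`/`ProgramArguments`, flag executables under shared or temporary locations, flag recently written plists, diff executable paths against an earlier snapshot, and pick `launchctl` invocations out of constructed process-creation log lines. The suspicious-location list, the log-line format, and the sample jobs are assumptions made for illustration; the launchd directory paths and plist keys are the standard macOS ones.

```python
"""Added example: find suspicious launchd jobs and launchctl use (not MITRE code)."""
import glob
import os
import plistlib
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Root-, system- and user-level directories that launchd reads jobs from.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
                *glob.glob("/Users/*/Library/LaunchAgents")]
# Assumption: locations a legitimate job rarely runs from (tune per environment).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Shared/")
# Matches "launchctl <subcommand> <rest>" wherever it appears in a command line.
LAUNCHCTL_RE = re.compile(r"(?:^|[^\w.-])launchctl\s+(\w+)(.*)$")


def program_path(job: dict) -> Optional[str]:
    """Executable launchd would run: the Program key, else ProgramArguments[0]."""
    prog = job.get("Program")
    if isinstance(prog, str) and prog:
        return prog
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def inspect_plist(path: Path, recent_seconds: Optional[int] = None) -> dict:
    """Parse one job plist and list why it looks suspicious (empty list: nothing found)."""
    reasons: List[str] = []
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # a file launchd cannot parse is itself worth a look
        return {"file": str(path), "label": None, "exec": None, "reasons": [f"unparseable: {exc}"]}
    exe = program_path(job)
    if exe is None:
        reasons.append("no Program/ProgramArguments")
    elif not os.path.isabs(exe):
        reasons.append(f"relative executable path: {exe}")
    elif exe.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"executable in suspicious location: {exe}")
    if recent_seconds is not None and time.time() - path.stat().st_mtime < recent_seconds:
        reasons.append(f"plist created or modified within the last {recent_seconds}s")
    return {"file": str(path), "label": job.get("Label"), "exec": exe, "reasons": reasons}


def _plists(dirs: Iterable[str]):
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            yield from sorted(p.glob("*.plist"))


def scan_dirs(dirs=LAUNCHD_DIRS, recent_seconds: Optional[int] = None) -> List[dict]:
    """Inspect every *.plist under dirs; return only the entries with findings."""
    results = (inspect_plist(p, recent_seconds) for p in _plists(dirs))
    return [r for r in results if r["reasons"]]


def snapshot(dirs=LAUNCHD_DIRS) -> Dict[str, str]:
    """Label -> executable for every parseable job; keep it as a baseline to diff later."""
    rows = (inspect_plist(p) for p in _plists(dirs))
    return {r["label"]: r["exec"] for r in rows if r["label"] and r["exec"]}


def changed_executables(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Jobs whose executable path is new or differs from the baseline snapshot."""
    return [{"label": k, "old": baseline.get(k), "new": v}
            for k, v in sorted(current.items()) if baseline.get(k) != v]


def launchctl_events(log_lines: Iterable[str]) -> List[dict]:
    """Pick launchctl invocations (and the plist they name, if any) out of log lines."""
    hits = []
    for line in log_lines:
        m = LAUNCHCTL_RE.search(line)
        if not m:
            continue
        plist = re.search(r"\S+\.plist", m.group(2))
        hits.append({"subcommand": m.group(1), "plist": plist.group(0) if plist else None,
                     "line": line.strip()})
    return hits


def make_sample_dir() -> str:
    """Constructed sample data: one benign job and one that runs from /Users/Shared."""
    jobs = {
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
                                      "ProgramArguments": ["/usr/local/bin/updater", "--check"]},
        "com.example.helper.plist": {"Label": "com.example.helper", "RunAtLoad": True,
                                     "KeepAlive": True,
                                     "ProgramArguments": ["/Users/Shared/.cache/helper", "--daemon"]},
    }
    d = tempfile.mkdtemp(prefix="launchd-sample-")
    for name, job in jobs.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(job, fh)
    return d


SAMPLE_LOG = [  # constructed process-creation events, not real telemetry
    "2024-05-01T12:00:01 uid=501 cmd=/bin/launchctl load -w /Users/alice/Library/LaunchAgents/com.example.helper.plist",
    "2024-05-01T12:00:02 uid=501 cmd=/Users/Shared/.cache/helper --daemon",
    "2024-05-01T12:03:10 uid=501 cmd=launchctl list",
    "2024-05-01T12:04:00 uid=0 cmd=/usr/bin/open /Applications/Safari.app",
]

if __name__ == "__main__":
    sample = make_sample_dir()
    for f in scan_dirs([sample], recent_seconds=86400):
        print(f["label"], f["reasons"])
    for e in launchctl_events(SAMPLE_LOG):
        print(e["subcommand"], e["plist"])
```

Run as-is it only touches its own temporary directory; to check a real host, call `scan_dirs()` and `snapshot()` with the defaults, store the snapshot, and feed it to `changed_executables()` on the next run so that a job whose executable path moved (say, from `/usr/local/bin` to `/Users/Shared`) is reported even when the plist name and label are unchanged. Correlating the `launchctl` events with network connections from the loaded executable, as the guidance recommends, needs a second data source and is left to the SIEM.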