Scheduled Task/Job: Launchd
Other sub-techniques of Scheduled Task/Job (7)
This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.
Adversaries may abuse the Launchd
daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd
daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons
and /Library/LaunchDaemons
(Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).
An adversary may use the launchd
daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd
can also be abused to run a process under the context of a specified account. Daemons, such as launchd
, run with the permissions of the root user account, and will operate regardless of which user account is logged in.
Контрмеры |
|
Контрмера | Описание |
---|---|
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Launch Daemon Mitigation |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons. |
Обнаружение
Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.