System Services: Launchctl
Other sub-techniques of System Services (2)
| ID | Name |
|---|---|
| .001 | Launchctl |
| .002 | Service Control Manager |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include `launchctl load`, `launchctl unload`, and `launchctl start`. Adversaries can use scripts or manually run the commands `launchctl load -w "%s/Library/LaunchAgents/%s"` or `/bin/launchctl load` to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
Procedure Examples

| Name | Description |
|---|---|
| LoudMiner | LoudMiner launched the QEMU services in the |
| AppleJeus | AppleJeus has loaded a plist file using the |
| macOS.OSAMiner | macOS.OSAMiner has used `launchctl` to restart the Launch Agent.(Citation: SentinelLabs reversing run-only applescripts 2021) |
| XCSSET | XCSSET loads a system level launchdaemon using the |
| Calisto | Calisto uses launchctl to enable screen sharing on the victim's machine.(Citation: Securelist Calisto July 2018) |
Mitigations

| Mitigation | Description |
|---|---|
| User Account Management | Manage the creation, modification, use, and permissions associated to user accounts. |
Detection

Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line `launchctl` command. Plist files are located in the root, system, and users `/Library/LaunchAgents` or `/Library/LaunchDaemons` folders.

Monitor command-line execution of the `launchctl` command immediately followed by abnormal network connections. Launch Agents or Launch Daemons with executable paths pointing to `/tmp` and `/Shared` folder locations are potentially suspicious.

When removing Launch Agents or Launch Daemons, ensure the services are unloaded prior to deleting plist files.
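The two detection ideas above (inspect the plist files that back every Launch Agent and Launch Daemon for executables in `/tmp` or `/Shared`, and watch command lines for `launchctl load` of a plist) as a worked example. This is added illustration code, not part of the ATT&CK page or of any of the cited tools; the directory list, the suspicious-prefix list, the sample plists and the process-execution log lines are constructed here for the example.

```python
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Standard locations of Launch Agents/Daemons (root and system; per-user
# folders are found by expanding each home directory, see scan_directories).
LAUNCH_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path("/System/Library/LaunchAgents"),
    Path("/System/Library/LaunchDaemons"),
]

# Executable locations the detection guidance calls out as potentially
# suspicious. "/private/tmp" is what "/tmp" resolves to on macOS (assumption:
# the prefix list is this example's own choice and can be extended).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/Shared/", "/Users/Shared/")


def executable_of(job: dict) -> Optional[str]:
    """Return the path launchd will run: 'Program' wins, else ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def inspect_plist(data: bytes) -> Dict[str, object]:
    """Parse one launchd plist and flag executables living in suspicious folders."""
    job = plistlib.loads(data)
    exe = executable_of(job)
    return {
        "label": job.get("Label"),
        "executable": exe,
        "suspicious": exe is not None and exe.startswith(SUSPICIOUS_PREFIXES),
    }


def scan_directories(dirs: List[Path] = LAUNCH_DIRS) -> List[Dict[str, object]]:
    """Inspect every *.plist under the given folders plus each user's LaunchAgents."""
    targets = list(dirs) + [p / "Library" / "LaunchAgents" for p in Path("/Users").glob("*")]
    findings = []
    for d in targets:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                report = inspect_plist(p.read_bytes())
            except Exception as exc:  # unreadable or malformed plist is itself worth noting
                report = {"label": None, "executable": None, "suspicious": False, "error": str(exc)}
            report["path"] = str(p)
            findings.append(report)
    return findings


# Matches "launchctl load|unload|start [-flags] <target>" anywhere in a command
# line, so both "launchctl load -w ..." and "/bin/launchctl load ..." are caught.
LAUNCHCTL_RE = re.compile(r"\blaunchctl\s+(load|unload|start)\b((?:\s+-\w+)*)\s+(\S+)")


def extract_launchctl_jobs(log_lines: List[str]) -> List[Dict[str, str]]:
    """Pull the subcommand and target out of every launchctl load/unload/start command line."""
    hits = []
    for line in log_lines:
        m = LAUNCHCTL_RE.search(line)
        if m:
            hits.append({"subcommand": m.group(1), "target": m.group(3), "line": line})
    return hits


# Constructed sample plists: one ordinary job and one whose executable sits in /tmp.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/tmp/.cache/helper</string>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed process-execution log lines in a simple "timestamp uid cmd=" layout.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z uid=501 cmd=launchctl load -w /Users/alice/Library/LaunchAgents/com.example.helper.plist",
    "2024-03-01T10:00:03Z uid=0 cmd=/bin/launchctl load /Library/LaunchDaemons/com.example.daemon.plist",
    "2024-03-01T10:00:05Z uid=501 cmd=launchctl list",
    "2024-03-01T10:00:07Z uid=501 cmd=ls -la /tmp",
]

if __name__ == "__main__":
    for data in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(inspect_plist(data))
    for hit in extract_launchctl_jobs(SAMPLE_LOG):
        print(hit["subcommand"], hit["target"])
```

On a real host, `scan_directories()` walks the actual folders; a hit with `suspicious` set is a job whose binary lives where the page says it should not. The `extract_launchctl_jobs` output is the event to correlate with the network telemetry the page mentions: a `load` followed shortly by an unexpected outbound connection from the loaded job's executable is the pattern to alert on. When cleaning up, unload the job by its plist path first and only then delete the file, as the page notes.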
References
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.