Adversaries may abuse the <code>launchd</code> daemon to schedule initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. It loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). Each LaunchDaemon plist points to the executable that will be launched (Citation: Methods of Mac Malware Persistence). On current macOS releases <code>/System</code> resides on the read-only system volume, so a planted daemon normally lands in <code>/Library/LaunchDaemons</code>, which requires root privileges to write; the plist's <code>RunAtLoad</code>, <code>StartInterval</code> and <code>StartCalendarInterval</code> keys control whether the job runs at boot, on a fixed interval or on a calendar schedule.
An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.
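The audit below is an added example, not code from this page or from MITRE/CTID: it parses the persistence-relevant keys out of launchd plists with the standard-library <code>plistlib</code>, flags jobs whose executable lives outside an assumed set of trusted directories or that wrap a payload in a shell interpreter, and reports the root context and schedule described above. The two sample plists, their labels and paths are constructed, and <code>TRUSTED_PREFIXES</code> and <code>INTERPRETERS</code> are assumptions to tune for your own fleet.

```python
"""Audit launchd plists for the persistence pattern described above.
Added example; sample plists are constructed, allow/deny lists are assumptions."""
import os
import plistlib
import stat
from typing import Dict, List

# launchd reads system-level jobs from these; /System is read-only on current
# macOS, so a planted daemon normally appears in /Library/LaunchDaemons.
LAUNCHD_DIRS = ["/System/Library/LaunchDaemons", "/Library/LaunchDaemons"]
# Assumption: where a legitimate daemon binary is expected to live.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")
# Assumption: interpreters commonly used to wrap a payload.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3", "/usr/bin/curl"}


def parse_launchd_plist(data: bytes) -> Dict:
    """Pull the persistence-relevant keys out of an XML or binary plist."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or [])
    return {
        "label": p.get("Label", "<no Label>"),
        "program": p.get("Program") or (args[0] if args else ""),
        "args": args,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "start_interval": p.get("StartInterval"),
        "calendar": p.get("StartCalendarInterval"),
        "user": p.get("UserName"),  # a LaunchDaemon runs as root when absent
    }


def assess(entry: Dict, is_daemon: bool = True) -> List[str]:
    """Return findings for one parsed plist; an empty list means nothing flagged."""
    findings: List[str] = []
    prog = entry["program"]
    # Inspect every absolute path on the command line so `sh -c /path/payload` is seen.
    paths = [a for a in [prog] + entry["args"][1:] if a.startswith("/")]
    if prog in INTERPRETERS:
        findings.append(f"interpreter as program: {' '.join(entry['args'] or [prog])}")
    for p in paths:
        if not p.startswith(TRUSTED_PREFIXES):
            findings.append(f"path outside trusted prefixes: {p}")
    if findings:  # add execution context only when something already looks off
        if is_daemon and entry["user"] is None:
            findings.append("runs as root (LaunchDaemon without UserName)")
        if entry["run_at_load"]:
            findings.append("RunAtLoad: executes when launchd loads the plist (boot)")
        if entry["start_interval"]:
            findings.append(f"StartInterval: re-executes every {entry['start_interval']}s")
        elif entry["calendar"]:
            findings.append("StartCalendarInterval: re-executes on a calendar schedule")
    return findings


def audit_directories(dirs=LAUNCHD_DIRS) -> Dict[str, List[str]]:
    """Live-host walk of the real launchd directories; also flags plists or
    target binaries that are not root-owned or are writable by group/others."""
    report: Dict[str, List[str]] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(n for n in os.listdir(d) if n.endswith(".plist")):
            full = os.path.join(d, name)
            with open(full, "rb") as fh:
                try:
                    entry = parse_launchd_plist(fh.read())
                except Exception as exc:  # a malformed plist is itself worth a look
                    report[full] = [f"unparseable plist: {exc}"]
                    continue
            found = assess(entry)
            for path in (full, entry["program"]):
                try:
                    st = os.stat(path)
                except OSError:
                    found.append(f"missing: {path}")
                    continue
                if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    found.append(f"not root-owned or writable by others: {path}")
            if found:
                report[full] = found
    return report


# Constructed sample plists (hypothetical labels and paths, not real artifacts).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        e = parse_launchd_plist(blob)
        print(e["label"], "->", assess(e) or "clean")
    for path, f in audit_directories().items():
        print(path, f)
```

Run it as root on a macOS host to cover the real directories; the sample plists exercise the parser offline. The masquerading label in the suspicious sample is deliberate: a reverse-DNS name that looks like Apple's says nothing about the job, so the check keys on the executable path, the interpreter and the schedule rather than on the label.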
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1053.004 | Launchd |
AC-3 | Access Enforcement | Protects | T1053.004 | Launchd |
AC-5 | Separation of Duties | Protects | T1053.004 | Launchd |
AC-6 | Least Privilege | Protects | T1053.004 | Launchd |
CA-8 | Penetration Testing | Protects | T1053.004 | Launchd |
CM-5 | Access Restrictions for Change | Protects | T1053.004 | Launchd |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1053.004 | Launchd |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.004 | Launchd |
SI-4 | System Monitoring | Protects | T1053.004 | Launchd |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.004 | Scheduled Task/Job: Launchd |