T1053.004 Launchd Mappings

Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.
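For monitoring, the fields that matter in each LaunchDaemon plist are the executable it points to, the account it runs as, and what triggers it. The following is an added example, not part of the original mapping page: the helper names, the `UNUSUAL_PREFIXES` list and the sample plist are assumptions made for illustration, while the plist keys are standard `launchd.plist` keys.

```python
import plistlib
from pathlib import Path

# Directories this page names as the sources of system-level daemon plists.
DAEMON_DIRS = ("/System/Library/LaunchDaemons", "/Library/LaunchDaemons")
# Assumption: locations a reviewer treats as unusual for a daemon executable.
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
TRIGGER_KEYS = ("RunAtLoad", "StartInterval", "StartCalendarInterval", "KeepAlive")

def summarize_job(plist_bytes):
    """Extract the execution-relevant fields from one launchd property list."""
    job = plistlib.loads(plist_bytes)
    if not isinstance(job, dict):
        raise ValueError("top-level plist object is not a dictionary")
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    return {"label": job.get("Label"), "program": program, "arguments": args,
            # LaunchDaemons run as root unless UserName says otherwise.
            "user": job.get("UserName", "root"),
            "triggers": [k for k in TRIGGER_KEYS if job.get(k)]}

def review_findings(summary):
    """Return human-readable notes for entries that deserve a closer look."""
    findings, program = [], summary["program"]
    if program is None:
        findings.append("no executable declared")
    elif not program.startswith("/"):
        findings.append("executable is not an absolute path")
    elif program.startswith(UNUSUAL_PREFIXES):
        findings.append(f"{summary['user']} job runs executable from {program}")
    return findings

def scan(dirs=DAEMON_DIRS):
    """Summarize every *.plist in the given directories; unreadable files are reported."""
    results = []
    for directory in dirs:
        for path in sorted(Path(directory).glob("*.plist")):
            try:
                summary = summarize_job(path.read_bytes())
                results.append((str(path), summary, review_findings(summary)))
            except Exception as exc:  # malformed or unreadable plist
                results.append((str(path), None, [f"unparsable: {exc}"]))
    return results

# Constructed sample, not taken from any real system.
SAMPLE = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                         "ProgramArguments": ["/private/tmp/updater", "--quiet"],
                         "StartInterval": 3600})

if __name__ == "__main__":
    for path, summary, findings in scan():
        print(path, summary, findings)
```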



| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.004 | Launchd |
| AC-3 | Access Enforcement | Protects | T1053.004 | Launchd |
| AC-5 | Separation of Duties | Protects | T1053.004 | Launchd |
| AC-6 | Least Privilege | Protects | T1053.004 | Launchd |
| CA-8 | Penetration Testing | Protects | T1053.004 | Launchd |
| CM-5 | Access Restrictions for Change | Protects | T1053.004 | Launchd |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.004 | Launchd |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.004 | Launchd |
| SI-4 | System Monitoring | Protects | T1053.004 | Launchd |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.004 | Scheduled Task/Job: Launchd |