Merge PR #4782 from @pratinavchandra - Add `Launch Agent/Daemon Execu…

…tion Via Launchctl` new: Launch Agent/Daemon Execution Via Launchctl --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · May 13, 2024 · 2837671 · 2837671
1 parent bd454b6
commit 2837671
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
@@ -0,0 +1,32 @@
+title: Launch Agent/Daemon Execution Via Launchctl
+id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
+status: experimental
+description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
+    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
+    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
+    - https://www.loobins.io/binaries/launchctl/
+author: Pratinav Chandra
+date: 2024/05/13
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1569.001
+    - attack.t1543.001
+    - attack.t1543.004
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection:
+        Image|endswith: '/launchctl'
+        CommandLine|contains:
+            - 'submit'
+            - 'load'
+            - 'start'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
+level: medium