{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/launchdaemon/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS","Python","PyTorch"],"_cs_severities":["medium"],"_cs_tags":["persistence","macos","python","launchagent","launchdaemon"],"_cs_type":"advisory","_cs_vendors":["Apple","Python Software Foundation","Meta Platforms"],"content_html":"\u003cp\u003eThis alert focuses on detecting suspicious persistence mechanisms on macOS systems where a Python process is observed creating or modifying LaunchAgent or LaunchDaemon plist files for the first time. Attackers achieving Python code execution, whether through malicious scripts, compromised dependencies, or model file deserialization vulnerabilities such as pickle or PyTorch \u003ccode\u003e__reduce__\u003c/code\u003e, may drop plist files to establish persistence. These LaunchAgents and LaunchDaemons are designed to configure programs to run automatically at login or boot, ensuring the attacker's payload survives reboots and user logouts. This activity is often a strong indicator of compromise because legitimate Python processes rarely need to create persistence mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the macOS system through various means, such as exploiting a vulnerability in an application, social engineering, or phishing.\u003c/li\u003e\n\u003cli\u003eCode Execution: Once inside, the attacker achieves code execution, often leveraging Python through malicious scripts, compromised dependencies (e.g., via pip), or model file deserialization.\u003c/li\u003e\n\u003cli\u003ePersistence Preparation: The attacker crafts a malicious LaunchAgent or LaunchDaemon plist file.  This file contains configurations to automatically run a specified program at login or boot.\u003c/li\u003e\n\u003cli\u003eFile Creation/Modification: The malicious Python script creates or modifies a plist file in either \u003ccode\u003e/Library/LaunchAgents/\u003c/code\u003e, \u003ccode\u003e~/Library/LaunchAgents/\u003c/code\u003e, or \u003ccode\u003e/Library/LaunchDaemons/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePersistence Installation: The system recognizes the new or modified plist file and schedules the specified program to run automatically.\u003c/li\u003e\n\u003cli\u003ePayload Execution:  At the next login or boot, the system executes the program specified in the plist file, initiating the attacker's payload.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The executed payload establishes a connection to a command-and-control server, allowing the attacker to remotely control the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to persistent access to the compromised macOS system, enabling attackers to maintain their foothold even after reboots or user logouts. This can lead to data theft, installation of malware, or further lateral movement within the network. The impact extends to potential data breaches, system compromise, and reputational damage. While the specific number of victims is unknown, the threat affects any macOS system susceptible to malicious Python scripts or compromised dependencies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and file-creation logging to capture the events required for the rules below (references \u0026quot;process_creation\u0026quot; and \u0026quot;file_event\u0026quot; log sources).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;macOS Suspicious LaunchAgent/Daemon Creation by Python\u0026quot; to your SIEM and tune for your environment to detect the behavior (references the Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any persistence events involving Python creating LaunchDaemons by reviewing persistence event fields such as \u003ccode\u003ePersistence.runatload\u003c/code\u003e, \u003ccode\u003ePersistence.keepalive\u003c/code\u003e, \u003ccode\u003ePersistence.args\u003c/code\u003e, \u003ccode\u003ePersistence.path\u003c/code\u003e to understand the plist configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T14:27:00Z","date_published":"2024-07-03T14:27:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-macos-python-launchagent/","summary":"Detection of the first-time a Python process creates or modifies a LaunchAgent or LaunchDaemon plist file on a given macOS host, which is indicative of persistence attempts via malicious scripts, compromised dependencies, or model file deserialization.","title":"First Time Python Created a LaunchAgent or LaunchDaemon","url":"https://feed.craftedsignal.io/briefs/2024-07-macos-python-launchagent/"}],"language":"en","title":"CraftedSignal Threat Feed - Launchdaemon","version":"https://jsonfeed.org/version/1.1"}