Detects creation or modification of user-level Launch Agents: .plist files dropped into, or changed in, monitored LaunchAgents directories whose ProgramArguments point at a suspicious or unsigned binary and whose RunAtLoad or KeepAlive keys make it persist. Correlates the file write with the launchctl invocation that registers the job, or with the first execution of that binary at user login.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | `launchctl load` / `launchctl bootstrap` or plist registration at user login |
| File Creation (DC0039) | fs:fsusage | write or chmod to ~/Library/LaunchAgents/*.plist |
| File Modification (DC0061) | fs:fsusage | modification of existing LaunchAgents plist |
| Service Creation (DC0060) | macos:osquery | detection of new launch agents with suspicious paths or unsigned binaries |

| Field | Description |
|---|---|
| PlistDirectoryList | Monitored directories (e.g., `/Library/LaunchAgents`, `~/Library/LaunchAgents`) for plist drops |
| PlistKeyMonitor | Monitored keys such as `RunAtLoad`, `KeepAlive`, or `ProgramArguments` for policy alignment |
| ExecutablePathPattern | Patterns used to detect execution from non-standard or suspicious locations like `/tmp`, `/var`, or `/Users/Shared` |
| UnsignedBinaryAlert | Raise alerts if the binary referenced in the Launch Agent is unsigned or unverified |
| UserContextScope | List of users whose LaunchAgents are considered high-sensitivity (e.g., admins) |
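The following is an added example of how the tunable fields above can be applied to a plist once the file-write or service-creation event has fired; it is not code from the original analytic. The constants stand in for PlistKeyMonitor, ExecutablePathPattern and UserContextScope with assumed defaults, UnsignedBinaryAlert is backed by `codesign --verify` when it is available, and the two plists and the `fake_signed` stand-in are constructed so the script runs on any platform. Persistence keys alone do not alert (legitimate agents set RunAtLoad all the time); they raise severity once a suspicious path or unsigned binary is present.

```python
"""Evaluate LaunchAgent plist content against the tunable detection fields.

Added example, not an official analytic. Constants below mirror the field
names in the table; their values are assumed defaults, not a published baseline.
"""
import plistlib
import shutil
import subprocess

# PlistKeyMonitor: keys whose values are recorded in the finding.
PLIST_KEY_MONITOR = ("RunAtLoad", "KeepAlive", "ProgramArguments")
# ExecutablePathPattern: prefixes that are unusual homes for a login agent.
EXECUTABLE_PATH_PATTERNS = ("/tmp/", "/private/tmp/", "/var/", "/Users/Shared/")
# UserContextScope: owners whose agents are treated as high-sensitivity.
USER_CONTEXT_SCOPE = {"root", "admin"}


def executable_path(pl):
    """Binary launchd will exec: argv[0] of ProgramArguments, else Program."""
    args = pl.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    prog = pl.get("Program")
    return prog if isinstance(prog, str) else None


def codesign_verify(path):
    """UnsignedBinaryAlert backend: True if codesign accepts the binary,
    False if it rejects it, None when codesign is not present (non-macOS)."""
    if shutil.which("codesign") is None:
        return None
    res = subprocess.run(["codesign", "--verify", "--strict", path],
                         capture_output=True)
    return res.returncode == 0


def evaluate(plist_bytes, owner, is_signed=codesign_verify):
    """Score one plist (XML or binary) found in a monitored directory."""
    try:
        pl = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException, ExpatError, ValueError
        return {"executable": None, "alert": True, "severity": "low",
                "reasons": ["file in LaunchAgents does not parse as a plist"],
                "keys": {}}

    reasons = []
    exe = executable_path(pl)
    if exe is None:
        reasons.append("no Program or ProgramArguments key")
    else:
        if exe.startswith(EXECUTABLE_PATH_PATTERNS):
            reasons.append(f"executable in suspicious location: {exe}")
        if is_signed(exe) is False:  # None means "not checked", not "unsigned"
            reasons.append(f"executable unsigned or fails verification: {exe}")

    # Persistence keys: RunAtLoad is a bool, KeepAlive a bool or a dict of conditions.
    persistent = bool(pl.get("RunAtLoad")) or bool(pl.get("KeepAlive"))
    alert = bool(reasons)
    severity = "low"
    if alert:
        severity = "high" if (persistent or owner in USER_CONTEXT_SCOPE) else "medium"

    return {"executable": exe, "alert": alert, "severity": severity,
            "reasons": reasons,
            "keys": {k: pl.get(k) for k in PLIST_KEY_MONITOR if k in pl}}


# Constructed sample plists (not captured from a real host).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/syncd</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
</dict></plist>"""


def fake_signed(path):
    """Constructed stand-in for codesign so the demo runs off-macOS:
    anything under /usr/ is treated as validly signed, everything else as unsigned."""
    return path.startswith("/usr/")


if __name__ == "__main__":
    for name, data, owner in (("benign", BENIGN_PLIST, "alice"),
                              ("suspicious", SUSPICIOUS_PLIST, "admin")):
        print(name, evaluate(data, owner, is_signed=fake_signed))
```

Drop `is_signed=fake_signed` to use the real `codesign` check on a Mac; a `None` return means the verdict could not be established and is deliberately not counted as an indicator, so the unsigned test never fires silently on a host without codesign.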