
Launch Agent

Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents [1] [2] [3]. Each agent’s plist names the executable to be launched, via its Program or ProgramArguments key, along with options such as RunAtLoad and KeepAlive that control when it starts and whether launchd restarts it [4].

Adversaries may establish persistence by writing a new Launch Agent plist into one of these directories and either loading it immediately with launchctl or simply waiting for launchd to pick it up at the next login [5] [6]. The agent name may be disguised by borrowing a label from the operating system (for example a com.apple.* prefix) or from benign software. Launch Agents run with the privileges of the user who logs in, not as root [7] [8]. A plist placed in $HOME/Library/LaunchAgents runs only for that user and needs no elevated privileges to create; a plist placed in /Library/LaunchAgents runs for every user who logs in, but writing to that directory requires administrator privileges.

ID: T1159
Tactic: Persistence
Platform: macOS
Permissions Required: User, Administrator
Data Sources: File monitoring, Process monitoring
Version: 1.0

Procedure Examples

Name: Description
Calisto: Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. [11]
CoinTicker: CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence. [13]
CrossRAT: CrossRAT creates a Launch Agent on macOS.
Dok: Dok persists via a Launch Agent. [9]
FruitFly: FruitFly persists via a Launch Agent. [9]
Keydnap: Keydnap uses a Launch Agent to persist. [10]
Komplex: The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist. [5]
MacSpy: MacSpy persists via a Launch Agent. [9]
OSX_OCEANLOTUS.D: OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents. [12]
Proton: Proton persists via a Launch Agent. [9]

Mitigations

Mitigation: Description
User Account Management: Restrict users’ ability to create Launch Agents. macOS has no built-in Group Policy; the equivalent controls are MDM-managed configuration profiles and file permissions on the LaunchAgents directories, and keeping ordinary users out of the administrator group so they cannot write to /Library/LaunchAgents.

Detection

Monitor for new or modified plist files in the three LaunchAgents directories, and for launchctl invocations that load them (process monitoring). Utilities such as Objective-See’s KnockKnock enumerate the agents currently registered for persistence. Because a Launch Agent cannot exist without a plist on disk, file monitoring will catch its creation; when triaging, compare each agent’s label and program path against what is expected, since an Apple-style label outside /System/Library, a hidden filename, or a program living in a user-writable location such as /tmp or /Users/Shared is a common sign of the disguise described above.
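The following is an added example, not code from the ATT&CK page or from any of the tools it mentions. It serves two passages: it embeds a constructed plist of the shape described above (Label, ProgramArguments, RunAtLoad, KeepAlive), and it implements a small version of the detection just described, parsing every plist under the LaunchAgents directories with Python’s plistlib and flagging the disguises named in the procedure examples. The heuristics, the writable-location list, and all file names, labels and paths in the samples are assumptions chosen for illustration.

```python
"""Hunt for suspicious macOS Launch Agents by parsing the plists launchd loads.

Added example, not part of the ATT&CK page. Sample plists and heuristics below
are constructed assumptions, not a complete detection rule.
"""
import os
import plistlib
import tempfile

# The three directories launchd reads per-user agents from.
LAUNCH_AGENT_DIRS = [
    "/System/Library/LaunchAgents",                 # Apple-shipped agents
    "/Library/LaunchAgents",                        # every user; admin to write
    os.path.expanduser("~/Library/LaunchAgents"),   # this user only; no admin needed
]

# Locations an agent's program should normally not live in (assumption).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_of(plist):
    """Executable an agent plist points at: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def findings_for(path, plist, trusted_dir=False):
    """Return the reasons this agent plist looks suspicious (empty if none)."""
    findings = []
    name = os.path.basename(path)
    label = str(plist.get("Label", ""))
    prog = program_of(plist) or ""
    if name.startswith("."):
        findings.append("hidden plist filename")
    if not trusted_dir and label.startswith("com.apple."):
        findings.append("Apple-style label outside /System/Library")
    if prog.startswith(WRITABLE_PREFIXES):
        findings.append("program in world-writable location: " + prog)
    if prog and not os.path.isabs(prog):
        findings.append("relative program path: " + prog)
    if plist.get("RunAtLoad") is True and not prog:
        findings.append("RunAtLoad set but no program to run")
    return findings


def scan(dirs):
    """Parse every *.plist under dirs; return {path: findings} for flagged agents."""
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        trusted = d.startswith("/System/Library/")
        for name in sorted(os.listdir(d)):          # listdir includes dotfiles
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)       # handles XML and binary plists
            except Exception as exc:                # malformed plists deserve a look too
                results[path] = ["unparseable plist: %s" % exc]
                continue
            hits = findings_for(path, plist, trusted)
            if hits:
                results[path] = hits
    return results


# Constructed sample in the style of the Komplex agent above: an Apple-looking
# label whose program is a hidden binary in a shared, user-writable directory.
SAMPLE_AGENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.updates</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.updates</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def demo():
    """Write three constructed plists into a temp LaunchAgents dir and scan it.

    Returns {filename: findings}; the benign agent should not appear."""
    agents = os.path.join(tempfile.mkdtemp(), "LaunchAgents")
    os.mkdir(agents)
    with open(os.path.join(agents, "com.apple.updates.plist"), "w") as fh:
        fh.write(SAMPLE_AGENT_XML)
    with open(os.path.join(agents, ".espl.plist"), "wb") as fh:     # hidden, CoinTicker-style
        plistlib.dump({"Label": "espl", "ProgramArguments": ["/tmp/.espl"],
                       "RunAtLoad": True}, fh)
    with open(os.path.join(agents, "com.example.sync.plist"), "wb") as fh:  # benign
        plistlib.dump({"Label": "com.example.sync",
                       "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"],
                       "RunAtLoad": True}, fh)
    return {os.path.basename(p): f for p, f in scan([agents]).items()}


if __name__ == "__main__":
    for path, hits in scan(LAUNCH_AGENT_DIRS).items():   # the real directories
        print(path, hits)
    print(demo())
```

Run on a Mac, scan(LAUNCH_AGENT_DIRS) walks the real directories; demo() exercises the same logic on the constructed samples so the script can be checked anywhere. The /System/Library directory is treated as trusted only for the com.apple.* label check; a Launch Agent there that points into /tmp would still be flagged.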

References