Create or Modify System Process: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents [1] [2] [3]. These launch agents have property list files which point to the executables that will be launched [4].

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories [5] [6]. The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in [7] [8]. They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).

ID: T1543.001
Sub-technique of: T1543
Platforms: macOS
Permissions Required: Administrator, User
Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Service: Service Creation, Service: Service Modification
Version: 1.0
Created: 17 January 2020
Last Modified: 25 March 2020

Procedure Examples

ID Name Description
S0482 Bundlore: Bundlore can persist via a LaunchAgent.[9]
S0274 Calisto: Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[10]
S0369 CoinTicker: CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.[11]
S0492 CookieMiner: CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.[12]
S0235 CrossRAT: CrossRAT creates a Launch Agent on macOS.[13]
S0497 Dacls: Dacls can establish persistence via a LaunchAgent.[14][15]
S0281 Dok: Dok persists via a Launch Agent.[16]
S0277 FruitFly: FruitFly persists via a Launch Agent.[16]
S0276 Keydnap: Keydnap uses a Launch Agent to persist.[17]
S0162 Komplex: The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.[5]
S0282 MacSpy: MacSpy persists via a Launch Agent.[16]
S0198 NETWIRE: NETWIRE can use launch agents for persistence.[18]
S0352 OSX_OCEANLOTUS.D: OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[19][20]
S0279 Proton: Proton persists via a Launch Agent.[16]
S0595 ThiefQuest: ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.[21]

Mitigations

ID Mitigation Description
M1018 User Account Management: Restrict users' ability to create Launch Agents with group policy.

Detection

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See's KnockKnock application. Launch Agents also require files on disk for persistence, which can be monitored via other file monitoring applications.
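The following script is an added example, not code from MITRE, Apple or Objective-See. It ties the loading mechanism described at the top of the page (launchd reading plists from the three LaunchAgents directories) to the detection guidance above: it walks those directories, parses each plist with Python's standard plistlib, and reports the traits that recur in the procedure examples (a hidden dotfile name like .espl.plist, a com.apple.* label outside /System/Library/LaunchAgents, a payload staged under ~/Library/). The extra staging prefixes such as /tmp and /Users/Shared, and the RunAtLoad+KeepAlive rule, are the author's own heuristics and not drawn from the page; the two embedded plists are constructed samples, not real artifacts.

```python
import os
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Directories a per-user launchd consults for launch agents (from the page).
# /System/Library/LaunchAgents holds Apple's own agents; the other two are
# where a third party (or an adversary) would drop a plist.
LAUNCH_AGENT_DIRS = [
    "/System/Library/LaunchAgents",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Assumed heuristic: world- or user-writable staging locations that a vendor
# would rarely use for a long-lived agent binary. Tune for your environment.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launch agent would run, from Program or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def assess_agent(filename: str, plist: dict, directory: str, home: str) -> List[str]:
    """Return a list of human-readable findings for one parsed launch agent plist."""
    findings: List[str] = []
    label = str(plist.get("Label", ""))

    # CoinTicker-style hidden plist name (".espl.plist").
    if filename.startswith("."):
        findings.append("hidden plist filename")

    # Apple-style naming is legitimate only in Apple's own directory.
    if directory != "/System/Library/LaunchAgents" and (
        label.startswith("com.apple.") or filename.startswith("com.apple.")
    ):
        findings.append("Apple-style label or filename outside /System/Library/LaunchAgents")

    prog = program_path(plist)
    if prog is None:
        findings.append("no Program/ProgramArguments key")
    elif prog.startswith(STAGING_PREFIXES) or prog.startswith(home.rstrip("/") + "/Library/"):
        # ThiefQuest-style: binary parked under ~/Library/ (or an assumed scratch dir).
        findings.append(f"program staged in a user-writable location: {prog}")

    # Assumed heuristic: both keys together give start-at-login plus restart-on-exit.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set (restart-on-exit persistence)")
    return findings


def scan_plist_bytes(filename: str, data: bytes, directory: str, home: str) -> List[str]:
    """Parse raw plist bytes (XML or binary) and assess them; parse failures are findings too."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed or non-plist content is itself worth a look
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]
    return assess_agent(filename, plist, directory, home)


def scan_directories(dirs: List[str] = LAUNCH_AGENT_DIRS) -> Dict[str, List[str]]:
    """Scan every *.plist in the given directories; returns {path: findings} for flagged files."""
    home = os.path.expanduser("~")
    flagged: Dict[str, List[str]] = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for f in sorted(base.iterdir()):
            if f.suffix != ".plist" or not f.is_file():
                continue
            findings = scan_plist_bytes(f.name, f.read_bytes(), d, home)
            if findings:
                flagged[str(f)] = findings
    return flagged


# Constructed sample modelled on the Komplex/ThiefQuest entries above; not a real artifact.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates</string>
  <key>ProgramArguments</key><array><string>/Users/example/Library/.hidden/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed benign sample: vendor label, binary inside an app bundle, no KeepAlive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/sync</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for path, findings in scan_directories().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run it as the logged-in user to cover ~/Library/LaunchAgents; the other two directories are readable without elevation. Pair it with a file-creation monitor on the same directories rather than relying on periodic scans alone, since a plist only needs to exist at the next login to take effect.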

References