Create or Modify System Process: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents [1] [2] [3]. These launch agents have property list files which point to the executables that will be launched [4].

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories [5] [6]. The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in [7] [8]. They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).

ID: T1543.001
Sub-technique of: T1543
Platforms: macOS
Permissions Required: Administrator, User
Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Service: Service Creation, Service: Service Modification
Version: 1.0
Created: 17 January 2020
Last Modified: 25 March 2020

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore can persist via a LaunchAgent.[9]

S0274 Calisto

Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[10]

S0369 CoinTicker

CoinTicker creates user launch agents named .espl.plist and [random string].plist to establish persistence.[11]

S0492 CookieMiner

CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.[12]

S0235 CrossRAT

CrossRAT creates a Launch Agent on macOS.[13]

S0497 Dacls

Dacls can establish persistence via a LaunchAgent.[14][15]

S0281 Dok

Dok persists via a Launch Agent.[16]

S0277 FruitFly

FruitFly persists via a Launch Agent.[16]

S0276 Keydnap

Keydnap uses a Launch Agent to persist.[17]

S0162 Komplex

The Komplex trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/ with launchctl load -w ~/Library/LaunchAgents/[5]

S0282 MacSpy

MacSpy persists via a Launch Agent.[16]


NETWIRE can use launch agents for persistence.[18]


OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[19][20]

S0279 Proton

Proton persists via Launch Agent.[16]

S0595 ThiefQuest

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.[21]


Mitigations

ID Mitigation Description
M1018 User Account Management

Restrict users' ability to create Launch Agents with group policy.


Detection

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence, and those files can be monitored with other file monitoring applications.
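
As an added example (not part of the ATT&CK page or of any tool it names), the Python sketch below inventories the launch agent directories listed above, resolves the executable each plist points to, and flags traits seen in the procedure examples (a hidden plist name, a binary placed in ~/Library). The function names, reason strings and heuristics are assumptions chosen for illustration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# The three directories the text above says launchd reads user agents from.
AGENT_DIRS = ("/System/Library/LaunchAgents", "/Library/LaunchAgents",
              "~/Library/LaunchAgents")

def review_agent(plist_path, home):
    """Return (target, reasons) for one launch agent plist.

    The reasons are illustrative heuristics (assumptions), not an ATT&CK rule set.
    """
    reasons = []
    if plist_path.name.startswith("."):
        reasons.append("hidden plist filename")
    try:
        with plist_path.open("rb") as fh:
            job = plistlib.load(fh)  # accepts both XML and binary plists
    except (ValueError, ExpatError, OSError):
        return None, reasons + ["unparseable plist"]
    if not isinstance(job, dict):
        return None, reasons + ["plist root is not a dictionary"]
    # launchd runs Program when present, otherwise ProgramArguments[0].
    args = job.get("ProgramArguments")
    target = job.get("Program") or (args[0] if isinstance(args, list) and args else None)
    if not isinstance(target, str):
        return None, reasons + ["no usable Program or ProgramArguments"]
    tpath = Path(target)
    if tpath.parent == Path(home) / "Library":
        reasons.append("executable sits directly in ~/Library")
    if any(part.startswith(".") for part in tpath.parts):
        reasons.append("executable path has a hidden component")
    return target, reasons

def scan(dirs, home):
    """Inventory every *.plist in dirs as {path: (target, reasons)}."""
    inventory = {}
    for d in dirs:
        root = Path(d).expanduser()
        names = sorted(root.iterdir()) if root.is_dir() else []
        for p in (n for n in names if n.name.endswith(".plist")):
            inventory[str(p)] = review_agent(p, home)
    return inventory

if __name__ == "__main__":
    for path, (target, reasons) in scan(AGENT_DIRS, Path.home()).items():
        flag = "REVIEW" if reasons else "ok"
        print(f"[{flag}] {path} -> {target} {reasons}")
```

Comparing successive runs of the inventory against a saved baseline surfaces newly created or modified agents, which is the file creation and modification signal named in the data sources.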