ID | Name |
---|---|
T1543.001 | Launch Agent |
T1543.002 | Systemd Service |
T1543.003 | Windows Service |
T1543.004 | Launch Daemon |
T1543.005 | Container Service |
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents
, /Library/LaunchAgents
, and ~/Library/LaunchAgents
.[1][2] [3] Property list files use the Label
, ProgramArguments
, and RunAtLoad
keys to identify the Launch Agent's name, executable location, and execution time.[4] Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the Launchctl command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad
or KeepAlive
keys set to true
.[5][6] The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.[7][8]
ID | Name | Description |
---|---|---|
S0482 | Bundlore | |
S0274 | Calisto |
Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[10] |
S0369 | CoinTicker |
CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.[11] |
S0492 | CookieMiner |
CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.[12] |
S0235 | CrossRAT | |
S0497 | Dacls | |
S0281 | Dok |
Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format |
S0277 | FruitFly | |
S0690 | Green Lambert |
Green Lambert can create a Launch Agent with the |
S0276 | Keydnap | |
S0162 | Komplex |
The Komplex trojan creates a persistent launch agent called with |
S1016 | MacMa |
MacMa installs a |
S1048 | macOS.OSAMiner |
macOS.OSAMiner has placed a Stripped Payloads with a |
S0282 | MacSpy | |
S0198 | NETWIRE | |
S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D can create a persistence file in the folder |
S0279 | Proton | |
S0595 | ThiefQuest |
ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the |
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions |
Set group policies to restrict file permissions to the |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Ensure Launch Agent's |
DS0022 | File | File Creation |
Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. |
File Modification |
Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications. |
||
DS0019 | Service | Service Creation |
Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. |
Service Modification |
Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence. |