T1543.001 Launch Agent
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents
, /Library/LaunchAgents
, and ~/Library/LaunchAgents
.14 7 Property list files use the Label
, ProgramArguments
, and RunAtLoad
keys to identify the Launch Agent’s name, executable location, and execution time.8 Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the Launchctl command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad
or KeepAlive
keys set to true
.25 The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.63
Item | Value |
---|---|
ID | T1543.001 |
Sub-techniques | T1543.001, T1543.002, T1543.003, T1543.004 |
Tactics | TA0003, TA0004 |
Platforms | macOS |
Permissions required | Administrator, User |
Version | 1.4 |
Created | 17 January 2020 |
Last Modified | 21 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0482 | Bundlore | Bundlore can persist via a LaunchAgent.20 |
S0274 | Calisto | Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.10 |
S0369 | CoinTicker | CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.25 |
S0492 | CookieMiner | CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.21 |
S0235 | CrossRAT | CrossRAT creates a Launch Agent on macOS.28 |
S0497 | Dacls | Dacls can establish persistence via a LaunchAgent.2324 |
S0281 | Dok | Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format com.random.name.plist .1314 |
S0277 | FruitFly | FruitFly persists via a Launch Agent.13 |
S0690 | Green Lambert | Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true , ensuring the com.apple.GrowlHelper.plist file runs every time a user logs in.1516 |
S0276 | Keydnap | Keydnap uses a Launch Agent to persist.22 |
S0162 | Komplex | The Komplex trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist .2 |
S1016 | MacMa | MacMa installs a com.apple.softwareupdate.plist file in the /LaunchAgents folder with the RunAtLoad value set to true . Upon user login, MacMa is executed from /var/root/.local/softwareupdate with root privileges. Some variations also include the LimitLoadToSessionType key with the value Aqua , ensuring the MacMa only runs when there is a logged in GUI user.1819 |
S1048 | macOS.OSAMiner | macOS.OSAMiner has placed a Stripped Payloads with a plist extension in the Launch Agent‘s folder. 27 |
S0282 | MacSpy | MacSpy persists via a Launch Agent.13 |
S0198 | NETWIRE | NETWIRE can use launch agents for persistence.26 |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents .1112 |
S0279 | Proton | Proton persists via Launch Agent.13 |
S0595 | ThiefQuest | ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.17 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions | Set group policies to restrict file permissions to the ~/launchagents folder.9 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0019 | Service | Service Creation |
References
-
Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. ↩
-
Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. ↩↩
-
Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. ↩
-
Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. ↩
-
Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. ↩
-
Patrick Wardle. (2016, February 29). Let’s Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. ↩
-
Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. ↩
-
Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017. ↩
-
Antonio Piazza (4n7m4n). (2021, November 23). Defeating Malicious Launch Persistence. Retrieved April 19, 2022. ↩
-
Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. ↩
-
Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. ↩
-
Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. ↩
-
Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. ↩↩↩↩
-
Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021. ↩
-
Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. ↩
-
Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. ↩
-
Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021. ↩
-
M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. ↩
-
Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. ↩
-
Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. ↩
-
Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. ↩
-
Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018. ↩
-
Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. ↩
-
Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. ↩
-
Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. ↩
-
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. ↩
-
Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. ↩
-
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. ↩