T1543.001 Launch Agent
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) files found in ~/Library/LaunchAgents. Property list files use the Label, ProgramArguments, and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be loaded and executed on demand using the launchctl command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true. The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.
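A triage script for the plist keys described above, added here as an illustration and not taken from the ATT&CK page or from any of the malware families listed below. It parses launch agent plists with Python's standard plistlib, reads Label and ProgramArguments, and flags the patterns the procedure examples have in common: a com.apple. label sitting outside Apple's own /System/Library/LaunchAgents, a dot-prefixed plist file name, and a program living in a hidden or scratch directory. RunAtLoad/KeepAlive and LimitLoadToSessionType are reported only as context, since legitimate agents use them too. It goes slightly beyond the text by treating a KeepAlive condition dictionary as enabled and by honouring the Program key when ProgramArguments is absent. The three embedded plists, their paths, the label com.apple.espl and the directory lists NON_APPLE_DIRS and SCRATCH_DIRS are constructed assumptions for the demonstration, not real malware artifacts; scan_disk reads the real folders when run on a Mac.

```python
import os
import plistlib

# Apple's own agents ship in /System/Library/LaunchAgents; a "com.apple." Label
# under these prefixes (third-party and per-user folders) is an impersonation signal.
NON_APPLE_DIRS = ("/Library/LaunchAgents", "/Users/")  # assumed heuristic, not from the page
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")  # assumed heuristic

def program_path(plist):
    """Executable launchd would run: ProgramArguments[0], else Program, else None."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    prog = plist.get("Program")
    return str(prog) if prog else None

def auto_starts(plist):
    """True when RunAtLoad is set or KeepAlive (a bool or a condition dict) is present."""
    return bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))

def analyze_launch_agent(path, data):
    """Parse one plist (raw bytes) found at `path`; return finding strings (empty = nothing matched)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a malformed XML/binary plist is itself worth a look
        return [f"unparseable plist ({type(exc).__name__})"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dict"]
    findings = []
    name = os.path.basename(path)
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    if name.startswith("."):  # dot-prefixed plist, hidden from Finder
        findings.append("hidden plist filename")
    if label.startswith("com.apple.") and path.startswith(NON_APPLE_DIRS):
        findings.append("com.apple. label outside /System/Library/LaunchAgents")
    if prog is None:
        findings.append("no Program/ProgramArguments")
    else:
        if any(part.startswith(".") for part in prog.split("/") if part):
            findings.append(f"program in hidden directory: {prog}")
        if prog.startswith(SCRATCH_DIRS):
            findings.append(f"program in scratch directory: {prog}")
    # Auto-start and GUI-session gating are normal on their own; add them as
    # context only when another signal already matched.
    if findings and auto_starts(plist):
        findings.append("auto-start (RunAtLoad/KeepAlive) enabled")
    if findings and plist.get("LimitLoadToSessionType") == "Aqua":
        findings.append("limited to GUI (Aqua) sessions")
    return findings

def scan(agents):
    """agents: iterable of (path, bytes). Returns {path: findings} for flagged entries only."""
    report = {}
    for path, data in agents:
        findings = analyze_launch_agent(path, data)
        if findings:
            report[path] = findings
    return report

def scan_disk():
    """Read the real per-user and third-party LaunchAgents folders (macOS only)."""
    agents = []
    for folder in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"):
        for name in (os.listdir(folder) if os.path.isdir(folder) else []):
            path = os.path.join(folder, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    agents.append((path, fh.read()))
    return scan(agents)

# Constructed samples (assumed paths and contents, not real malware files): a benign
# updater, an agent modelled on the MacMa description, and a dot-prefixed agent.
BENIGN_PATH = "/Users/alice/Library/LaunchAgents/com.example.updater.plist"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
MACMA_PATH = "/Library/LaunchAgents/com.apple.softwareupdate.plist"
MACMA_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate</string>
<key>ProgramArguments</key><array><string>/var/root/.local/softwareupdate</string></array>
<key>RunAtLoad</key><true/>
<key>LimitLoadToSessionType</key><string>Aqua</string></dict></plist>"""
HIDDEN_PATH = "/Users/alice/Library/LaunchAgents/.espl.plist"
HIDDEN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.espl</string>
<key>ProgramArguments</key><array><string>/Users/alice/.helper/agent</string></array>
<key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict></dict></plist>"""
SAMPLES = [(BENIGN_PATH, BENIGN_PLIST), (MACMA_PATH, MACMA_PLIST), (HIDDEN_PATH, HIDDEN_PLIST)]

if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path + "".join("\n  - " + f for f in findings))
```

Running the module prints only the two constructed malicious agents; the benign updater with RunAtLoad set produces no finding, because auto-start on its own is how legitimate agents work. On a real host, replace `scan(SAMPLES)` with `scan_disk()` and remember that the heuristics here are assumptions to tune, not a signature: a label mismatch or scratch-directory program is a reason to look at the binary, not proof of compromise.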
Procedure Examples
|Bundlore can persist via a LaunchAgent.
|Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.
|CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.
|CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.
|CrossRAT creates a Launch Agent on macOS.
|Dacls can establish persistence via a LaunchAgent.
|Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format
|FruitFly persists via a Launch Agent.
|Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the com.apple.GrowlHelper.plist file runs every time a user logs in.
|Keydnap uses a Launch Agent to persist.
|The Komplex trojan creates a persistent launch agent, loaded with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.
|MacMa installs a com.apple.softwareupdate.plist file in the /LaunchAgents folder with the RunAtLoad value set to true. Upon user login, MacMa is executed from /var/root/.local/softwareupdate with root privileges. Some variations also include the LimitLoadToSessionType key with the value Aqua, ensuring that MacMa only runs when there is a logged in GUI user.
|macOS.OSAMiner has placed stripped payloads with a plist extension in the Launch Agents folder.
|MacSpy persists via a Launch Agent.
|NETWIRE can use launch agents for persistence.
|OSX_OCEANLOTUS.D can create a persistence file in the folder
|Proton persists via Launch Agent.
|ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the