1. Home
  2. Techniques
  3. Enterprise
  4. Create or Modify System Process
  5. Launch Agent

Create or Modify System Process: Launch Agent

ID Name
T1543.001 Launch Agent
T1543.002 Systemd Service
T1543.003 Windows Service
T1543.004 Launch Daemon

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.[1][2] [3] Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.[4] Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the Launchctl command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.[5][6] The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.[7][8]

ID: T1543.001
Sub-technique of:  T1543
Platforms: macOS
Permissions Required: Administrator, User
Version: 1.3
Created: 17 January 2020
Last Modified: 03 November 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore can persist via a LaunchAgent.[9]
S0274 Calisto

Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[10]
S0369 CoinTicker

CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.[11]

S0492 CookieMiner

CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.[12]
S0235 CrossRAT

CrossRAT creates a Launch Agent on macOS.[13]
S0497 Dacls

Dacls can establish persistence via a LaunchAgent.[14][15]
S0281 Dok

Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format com.random.name.plist.[16][17]
S0277 FruitFly

FruitFly persists via a Launch Agent.[16]
S0276 Keydnap

Keydnap uses a Launch Agent to persist.[18]
S0162 Komplex

The Komplex trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.[5]
S0282 MacSpy

MacSpy persists via a Launch Agent.[16]
S0198 NETWIRE

NETWIRE can use launch agents for persistence.[19]
S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[20][21]
S0279 Proton

Proton persists via Launch Agent.[16]
S0595 ThiefQuest

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.[22]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
File Modification
DS0019 Service Service Creation
Service Modification

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.

Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.

References

  1. Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
  2. Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
  3. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  4. Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
  5. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  6. Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
  7. Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.
  8. Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
  9. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  10. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  11. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  1. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  2. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  3. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  4. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  5. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  6. Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
  7. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  8. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  9. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  10. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  11. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.