Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in
~/Library/LaunchAgents.  Property list files use the
ProgramArguments , and
RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the Launchctl command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the
KeepAlive keys set to
true. The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.
ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component|
Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.
Ensure Launch Agent's
ProgramArguments key pointing to executables located in the
/shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the
RunAtLoad key set to
true are in alignment with policy.