Description
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware)(Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments, and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user-specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the Launchctl command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user-level privileges and execute with user-level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)
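As an added defender-side example (not part of the ATT&CK page or any vendor tooling), the audit below parses launch agent plists from the three directories named above and flags the traits the description calls out: RunAtLoad/KeepAlive set, a hidden plist filename, an Apple-looking Label outside /System, and a program outside normal install locations. The two sample plists, the user path and the trusted-prefix list are constructed assumptions for illustration.

```python
import plistlib
from pathlib import Path

# Per-user agent directories launchd reads at login (from the description above).
AGENT_DIRS = ["/System/Library/LaunchAgents", "/Library/LaunchAgents", "~/Library/LaunchAgents"]
# Program locations that are normal for a launch agent (assumed list); anything else deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
RUN_AT_LOGIN = "runs at login (RunAtLoad/KeepAlive set)"

# Constructed sample plists (not taken from any real malware): the first imitates an
# Apple label and runs a payload from a hidden user directory, the second is benign.
SAMPLE_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.apple.softwareupdate</string>'
                b'<key>ProgramArguments</key><array><string>/Users/alice/Library/.cache/updater</string>'
                b'</array><key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>')
BENIGN_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.example.sync</string>'
                b'<key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync'
                b'</string></array><key>RunAtLoad</key><true/></dict></plist>')


def audit_launch_agent(plist_bytes: bytes, plist_path: str) -> list[str]:
    """Return audit findings for one launch agent plist; an empty list means nothing notable."""
    try:
        p = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or truncated plist: still worth reporting
        return [f"unparseable plist: {exc}"]
    findings = []
    label = p.get("Label", "")
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    program = args[0] if args else ""
    if p.get("RunAtLoad") or p.get("KeepAlive"):
        findings.append(RUN_AT_LOGIN)
    if Path(plist_path).name.startswith("."):
        findings.append("hidden plist filename")
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        findings.append("Apple-looking label outside /System/Library/LaunchAgents")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted locations: {program}")
    return findings


def scan_agent_dirs(dirs=AGENT_DIRS) -> dict[str, list[str]]:
    """Audit every .plist in the launch agent directories that exist on this host."""
    report = {}
    for d in dirs:
        for f in Path(d).expanduser().glob("*.plist"):
            findings = audit_launch_agent(f.read_bytes(), str(f))
            if findings:
                report[str(f)] = findings
    return report
```

Call `scan_agent_dirs()` on a macOS host to get a path-to-findings map; an entry whose only finding is the run-at-login one is usually a legitimate updater, while the other findings are the disguises the description warns about.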
Platforms
Mitigations (1)
M1022 Restrict File and Directory Permissions
Set group policies to restrict file permissions to the ~/launchagents folder.(Citation: piazza launch agent mitigation)
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has established persistence using [InvisibleFerret](https://attack.mitre.org/software/S1... |
Associated Software (21)
| ID | Name | Type | Context |
|---|---|---|---|
| S0274 | Calisto | Malware | [Calisto](https://attack.mitre.org/software/S0274) adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.(Citation: Securelis... |
| S0279 | Proton | Malware | [Proton](https://attack.mitre.org/software/S0279) persists via Launch Agent.(Citation: objsee mac malware 2017) |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has established persistence on macOS via a LaunchAgent by writing a plist under `/library/LaunchA... |
| S0282 | MacSpy | Malware | [MacSpy](https://attack.mitre.org/software/S0282) persists via a Launch Agent.(Citation: objsee mac malware 2017) |
| S0235 | CrossRAT | Malware | [CrossRAT](https://attack.mitre.org/software/S0235) creates a Launch Agent on macOS.(Citation: Lookout Dark Caracal Jan 2018) |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist... |
| S0497 | Dacls | Malware | [Dacls](https://attack.mitre.org/software/S0497) can establish persistence via a LaunchAgent.(Citation: SentinelOne Lazarus macOS July 2020)(Citation:... |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` v... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can create a persistence file in the folder `/Library/LaunchAgents`.(Citation: ... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) can persist via a LaunchAgent.(Citation: MacKeeper Bundlore Apr 2019) |
| S0595 | ThiefQuest | Malware | [ThiefQuest](https://attack.mitre.org/software/S0595) installs a launch item using an embedded encrypted launch agent property list template. The plis... |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has placed a [Stripped Payloads](https://attack.mitre.org/techniques/T1027/008) with a `plis... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has established persistence using LaunchAgents on macOS that run on Startup using a file na... |
| S0369 | CoinTicker | Malware | [CoinTicker](https://attack.mitre.org/software/S0369) creates user launch agents named .espl.plist and com.apple.[random string].plist to establish pe... |
| S0690 | Green Lambert | Malware | [Green Lambert](https://attack.mitre.org/software/S0690) can create a [Launch Agent](https://attack.mitre.org/techniques/T1543/001) with the `RunAtLoa... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can achieve persistence by creating launch agents to repeatedly execute malicious payloads.(... |
| S0492 | CookieMiner | Malware | [CookieMiner](https://attack.mitre.org/software/S0492) has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mi... |
| S0277 | FruitFly | Malware | [FruitFly](https://attack.mitre.org/software/S0277) persists via a Launch Agent.(Citation: objsee mac malware 2017) |
| S0162 | Komplex | Malware | The [Komplex](https://attack.mitre.org/software/S0162) trojan creates a persistent launch agent called with `$HOME/Library/LaunchAgents/com.appl... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can use launch agents for persistence.(Citation: Red Canary NETWIRE January 2020) |
References
- Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
- Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.
- Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
- Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
Frequently Asked Questions
What is T1543.001 (Launch Agent)?
T1543.001 is a MITRE ATT&CK technique named 'Launch Agent'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters fo...
How can T1543.001 be detected?
Detection of T1543.001 (Launch Agent) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1543.001?
There is 1 documented mitigation for T1543.001: Restrict File and Directory Permissions.
Which threat groups use T1543.001?
Known threat groups using T1543.001 include: Contagious Interview.