atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1159.md
2019-02-12 04:55:11 +01:00


T1159 - Launch Agent

Description from ATT&CK

Per Apple's developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user's directory structure) or when any user logs in (which requires administrator privileges).

Atomic Tests


Atomic Test #1 - Launch Agent

Create a plist and execute it

Supported Platforms: macOS

Run it with these steps!

  1. Create a file named .client in your home directory. This is the payload the agent points at, so give it a `#!/bin/sh` first line and make it executable (`chmod +x ~/.client`); launchd execs ProgramArguments directly rather than through a shell, so a non-executable file or one without an interpreter line will not run.

  2. Put the following command in .client (it pops a Finder dialog so you can see the agent fire):

     osascript -e 'tell app "Finder" to display dialog "Hello World"'

  3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist (create the directory first if it does not exist):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>com.client.client</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users//.client</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>NSUIElement</key>
    <string>1</string>
</dict>
</plist>
```

  4. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist

     Confirm the agent is registered with `launchctl list com.client.client` (the label from the plist, not the file name). To clean up afterwards, run `launchctl unload -w ~/Library/LaunchAgents/com.atomicredteam.plist` and delete the plist and ~/.client; with the -w flag the agent is otherwise persisted across logins.
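The same agent built programmatically and then triaged the way a responder would, as an added example that is not part of the atomic test or of the Atomic Threat Coverage project. It uses Python's standard plistlib to emit a plist with the same keys as the one above (KeepAlive, Label, ProgramArguments, RunAtLoad, NSUIElement) and to parse the plists in the three LaunchAgents directories the ATT&CK description names. The user name alice in the sample is constructed, and the "stands out" heuristics (RunAtLoad and KeepAlive set, hidden dotfile payload, executable under a user-writable path) are this example's own choices, not detection logic from the project.

```python
"""Build a launch agent plist like the one in the test, and triage LaunchAgents
directories for agents of the same shape. Added example; not project code."""
import os
import plistlib
from pathlib import Path

# The per-user agent directories launchd reads at login (per the ATT&CK description).
LAUNCH_AGENT_DIRS = (
    Path("/System/Library/LaunchAgents"),
    Path("/Library/LaunchAgents"),
    Path.home() / "Library" / "LaunchAgents",
)

# Locations an unprivileged user can write to. An agent whose executable lives
# here deserves a closer look. Heuristic chosen for this example, not a rule.
USER_WRITABLE_PREFIXES = (
    "/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/",
)


def build_agent_plist(label, program, keep_alive=True, run_at_load=True):
    """Return XML plist bytes for an agent that runs `program` at login.

    Same keys as the test's plist. Python booleans are emitted as <true/> or
    <false/>, which is what launchd expects for KeepAlive and RunAtLoad.
    """
    agent = {
        "KeepAlive": keep_alive,
        "Label": label,
        "ProgramArguments": [program],
        "RunAtLoad": run_at_load,
        "NSUIElement": "1",
    }
    return plistlib.dumps(agent, fmt=plistlib.FMT_XML)


def triage_agent(data):
    """Parse one plist (bytes) and return the label, executable, arguments and a
    list of reasons the agent stands out. Malformed input is reported, not skipped."""
    try:
        agent = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return {"label": None, "program": "", "args": [],
                "findings": [f"unparseable plist: {exc}"]}
    if not isinstance(agent, dict):
        return {"label": None, "program": "", "args": [],
                "findings": ["plist root is not a dict"]}
    args = list(agent.get("ProgramArguments") or [])
    # launchd accepts either a single Program key or ProgramArguments[0].
    program = agent.get("Program") or (args[0] if args else "")
    findings = []
    if agent.get("RunAtLoad"):
        findings.append("runs at login (RunAtLoad)")
    if agent.get("KeepAlive"):  # a bool or a dict of conditions; both keep it alive
        findings.append("restarted if it exits (KeepAlive)")
    if os.path.basename(program).startswith("."):
        findings.append("executable is a hidden dotfile")
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append("executable is in a user-writable location")
    return {"label": agent.get("Label"), "program": program,
            "args": args, "findings": findings}


def triage_directories(dirs=LAUNCH_AGENT_DIRS):
    """Triage every *.plist in the LaunchAgents directories present on this host."""
    report = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            report[str(path)] = triage_agent(path.read_bytes())
    return report


if __name__ == "__main__":
    # Constructed sample: the test's agent, with "alice" standing in for the user name.
    sample = build_agent_plist("com.client.client", "/Users/alice/.client")
    print(sample.decode())
    print(triage_agent(sample))
    # On a Mac this walks the real directories; elsewhere it just finds none.
    for path, result in triage_directories().items():
        if result["findings"]:
            print(path, result["label"], result["program"], "; ".join(result["findings"]))
```

Run it on a Mac after step 4 and the test's agent shows up with all four findings; Apple's own agents under /System/Library/LaunchAgents typically trip only RunAtLoad, which is why the path and dotfile checks carry more signal than RunAtLoad alone.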