# T1543.001 - Launch Agent
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in `/System/Library/LaunchAgents`, `/Library/LaunchAgents`, and `~/Library/LaunchAgents`.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware)(Citation: Antiquated Mac Malware) Property list files use the `Label`, `ProgramArguments`, and `RunAtLoad` keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the Launchctl command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the `RunAtLoad` or `KeepAlive` keys set to `true`.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)
## Atomic Tests

### Atomic Test #1 - Launch Agent
Create a plist and execute it
**Supported Platforms:** macos

**Elevation Required** (e.g. root or admin)

#### Dependencies: Run with `bash`!
##### Check Prereq Commands:

```bash
if [ -f $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist ]; then exit 0; else exit 1; fi;
```

##### Get Prereq Commands:

```bash
echo "The shared library doesn't exist. Check the path"; exit 1;
```

```powershell
Invoke-AtomicTest T1543.001 -TestNumbers 1 -GetPreReqs
```
#### Attack Commands: Run with `bash`

```bash
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist ~/Library/LaunchAgents/com.atomicredteam.plist
sudo launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
```

```powershell
Invoke-AtomicTest T1543.001 -TestNumbers 1
```
#### Cleanup:

```bash
sudo launchctl unload ~/Library/LaunchAgents/com.atomicredteam.plist
sudo rm ~/Library/LaunchAgents/com.atomicredteam.plist
```

```powershell
Invoke-AtomicTest T1543.001 -TestNumbers 1 -Cleanup
```
### Atomic Test #2 - Event Monitor Daemon Persistence

This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.

**Supported Platforms:** macos

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with `bash`
```bash
sudo cp $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist /etc/emond.d/rules/atomicredteam_T1543_001.plist
sudo touch /private/var/db/emondClients/randomflag
```

```powershell
Invoke-AtomicTest T1543.001 -TestNumbers 2
```
#### Cleanup:

```bash
sudo rm /etc/emond.d/rules/atomicredteam_T1543_001.plist
sudo rm /private/var/db/emondClients/randomflag
```

```powershell
Invoke-AtomicTest T1543.001 -TestNumbers 2 -Cleanup
```
## Detection

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See's KnockKnock application. Launch Agents also require files on disk for persistence, which can also be monitored via other file monitoring applications.

Ensure that any Launch Agent whose `ProgramArguments` key points to executables located in the `/tmp` or `/shared` folders is in alignment with enterprise policy. Ensure all Launch Agents with the `RunAtLoad` key set to `true` are in alignment with policy.
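As an added example (not part of this Atomic Red Team page or the MITRE description), the following Python audits the three LaunchAgents directories named above for the indicators the Detection section calls out: `RunAtLoad` set to true, `KeepAlive` set, and a `ProgramArguments` executable under `/tmp` or `/shared`. The plist it checks first is constructed here; everything else uses only the standard library.

```python
import plistlib
from pathlib import Path

# The three LaunchAgents search paths named in the technique description.
LAUNCH_AGENT_DIRS = tuple(Path(p).expanduser() for p in (
    "/System/Library/LaunchAgents", "/Library/LaunchAgents", "~/Library/LaunchAgents"))
# Executable locations the Detection section singles out for policy review.
SUSPECT_PREFIXES = ("/tmp/", "/shared/")

# Constructed sample (not the atomic's own plist): an agent whose executable
# lives in /tmp and that is both run at load and kept alive.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/tmp/updater", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


def audit_plist(data: bytes, source: str = "<memory>") -> dict:
    """Parse one launchd plist and list the indicators a reviewer should check."""
    plist = plistlib.loads(data)
    # launchd runs Program when present, otherwise ProgramArguments[0].
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    findings = []
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad=true")
    if plist.get("KeepAlive"):  # a bool, or a dict of restart conditions
        findings.append("KeepAlive set")
    if program.startswith(SUSPECT_PREFIXES):
        findings.append(f"executable under {program.rsplit('/', 1)[0]}")
    return {"source": source, "label": plist.get("Label", "<no Label>"),
            "program": program, "findings": findings}


def audit_directories(dirs=LAUNCH_AGENT_DIRS) -> list:
    """Audit every *.plist in the given directories; absent directories are skipped."""
    results = []
    for d in dirs:
        for path in sorted(d.glob("*.plist")) if d.is_dir() else []:
            try:
                results.append(audit_plist(path.read_bytes(), str(path)))
            except Exception as exc:  # malformed plist: report it, keep sweeping
                results.append({"source": str(path), "label": "<unparseable>",
                                "program": "", "findings": [f"parse error: {exc}"]})
    return results


if __name__ == "__main__":  # constructed sample first, then the live directories
    for r in [audit_plist(SAMPLE_PLIST, "constructed sample")] + audit_directories():
        print("REVIEW" if r["findings"] else "ok    ", r["label"], r["program"],
              "; ".join(r["findings"]), sep="  ")
```

Agents flagged `REVIEW` are not necessarily malicious; the findings are exactly the policy checks the Detection section asks a reviewer to make.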