T1543.001
Launch Agent
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac ...
macOS
10 Detections, 3 Sources, 1 Threat Actor
BY SOURCE
elastic: 6, sigma: 2, splunk_escu: 2
PROCEDURES (4)
Process Creation Monitoring: 4 detections
Auto-extracted: 4 detections for process creation monitoring
Authentication Monitoring: 2 detections
Auto-extracted: 2 detections for authentication monitoring
Suspicious: 2 detections
Auto-extracted: 2 detections for suspicious
Privilege: 2 detections
Auto-extracted: 2 detections for privilege
THREAT ACTORS (1)
DETECTIONS (10)
Creation of Hidden Launch Agent or Daemon (elastic, medium)
First Time Python Created a LaunchAgent or LaunchDaemon (elastic, medium)
Launch Agent/Daemon Execution Via Launchctl (sigma, medium)
Launch Service Creation and Immediate Loading (elastic, low)
Persistence via a Hidden Plist Filename (elastic, high)
Persistence via Suspicious Launch Agent or Launch Daemon (elastic, high)
Potential Persistence Via PlistBuddy (sigma, high)
Suspicious Hidden Child Process of Launchd (elastic, medium)
Suspicious PlistBuddy Usage (splunk_escu)
Suspicious PlistBuddy Usage via OSquery (splunk_escu)