Skip to content

Latest commit

 

History

History
50 lines (35 loc) · 2.29 KB

T1159.md

File metadata and controls

50 lines (35 loc) · 2.29 KB

T1159 - Launch Agent

Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).

Atomic Tests


Atomic Test #1 - Launch Agent

Create a plist and execute it

Supported Platforms: macOS

Run it with these steps!

  1. Create file - .client

  2. osascript -e 'tell app "Finder" to display dialog "Hello World"'

  3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist

KeepAlive Label com.client.client ProgramArguments /Users//.client RunAtLoad NSUIElement 1
  1. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist