Launch Agent

Information

• Name: Launch Agent

• ID: T1543.001

• Tactics: TA0003, TA0004

• Technique: T1543

Introduction

Launch Agent (T1543.001) is a sub-technique within the MITRE ATT&CK framework under the broader Persistence technique T1543: Create or Modify System Process. This sub-technique specifically targets macOS systems, leveraging Launch Agents to establish persistence. Launch Agents are configuration files used by macOS to automate the execution of scripts, executables, or programs upon user login or system startup. Attackers exploit this functionality by creating or modifying Launch Agent files to achieve persistent execution of malicious payloads, ensuring continued access and control over compromised systems.

Deep Dive Into Technique

Launch Agents in macOS are managed by the launchd service, which is the primary mechanism for scheduling and managing system and user-level tasks. Launch Agents are defined using property list (.plist) files, which specify execution parameters such as the executable path, arguments, environment variables, and scheduling details.

Technical details include:

• Plist File Locations: Launch Agents can be located in:

  • User-specific directories: ~/Library/LaunchAgents/

  • System-wide directories: /Library/LaunchAgents/, /System/Library/LaunchAgents/

• Plist File Structure: A typical Launch Agent plist file contains keys such as:

  • Label: Unique identifier for the Launch Agent.

  • ProgramArguments: Array of command-line arguments and executable paths.

  • RunAtLoad: Boolean value indicating whether the program runs immediately upon loading.

  • StartInterval: Numeric value specifying intervals (in seconds) between executions.

  • KeepAlive: Boolean or dictionary specifying conditions to restart the program upon termination.

• Execution Methods: Attackers may leverage Launch Agents to:

  • Execute scripts or binaries at user login or system boot.

  • Periodically execute malicious payloads at defined intervals.

  • Maintain persistence by automatically restarting payloads if terminated.

• Privilege Levels: Launch Agents run with the privileges of the user account under which they are loaded. Thus, attackers may combine this sub-technique with privilege escalation techniques if higher-level privileges are required.

When this Technique is Usually Used

Attackers typically employ the Launch Agent sub-technique in various scenarios, including:

• Initial Persistence:

  • After initial compromise via phishing, malicious downloads, or exploitation of vulnerabilities, attackers create Launch Agents to maintain persistence on the compromised system.

• Post-Exploitation Persistence:

  • After successful lateral movement or privilege escalation, attackers set up Launch Agents to ensure continued access to macOS hosts.

• Long-Term Surveillance and Data Exfiltration:

  • Launch Agents are used to periodically execute malware responsible for data collection, exfiltration, and command-and-control (C2) communication.

• Stage of Attack Lifecycle:

  • Primarily observed during the Persistence and Execution stages within the MITRE ATT&CK lifecycle.

How this Technique is Usually Detected

Detection of malicious Launch Agents involves monitoring filesystem changes, analyzing plist files, and identifying anomalous behaviors. Detection methods and indicators include:

• File Monitoring:

  • Monitor creation, modification, or deletion of plist files in:

    • ~/Library/LaunchAgents/

    • /Library/LaunchAgents/

    • /System/Library/LaunchAgents/

• Behavioral Analysis:

  • Detect unusual or unexpected processes spawned by launchd.

  • Identify Launch Agents executing from suspicious or temporary directories.

• Endpoint Detection and Response (EDR) Tools:

  • Tools such as Jamf Protect, CrowdStrike Falcon, SentinelOne, or Carbon Black can detect and alert on anomalous Launch Agent activities.

• Audit Logging and SIEM Integration:

  • macOS audit logs can capture events related to plist file modifications.

  • Integration of logs into SIEM platforms (e.g., Splunk, Elastic Stack) facilitates correlation and detection of malicious activities.

• Indicators of Compromise (IoCs):

  • Suspicious plist files with unusual naming conventions or execution paths.

  • Executables or scripts located in uncommon directories such as /tmp, /var/tmp, or hidden directories.

  • Launch Agents configured with KeepAlive or RunAtLoad set to true, pointing to unknown or suspicious executables.

Why it is Important to Detect This Technique

Early detection of malicious Launch Agents is critical due to the significant impacts they can have on systems and networks, including:

• Persistence and Long-Term Compromise:

  • Attackers establish persistent footholds, enabling continuous unauthorized access and lateral movement within the network.

• Data Exfiltration and Loss:

  • Malicious Launch Agents can periodically execute malware designed to steal sensitive or proprietary data, resulting in financial losses, reputational damage, and regulatory penalties.

• System Stability and Performance Issues:

  • Persistent malware execution may degrade system performance, cause instability, or disrupt legitimate applications and services.

• Elevation of Privileges and Escalation of Attacks:

  • Attackers may leverage persistent access to escalate privileges, compromise additional systems, and expand the scope of their attacks.

• Difficulty in Remediation:

  • Undetected malicious Launch Agents complicate remediation efforts, as attackers retain persistent access even after initial malware removal or system cleanup.

Examples

Real-world examples demonstrating the use of Launch Agents include:

• OSX.Dok Malware:

  • Attack Scenario: Distributed through phishing emails containing malicious attachments.

  • Tools Used: OSX.Dok malware established persistence via Launch Agents located at ~/Library/LaunchAgents/com.apple.Safari.proxy.plist.

  • Impacts: Enabled man-in-the-middle attacks, data interception, credential theft, and unauthorized network access.

• Shlayer Trojan:

  • Attack Scenario: Distributed via malicious websites and fake software updates.

  • Tools Used: Shlayer created Launch Agents to execute payloads upon user login, ensuring persistent adware and malware infections.

  • Impacts: Persistent adware infections, unwanted software installations, and potential exposure to additional malware.

• OceanLotus (APT32) macOS Campaign:

  • Attack Scenario: Targeted espionage campaign against activists and organizations.

  • Tools Used: Created malicious Launch Agents to execute payloads stored in hidden directories, maintaining persistent backdoor access.

  • Impacts: Persistent surveillance, data exfiltration, and espionage activities against targeted users.

• WindTail Malware:

  • Attack Scenario: Targeted macOS users via spear-phishing emails with malicious attachments.

  • Tools Used: Utilized Launch Agents to execute Python-based malware persistently, enabling data theft and command-and-control communication.

  • Impacts: Persistent data exfiltration, credential theft, and unauthorized remote access.

These examples illustrate the versatility and effectiveness of Launch Agents as a persistence mechanism, emphasizing the necessity for robust detection and monitoring strategies.