T1543.001 - Create or Modify System Process: Launch Agent
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in `/System/Library/LaunchAgents`, `/Library/LaunchAgents`, and `~/Library/LaunchAgents`.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware)(Citation: Antiquated Mac Malware) Property list files use the `Label`, `ProgramArguments`, and `RunAtLoad` keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user-specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the `RunAtLoad` or `KeepAlive` keys set to `true`.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user-level privileges and execute with user-level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)
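The description above names the plist keys that make a Launch Agent persist (`Label`, `ProgramArguments`, `RunAtLoad`, `KeepAlive`), the three directories launchd reads them from, and the disguised-name pattern. The following audit script is an added example for this page, not Atomic Red Team code and not part of the ATT&CK entry: it parses agent plists with the standard library `plistlib`, extracts those keys, and records why a defender would want to look at a given agent. It assumes only the key names above plus `Program`, which launchd also accepts for the executable path; the "suspicious" location heuristics and the two sample plists are constructed for this example rather than taken from the page.

```python
"""Audit launchd agent plists for the persistence keys described above.

Added example for this page; not Atomic Red Team code and not part of the
ATT&CK entry. Assumes only the Python standard library and the key names the
technique description gives (Label, ProgramArguments, RunAtLoad, KeepAlive),
plus Program, which launchd also accepts for the executable path. The
"suspicious" heuristics below are this example's own assumptions.
"""
import os
import plistlib
from dataclasses import dataclass, field

# Per-user agent directories from the technique description.
LAUNCH_AGENT_DIRS = (
    "/System/Library/LaunchAgents",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Locations an auto-starting agent would not normally execute from (assumed heuristic).
SUSPICIOUS_EXEC_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


@dataclass
class AgentFinding:
    path: str
    label: str = ""
    executable: str = ""
    run_at_load: bool = False
    keep_alive: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_agent(plist_bytes: bytes, path: str) -> AgentFinding:
    """Pull the keys the technique relies on out of one plist (XML or binary)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    executable = data.get("Program") or (args[0] if args else "")
    return AgentFinding(
        path=path,
        label=str(data.get("Label", "")),
        executable=str(executable),
        run_at_load=bool(data.get("RunAtLoad", False)),
        # KeepAlive is either a bool or a dict of conditions; both relaunch the job.
        keep_alive=bool(data.get("KeepAlive", False)),
    )


def audit_agent(plist_bytes: bytes, path: str) -> AgentFinding:
    """Parse one agent and record why a defender would want to look at it."""
    try:
        finding = parse_agent(plist_bytes, path)
    except Exception as exc:  # malformed plist: report it rather than skip it
        return AgentFinding(path=path, reasons=[f"unparseable plist: {exc}"])
    auto_start = finding.run_at_load or finding.keep_alive
    if auto_start and not finding.executable:
        finding.reasons.append("auto-start agent with no Program/ProgramArguments")
    elif auto_start and finding.executable.startswith(SUSPICIOUS_EXEC_PREFIXES):
        finding.reasons.append(f"auto-start agent executes from {finding.executable}")
    elif auto_start and not os.path.isabs(finding.executable):
        finding.reasons.append(f"relative executable path {finding.executable!r}")
    # Apple's own agents live under /System; an Apple-looking label anywhere else is
    # the disguised-name pattern the description mentions.
    if finding.label.startswith("com.apple.") and not path.startswith("/System/Library/LaunchAgents/"):
        finding.reasons.append("Apple-style label outside /System/Library/LaunchAgents")
    return finding


def audit_directory(directory: str) -> list:
    """Audit every .plist in one LaunchAgents directory (empty list if it is absent)."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                findings.append(audit_agent(fh.read(), path))
    return findings


# Constructed sample plists (not real malware artefacts). The second combines the
# traits the description lists: RunAtLoad/KeepAlive true, an Apple-looking label,
# and an executable parked in /tmp.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/tmp/.cache/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    samples = [
        (BENIGN_PLIST, "/Library/LaunchAgents/com.example.updater.plist"),
        (SUSPICIOUS_PLIST, "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"),
    ]
    results = [audit_agent(b, p) for b, p in samples]
    results += [f for d in LAUNCH_AGENT_DIRS for f in audit_directory(d)]  # live host, if macOS
    for f in results:
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.path} label={f.label!r} exec={f.executable!r} "
              f"RunAtLoad={f.run_at_load} KeepAlive={f.keep_alive} {'; '.join(f.reasons)}")
```

Run on a macOS host, the `__main__` section also walks the three real agent directories; on any other system those are absent and only the constructed samples are reported. The heuristics are deliberately narrow (auto-start plus an unusual executable location, or an Apple-style label outside `/System`), so a benign third-party updater such as the first sample is not flagged while an agent matching the description's pattern is.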
Atomic Tests
Atomic Test #1 - Launch Agent
Create a plist and execute it
Supported Platforms: macOS
auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.plist |
| path_malicious_plist | Path of the plist file to copy into the LaunchAgents folder | string | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist |
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
```
Cleanup Commands:

```sh
sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename}
sudo rm ~/Library/LaunchAgents/#{plist_filename}
```
Dependencies: Run with `sh`!

Description: The plist file must exist on disk at the specified location (#{path_malicious_plist})

Check Prereq Commands:

```sh
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```

Get Prereq Commands:

```sh
echo "The plist file doesn't exist. Check the path"; exit 1;
```
Atomic Test #2 - Event Monitor Daemon Persistence
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
Supported Platforms: macOS
auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_location | evil plist location | path | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist |
| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1543_001.plist |
| empty_file | Random name of the empty file used to trigger emond service | string | randomflag |
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
```
Cleanup Commands:

```sh
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
```
Atomic Test #3 - Launch Agent - Root Directory
Create a plist and execute it
Supported Platforms: macOS
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.T1543.001.plist |
| path_malicious_plist | Path of the plist file to copy into the LaunchAgents folder | string | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist |
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
```
Cleanup Commands:

```sh
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
```
Dependencies: Run with `sh`!

Description: /Library/LaunchAgents must exist

Check Prereq Commands:

```sh
if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents; exit 0; fi;
```

Get Prereq Commands:

```sh
echo "Failed to create /Library/LaunchAgents"; exit 1;
```

Description: The plist file must exist on disk at the specified location (#{path_malicious_plist})

Check Prereq Commands:

```sh
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```

Get Prereq Commands:

```sh
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```