Матрица MITRE ATT&CK

Technique on mitre.org

T1543.001: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the Launchctl command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true. The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

ID	DS0022	Data source and component	File: File Modification	Description	Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.

ID	DS0019	Data source and component	Service: Service Creation	Description	Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application.

ID	DS0019	Data source and component	Service: Service Modification	Description	Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.

ID	DS0017	Data source and component	Command: Command Execution	Description	Ensure Launch Agent's `ProgramArguments` key pointing to executables located in the `/tmp` or `/shared` folders are in alignment with enterprise policy. Ensure all Launch Agents with the `RunAtLoad` key set to `true` are in alignment with policy.

ID	Data source and component	Description
DS0022	File: File Modification	Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.
DS0019	Service: Service Creation	Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application.
DS0019	Service: Service Modification	Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence.
DS0022	File: File Creation	Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
DS0017	Command: Command Execution	Ensure Launch Agent's `ProgramArguments` key pointing to executables located in the `/tmp` or `/shared` folders are in alignment with enterprise policy. Ensure all Launch Agents with the `RunAtLoad` key set to `true` are in alignment with policy.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Set group policies to restrict file permissions to the `~/launchagents` folder.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Set group policies to restrict file permissions to the `~/launchagents` folder.