Attack technique
Technique name: Persistence Using Launch Agents
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: Create or Modify System Process (T1543.001)
Technique description
Native Use - LaunchAgent:
LaunchAgent is a macOS launchd feature that allows users and applications to run programs automatically in the background. It is similar to Task Scheduler on Windows and is used to manage background tasks and services that run on a per-user basis. LaunchAgents are configured through property list (.plist) files, which specify the executable to run as well as conditions such as when and how often to execute the program. Common uses include starting applications at login, scheduling maintenance tasks, and running scripts at specified intervals.
Abuse by Attackers:
Attackers abuse LaunchAgents to maintain persistence on a targeted macOS system. By creating or modifying LaunchAgent .plist files, they can ensure that their malicious payloads execute automatically whenever the user logs in. This technique allows attackers to maintain a foothold on the machine without requiring user interaction each time.
Threat hunting theses breakdown
Relevant data sources: EDR Logs
Thesis explanation
The thesis aims to detect a new malicious plist file created in a LaunchAgents directory, since such a file can lead to automatic execution of malicious code at the next login.
Thesis break-down:
- Create a baseline table of plist files seen during the six months preceding the last 30 days.
- Compare the hashes of the new files created over the last 30 days against the hashes that exist in the baseline.
- Exclude hashes that appeared on at least three hosts over the last 30 days.
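As an added example (not part of the original thesis page), the three steps above implemented in Python over a handful of constructed EDR file-creation records; the host names, paths and hash labels are all made up for illustration, and the windows (30-day recent window, 180-day baseline, prevalence threshold of three hosts) follow the thesis.

```python
from datetime import datetime, timedelta

# Constructed sample EDR file-creation events (not real telemetry).
# Each record: (date, host, file path, file hash). Hash values are
# placeholder labels, not real indicators.
EVENTS = [
    # Baseline window: a vendor updater agent seen months ago on two hosts
    ("2024-01-10", "mac-01", "/Users/alice/Library/LaunchAgents/com.vendor.updater.plist", "H-VENDOR"),
    ("2024-02-03", "mac-02", "/Users/bob/Library/LaunchAgents/com.vendor.updater.plist", "H-VENDOR"),
    # Last 30 days: the same known hash again -> suppressed by the baseline
    ("2024-06-20", "mac-03", "/Users/carol/Library/LaunchAgents/com.vendor.updater.plist", "H-VENDOR"),
    # Last 30 days: a new corporate rollout on three hosts -> suppressed by prevalence
    ("2024-06-21", "mac-01", "/Users/alice/Library/LaunchAgents/com.corp.inventory.plist", "H-CORP"),
    ("2024-06-21", "mac-02", "/Users/bob/Library/LaunchAgents/com.corp.inventory.plist", "H-CORP"),
    ("2024-06-22", "mac-04", "/Users/dan/Library/LaunchAgents/com.corp.inventory.plist", "H-CORP"),
    # Last 30 days: a never-seen plist on a single host -> should be flagged
    ("2024-06-25", "mac-05", "/Users/eve/Library/LaunchAgents/com.example.helper.plist", "H-NEW"),
    # Outside any LaunchAgents directory -> ignored by the hunt
    ("2024-06-26", "mac-05", "/Users/eve/Library/Preferences/com.example.helper.plist", "H-PREF"),
]
NOW = datetime(2024, 6, 30)

def is_launch_agent(path):
    # True for plist files inside a user or system LaunchAgents directory
    return "/LaunchAgents/" in path and path.endswith(".plist")

def hunt(events, now, recent_days=30, baseline_days=180, min_hosts=3):
    """Recent LaunchAgent plists whose hash is unseen in the baseline and rare in the fleet."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    baseline_hashes = set()
    recent = []
    for date, host, path, sha in events:
        if not is_launch_agent(path):
            continue
        ts = datetime.strptime(date, "%Y-%m-%d")
        if baseline_start <= ts < recent_start:
            baseline_hashes.add(sha)
        elif recent_start <= ts <= now:
            recent.append((host, path, sha))
    # Prevalence: distinct hosts per hash over the last 30 days
    hosts_by_hash = {}
    for host, _, sha in recent:
        hosts_by_hash.setdefault(sha, set()).add(host)
    return [(host, path, sha) for host, path, sha in recent
            if sha not in baseline_hashes and len(hosts_by_hash[sha]) < min_hosts]

if __name__ == "__main__":
    for host, path, sha in hunt(EVENTS, NOW):
        print(f"ALERT host={host} hash={sha} path={path}")
```

Only the single-host, never-baselined plist on mac-05 survives both filters; raising `min_hosts` would let the corporate rollout through as well, which is the knob to tune against noisy fleets.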
Blind spots
Some EDR vendors may not fully audit plist files, potentially leading to detection gaps or issues with handling plist-related activity. The table below compares how various EDR agents handle plist file monitoring.
Vendor | Plist File Detection | Correct Detection of Plist Activity | Event Names | Description
---|---|---|---|---
CrowdStrike | ✅ | ❌ | AsepFileChangeDetectInfo, AsepFileChangeScanInfo | An issue was reported to CrowdStrike regarding how plist file activity is audited. Specifically, some plist-related activity is incorrectly classified as "Rename" and "Close" events rather than the actual actions taken on the plist files, such as creation.
SentinelOne | ✅ | ✅ | File Modification, File Rename, File Creation, File Deletion | Activity related to plist files appears to be reported correctly
MDATP | ❌ | ❌ | None | Microsoft Defender for Endpoint (MDATP) does not appear to effectively monitor or detect activity related to plist files
Recommended investigation flow
- Investigate the user that modified/created the plist file
  - Is this user part of the security team / IT team?
  - Is this user commonly used for the modification/creation of plist files?
- Investigate the initiating process
  - Is the process known? Is it supposed to create a launch agent?
  - File reputation
    - Is the hash clean on VirusTotal?
    - Is the file signed by a trustworthy company?
    - Is the file prevalent in the organization? Does it appear on a large number of machines?
- Investigate the executions conducted as a result of the launch agent running, after the modification/creation of the plist file
  - Was there any suspicious binary or command line used?
  - Was there any suspicious network connection related to this execution?
- Investigate the plist file itself
  - Is the plist file signed by a trustworthy company?
  - A plist file is a structured file format used primarily in macOS and iOS. Plist files typically come in two formats, XML and binary. If the plist is an XML file you can read it directly; a binary plist can be converted to XML first with `plutil -convert xml1`.
  - Investigate any file paths or commands listed in the plist file
  - Check for unusual entries, especially in keys related to system startup, and suspicious keys such as RunAtLoad