launchd Persistence
What is launchd Persistence?
macOS persistence technique that installs a LaunchDaemon or LaunchAgent property list so launchd executes attacker code at boot, login, or on a trigger.
launchd persistence (MITRE ATT&CK T1543.004) abuses macOS's launchd init system. Attackers drop a property-list (.plist) file in /Library/LaunchDaemons (boot, root context), /Library/LaunchAgents (every user at login), or ~/Library/LaunchAgents (current user). The plist defines a Label, a ProgramArguments command, and triggers such as RunAtLoad, KeepAlive, StartInterval, WatchPaths, or StartCalendarInterval. launchd then maintains the process and restarts it if it dies. The technique is favored by macOS malware including OSX/Shlayer and XCSSET. Defenses: monitor LaunchDaemon/Agent directories with EDR or fs_usage, baseline plists, alert on unsigned executables, and use TCC and SIP plus MDM-managed config profiles to restrict who can write to system paths.
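The defensive side of the paragraph above (baseline the plists, flag jobs whose program lives in a temp path, whose label masquerades as Apple's, or whose "program" is an interpreter) can be turned into a small triage script. The following is an added example written for this page, not code from the page or from any vendor tool: it parses launchd plists with Python's standard `plistlib`, applies a few constructed heuristics, and reports per-file findings. The heuristics, the `BASELINE` set and the three sample plists are constructed for illustration; the sample paths are hypothetical and nothing is written to the real launchd directories.

```python
"""Triage launchd property lists for persistence indicators (added example)."""
import plistlib
import xml.parsers.expat
from pathlib import Path

# The third-party/user launchd locations named in the definition. /System/Library is
# left out because SIP protects it; jobs there are Apple's own.
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents")

# Constructed heuristics; tune against your own fleet's inventory.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript", "perl", "ruby"}
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "WatchPaths", "StartCalendarInterval")


def program_of(plist):
    """Return the executable launchd would run: ProgramArguments[0], else Program."""
    args = plist.get("ProgramArguments")
    return str(args[0]) if args else plist.get("Program")


def triage_plist(plist, path, baseline):
    """Return human-readable findings for one parsed job; an empty list means nothing stood out.

    baseline: set of plist file names known-good on this host (golden image or prior inventory).
    """
    findings = []
    label = str(plist.get("Label", ""))
    prog = program_of(plist)

    if Path(path).name not in baseline:
        findings.append("not in baseline inventory")
    if label.startswith("com.apple.") and not str(path).startswith("/System/"):
        # Apple ships its own jobs under /System/Library; an Apple-looking label in a
        # third-party directory is the masquerade shown in example 01.
        findings.append(f"Apple-style label {label!r} outside /System")
    if prog and prog.startswith(TEMP_PREFIXES):
        findings.append(f"program lives in a temp/world-writable path: {prog}")
    if prog and Path(prog).name in INTERPRETERS:
        findings.append(f"interpreter as program: {prog} (inline or script payload)")
    triggers = [k for k in TRIGGER_KEYS if k in plist]
    if findings and triggers:
        findings.append("triggers: " + ", ".join(triggers))
    return findings


def triage_bytes(data, path, baseline):
    """Parse plist bytes (XML or binary) and triage them; a malformed file is itself a finding."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError, ValueError):
        return ["unparseable plist (possible tampering or corruption)"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dictionary"]
    return triage_plist(plist, path, baseline)


def scan_dirs(dirs, baseline):
    """Walk the launchd directories and return {path: findings} for files with findings."""
    report = {}
    for d in dirs:
        try:
            d = Path(d).expanduser()
        except RuntimeError:  # no resolvable home directory
            continue
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            findings = triage_bytes(p.read_bytes(), p, baseline)
            if findings:
                report[str(p)] = findings
    return report


# Constructed sample inputs (not real files): a masquerading daemon like example 01, a
# per-user Python agent like example 02, and a benign vendor agent present in the baseline.
SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdated</string>
  <key>ProgramArguments</key><array><string>/tmp/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string><string>/Users/Shared/.helper.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.agent</string>
  <key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BASELINE = {"com.vendor.agent.plist"}  # constructed known-good inventory

if __name__ == "__main__":
    samples = (
        ("/Library/LaunchDaemons/com.apple.softwareupdated.plist", SAMPLE_DAEMON),
        ("/Users/alice/Library/LaunchAgents/com.example.helper.plist", SAMPLE_AGENT),
        ("/Library/LaunchAgents/com.vendor.agent.plist", SAMPLE_BENIGN),
    )
    for name, data in samples:
        print(name, triage_bytes(data, name, BASELINE))
    # On a real Mac: print(scan_dirs(LAUNCH_DIRS, BASELINE))
```

The script reports on content only; on a live host, pair it with `codesign -dv --verbose=4` on each flagged program (the "alert on unsigned executables" control above) and with a file-system watch on the same directories so a new plist is caught when it lands, not only at the next scan.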
● Examples
- 01
Dropping com.apple.softwareupdated.plist in /Library/LaunchDaemons that launches /tmp/updater at boot.
- 02
Per-user LaunchAgent that re-runs a Python implant at every login via RunAtLoad.
● Frequently asked questions
What is launchd Persistence?
macOS persistence technique that installs a LaunchDaemon or LaunchAgent property list so launchd executes attacker code at boot, login, or on a trigger. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against launchd Persistence?
Defences combine technical controls (monitoring the LaunchDaemon and LaunchAgent directories with EDR or fs_usage, baselining plists, alerting on unsigned executables, and using TCC, SIP and MDM-managed configuration profiles to restrict writes to system paths) with operational practices, as set out in the full definition above.
What are other names for launchd Persistence?
Common alternative names include: LaunchDaemon persistence, LaunchAgent persistence.
● Related terms
- attacks № 238
Cron Persistence
Linux and Unix persistence technique that uses cron, anacron, or systemd timers to schedule attacker code so it re-executes at a chosen interval or system event.
- attacks № 610
LD_PRELOAD Hijacking
Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
- attacks № 975
Scheduled Task Persistence
Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
- attacks № 1246
WMI Event Subscription Persistence
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
- attacks № 914
Registry Run Key Persistence
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
- malware № 949
Rootkit
Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.