MITRE ATT&CK® Technique

T1543.001: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.[1][2][3] Property list files use the Label, ProgramArguments, and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.[4] Launch Agents are often installed to perform updates to programs, launch user-specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the Launchctl command. Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.[5][6] The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user-level privileges and execute with user-level permissions.[7][8]

Domain: Enterprise | ID: T1543.001 | Type: Sub-technique | Object version: 1.5
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Launch Agent abuse is a macOS persistence technique: a malicious or modified .plist can cause code to run when a user logs in or when launchd loads it. For leaders, the business issue is not the file format itself; it is whether Mac endpoints used by developers, executives, finance, or cryptocurrency-related staff can retain unauthorized code across reboots and user sessions without being noticed.

Executive priority

Prioritize this where macOS systems have access to sensitive data, source code, credentials, administrative tools, or regulated workflows. The key management question is whether the organization can prove control over user-level persistence locations, detect unexpected Launch Agent changes, and respond quickly enough to remove persistence before credential theft, data access, or longer dwell time occurs. This technique also supports audit and compliance conversations around endpoint hardening, least privilege, and evidence of monitoring for persistence mechanisms.

Technical view

This is a macOS sub-technique of Create or Modify System Process for persistence and privilege-escalation tactics. Validate monitoring of .plist creation or modification in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents, with attention to Launch Agent keys such as Label, ProgramArguments, RunAtLoad, and KeepAlive. Because ATT&CK does not provide official detection text for this object, detection engineering should align to the related DET0434 strategy and test whether file monitoring, process telemetry, and launchctl-related activity are actually visible on managed Macs. Relationship context shows broad use across macOS malware and multi-platform RATs, so triage should treat suspicious Launch Agents as persistence leads that may connect to credential access, backdoors, proxying, or mining behavior depending on local evidence.

Likely telemetry

  • macOS file creation, modification, ownership, and permission changes in LaunchAgents directories
  • Contents of Launch Agent .plist files, especially Label, ProgramArguments, RunAtLoad, and KeepAlive keys
  • Process execution telemetry for payloads launched by launchd
  • Command execution telemetry involving launchctl where collected
  • Endpoint security or EDR alerts tied to user-level persistence on macOS

Detection direction

  • Validate coverage for creation or modification of .plist files in system, library, and user LaunchAgents paths; user home directories are a common blind spot.
  • Tune detections to distinguish expected software updaters and developer tools from unusual labels, suspicious executable paths, newly introduced RunAtLoad or KeepAlive entries, or mismatches between plist name and referenced binary.
  • Correlate Launch Agent changes with subsequent launchd-spawned process execution rather than relying only on static file presence.
  • Review whether launchctl execution is logged and whether it can be tied to the user, parent process, and modified plist.
  • Use allowlists carefully: Launch Agents are legitimate macOS functionality, so false positives are likely without baselines for managed software and normal developer workflows.

Mitigation priorities

  • Apply least-privilege file and directory permissions, consistent with mitigation M1022, to limit unnecessary write access to sensitive LaunchAgents locations.
  • Baseline approved Launch Agents on managed macOS endpoints and review deviations through change control or endpoint management evidence.
  • Reduce local administrative or unnecessary write privileges where business operations allow, especially for high-risk user populations.
  • Ensure endpoint management and response procedures can remove both malicious .plist files and referenced payloads.
  • Include Launch Agent persistence checks in macOS hardening reviews, incident response playbooks, and compliance evidence collection.
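As an added example (not Glexia's or MITRE's code) of the checks described under Detection direction and the baseline approach under Mitigation priorities, the following Python triages Launch Agent .plist files for the Label, ProgramArguments, RunAtLoad and KeepAlive keys, a name/Label mismatch, and an unusual executable path. The approved-label allowlist, the path prefixes and the two sample plists are constructed assumptions.

```python
import os
import plistlib

# Hypothetical allowlist of approved Labels (assumption; stands in for the
# change-controlled baseline of managed software the page recommends).
APPROVED_LABELS = {"com.example.updater"}
# Ordinary vendor executable locations; anything else is flagged (heuristic).
EXPECTED_EXEC_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/")


def triage_plist(path, data):
    """Return findings for one Launch Agent .plist given as bytes."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    findings = []
    if label not in APPROVED_LABELS:  # deviation from the approved baseline
        findings.append("label not in approved baseline")
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):  # login start / restart
        findings.append("RunAtLoad or KeepAlive set")
    if os.path.basename(path) != label + ".plist":  # file name vs Label mismatch
        findings.append("plist name does not match Label")
    if not program:
        findings.append("no Program or ProgramArguments")
    elif not program.startswith(EXPECTED_EXEC_PREFIXES):  # unusual binary path
        findings.append("unusual executable path: " + program)
    return findings

# Constructed samples: an approved vendor updater and a disguised user-level
# agent whose Label borrows an Apple-style name but runs from the user's home.
SAMPLES = {
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/upd"],
        "StartInterval": 3600,
    }),
    "/Users/alice/Library/LaunchAgents/com.apple.update.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/Users/alice/Library/.cache/agent", "-d"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}


def scan_samples():
    """Triage every embedded sample; returns {plist path: [findings]}."""
    return {path: triage_plist(path, data) for path, data in SAMPLES.items()}
```

On a real endpoint the same function can be fed the bytes of each file under the three LaunchAgents directories, with findings correlated against launchd-spawned process telemetry as the list above recommends.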

Analyst notes and limits

The object is macOS-specific and user-level Launch Agents execute with user-level permissions. ATT&CK relationships show this technique is used by multiple named malware families and tools, including Komplex, NETWIRE, CrossRAT, Keydnap, Proton, Dok, Bundlore, CookieMiner, Dacls, MacMa, macOS.OSAMiner, and Cuckoo Stealer, plus the Contagious Interview group relationship. Those relationships justify defensive prioritization but should not be treated as evidence of current activity in a specific environment without local telemetry.

Official ATT&CK detection text is not provided for this object. The take relies on the official description, external references, and supplied relationships, including DET0434 and M1022. Local endpoint visibility, software inventory, user privilege model, and normal macOS administration practices are required to determine actual exposure and detection quality.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows

Domain      ID         Name                              Relationship / procedure
Enterprise  T1159      Launch Agent                      T1159 (Launch Agent) is revoked by this object.
Enterprise  T1543      Create or Modify System Process   This object is a sub-technique of Create or Modify System Process.

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S9010: GlassWorm

GlassWorm is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution to victims across the various development ecosystems.[1][2][3] GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript and a variant leveraging invisible Unicode characters that made reverse engineering difficult.[4][1][5] GlassWorm has employed a unique command and control (C2) methodology using Solana blockchain.[6][1] GlassWorm was first reported in October 2025.[6][1][3]

Platforms: macOS, Windows

Malware (Enterprise)

S1016: MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]

Platforms: macOS

Malware (Enterprise)

S0482: Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[1]

Platforms: macOS

Malware (Enterprise)

S0595: ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[2][3]

Platforms: macOS

Malware (Enterprise)

S1048: macOS.OSAMiner

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]

Platforms: macOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.5
Raw hash: 4637da87f6e9035c...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.5                       Current bundle  4637da87f6e9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. AppleDocs Launch Agent Daemons: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
  2. OSX Keydnap malware: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
  3. Antiquated Mac Malware: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  4. OSX.Dok Malware: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
  5. Sofacy Komplex Trojan: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  6. Methods of Mac Malware Persistence: Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
  7. OSX Malware Detection: Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.
  8. OceanLotus for OS X: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
  9. mitre-attack T1543.001.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.