T1543.001

Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence on macOS. When a user logs in, a per-user launchd process loads parameters for each launch-on-demand user agent from property list (.plist) files in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Adversaries install Launch Agents by placing a .plist file into these directories with RunAtLoad or KeepAlive keys set to true, ensuring malicious payloads execute at every user login. Launch Agents execute with user-level permissions and are commonly disguised using Apple-like naming conventions (e.g., com.apple.softwareupdate.plist, com.apple.GrowlHelper.plist). This technique is used by Calisto, Proton, MacSpy, CrossRAT, Dok, OceanLotus, ThiefQuest, Dacls, macOS.OSAMiner, InvisibleFerret (Contagious Interview), CoinTicker, and Green Lambert malware families.

Microsoft Sentinel / Defender

kusto

let SuspiciousParentProcesses = dynamic(["bash", "sh", "zsh", "python3", "python", "ruby", "perl", "curl", "wget", "osascript", "node", "npm", "installer", "pkgutil", "xattr", "mktemp"]);
// Part 1: .plist file creation or modification in LaunchAgent directories
let PlistFileEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/Library/LaunchAgents/"
| where FileName endswith ".plist"
| where ActionType in ("FileCreated", "FileModified")
| extend AgentScope = case(
    FolderPath startswith "/System/Library/LaunchAgents/", "System",
    FolderPath startswith "/Library/LaunchAgents/", "Global",
    "User"
)
| extend SuspiciousWriter = InitiatingProcessFileName in~ (SuspiciousParentProcesses)
| extend AppleNameSpoof = FileName matches regex @"com\.apple\.[a-z]+\.[a-z]+\.plist"
| extend RandomName = FileName matches regex @"com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist" and not (FileName startswith "com.apple." or FileName startswith "com.microsoft." or FileName startswith "com.adobe." or FileName startswith "com.google.")
| project Timestamp, DeviceName, AccountName, DetectionType="PlistWritten",
    TargetFile=FileName, TargetPath=FolderPath, AgentScope, SuspiciousWriter, AppleNameSpoof, RandomName,
    WriterProcess=InitiatingProcessFileName, WriterCommandLine=InitiatingProcessCommandLine,
    WriterFolderPath=InitiatingProcessFolderPath;
// Part 2: launchctl load or bootstrap commands targeting LaunchAgent paths
let LaunchctlEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "launchctl"
| where ProcessCommandLine has_any ("load", "bootstrap")
| where ProcessCommandLine has "LaunchAgents" or ProcessCommandLine has ".plist"
| extend AgentScope = case(
    ProcessCommandLine has "/System/Library/LaunchAgents", "System",
    ProcessCommandLine has "/Library/LaunchAgents", "Global",
    "User"
)
| extend SuspiciousWriter = InitiatingProcessFileName in~ (SuspiciousParentProcesses)
| extend AppleNameSpoof = ProcessCommandLine matches regex @"com\.apple\.[a-z]+\.[a-z]+\.plist"
| extend RandomName = ProcessCommandLine matches regex @"com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist" and not (ProcessCommandLine has "com.apple." or ProcessCommandLine has "com.microsoft." or ProcessCommandLine has "com.adobe." or ProcessCommandLine has "com.google.")
| project Timestamp, DeviceName, AccountName, DetectionType="LaunchctlLoad",
    TargetFile=ProcessCommandLine, TargetPath=ProcessCommandLine, AgentScope, SuspiciousWriter, AppleNameSpoof, RandomName,
    WriterProcess=InitiatingProcessFileName, WriterCommandLine=InitiatingProcessCommandLine,
    WriterFolderPath=InitiatingProcessFolderPath;
PlistFileEvents
| union LaunchctlEvents
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate software installers (Adobe Creative Cloud, Zoom, Dropbox, Google Chrome updater) creating Launch Agents for auto-update or helper functionality during user-initiated installation — these will show installer or package manager as the writer process
Enterprise MDM solutions (Jamf Pro, Mosyle, Kandji) deploying configuration profiles that include Launch Agent definitions as part of managed device policy enforcement
Homebrew package manager and casks installing helper services (e.g., postgresql, redis, docker-machine) via brew services — these will show bash or brew as the writer process
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and endpoint security agents (CrowdStrike Falcon, Carbon Black, SentinelOne) creating helper daemons during initial agent installation
Developer tools including JetBrains Toolbox, Xcode command line tools, and language version managers (rbenv, pyenv, nvm) registering launch services during setup

Splunk

spl

index=osquery sourcetype=osquery_differential name=launchd
| where action="added"
| eval plist_path=coalesce('columns.path', spath(_raw, "columns.path"))
| eval agent_label=coalesce('columns.label', spath(_raw, "columns.label"), "unknown")
| eval program_args=coalesce('columns.program_arguments', 'columns.program', spath(_raw, "columns.program_arguments"), "unknown")
| eval run_at_load=coalesce('columns.run_at_load', "0")
| eval keep_alive=coalesce('columns.keep_alive', "0")
| eval on_demand=coalesce('columns.on_demand', "0")
| where match(plist_path, "(?i)/Library/LaunchAgents/")
| eval AgentScope=case(
    match(plist_path, "(?i)^/System/Library/LaunchAgents/"), "System",
    match(plist_path, "(?i)^/Library/LaunchAgents/"), "Global",
    1=1, "User"
)
| eval SuspiciousProgram=if(
    match(program_args, "(?i)(\\bbash\\b|\\bsh\\b|\\bzsh\\b|python3?|\\bruby\\b|\\bperl\\b|\\bcurl\\b|\\bwget\\b|osascript|\\bnode\\b|/tmp/|/var/tmp/|/var/folders/)"),
    1, 0
)
| eval AppleNameSpoof=if(
    match(plist_path, "com\.apple\.[a-z]+\.[a-z]+\.plist") AND NOT match(plist_path, "(?i)^/System/Library/"),
    1, 0
)
| eval RandomName=if(
    match(plist_path, "com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist") AND NOT match(plist_path, "(com\.apple\.|com\.microsoft\.|com\.adobe\.|com\.google\.)"),
    1, 0
)
| eval PersistenceEnabled=if(run_at_load="1" OR keep_alive="1", 1, 0)
| eval RiskScore=SuspiciousProgram + AppleNameSpoof + RandomName + PersistenceEnabled
| where RiskScore > 0
| table _time, host, plist_path, agent_label, program_args, AgentScope, run_at_load, keep_alive, SuspiciousProgram, AppleNameSpoof, RandomName, PersistenceEnabled, RiskScore
| sort - RiskScore, - _time

high severity high confidence

Data Sources

File: File Creation Process: Process Creation macOS: launchd osquery launchd table

Required Sourcetypes

osquery_differential

False Positives

Legitimate software installers creating Launch Agents during user-initiated installation of commercial applications — verify by correlating with recent Finder/installer activity and checking the publisher signature of the target binary
Enterprise MDM tooling (Jamf, Mosyle, Kandji) deploying launch agents as part of configuration management — these should match approved MDM policy definitions
Homebrew services (brew services start) creating launch agents for development dependencies like postgresql, redis, nginx — validate by checking if the binary path is under /usr/local/Cellar or /opt/homebrew
Developer toolchain components (rbenv, pyenv, nvm version managers) registering shim helpers via launch agents during environment setup
Endpoint security products and VPN clients writing their own helper agents during initial onboarding — these should match known-good hashes from vendor documentation

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [
    file where host.os.type == "macos"
      and event.type in ("creation", "change")
      and file.path : ("/Library/LaunchAgents/*.plist", "/System/Library/LaunchAgents/*.plist", "/Users/*/Library/LaunchAgents/*.plist")
      and (
        process.name in ("bash", "sh", "zsh", "python3", "python", "ruby", "perl", "curl", "wget", "osascript", "node", "npm", "installer", "pkgutil", "xattr", "mktemp")
        or file.name : ("com.apple.*.*.plist")
        or file.path : ("*/tmp/*", "*/var/folders/*")
      )
  ] by process.entity_id
  [
    process where host.os.type == "macos"
      and process.name == "launchctl"
      and process.args in ("load", "bootstrap")
      and (
        process.args : "*LaunchAgents*"
        or process.args : "*.plist"
      )
  ] by process.parent.entity_id
---
ALTERNATIVE STANDALONE FILE EVENT QUERY:
file where host.os.type == "macos"
  and event.type in ("creation", "change")
  and file.path : (
    "/Library/LaunchAgents/*.plist",
    "/System/Library/LaunchAgents/*.plist",
    "/Users/*/Library/LaunchAgents/*.plist"
  )
  and (
    process.name in ("bash", "sh", "zsh", "python3", "python", "ruby", "perl", "curl", "wget", "osascript", "node", "npm", "installer", "pkgutil", "xattr", "mktemp")
    or file.name : ("com.apple.*.*.plist")
    or file.path : ("*/tmp/*.plist", "*/var/folders/*.plist")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (macOS) Elastic Agent file and process telemetry

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Legitimate software installers (e.g., Homebrew casks, Adobe Creative Cloud updaters) write plist files to /Library/LaunchAgents using installer or pkgutil as the initiating process
Developer tools such as Docker Desktop, Vagrant, or VMware Fusion register launch agents during initial setup or updates, which may match the initiating process list
macOS software updates can use launchctl bootstrap commands during OS patch application, potentially triggering the launchctl sequence detection branch

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "hostname",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "filename",
  "filepath",
  "command" AS process_args,
  "parentcommand" AS parent_process,
  CASE
    WHEN ISNULL("filepath") = FALSE AND "filepath" ILIKE '/System/Library/LaunchAgents/%' THEN 'System'
    WHEN ISNULL("filepath") = FALSE AND "filepath" ILIKE '/Library/LaunchAgents/%' THEN 'Global'
    ELSE 'User'
  END AS agent_scope,
  CASE
    WHEN LOWER("parentcommand") MATCHES '(^|/)bash$|(^|/)sh$|(^|/)zsh$|(^|/)python3?$|(^|/)ruby$|(^|/)perl$|(^|/)curl$|(^|/)wget$|(^|/)osascript$|(^|/)node$|(^|/)installer$|(^|/)pkgutil$' THEN 1
    ELSE 0
  END AS suspicious_writer,
  CASE
    WHEN "filename" ILIKE 'com.apple.%.%.plist' AND "filepath" NOT ILIKE '/System/Library/%' THEN 1
    ELSE 0
  END AS apple_name_spoof,
  CASE
    WHEN REGEXP("filename", 'com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist')
      AND "filename" NOT ILIKE 'com.apple.%'
      AND "filename" NOT ILIKE 'com.microsoft.%'
      AND "filename" NOT ILIKE 'com.adobe.%'
      AND "filename" NOT ILIKE 'com.google.%'
    THEN 1 ELSE 0
  END AS random_name
FROM events
WHERE
  starttime > NOW() - 1 DAYS
  AND (
    (
      CATEGORYNAME(category) ILIKE '%file%create%' OR CATEGORYNAME(category) ILIKE '%file%write%' OR CATEGORYNAME(category) ILIKE '%file%modified%'
      AND ("filepath" ILIKE '/Library/LaunchAgents/%.plist' OR "filepath" ILIKE '/System/Library/LaunchAgents/%.plist' OR "filepath" ILIKE '%/Library/LaunchAgents/%.plist')
    )
    OR (
      CATEGORYNAME(category) ILIKE '%process%'
      AND "command" ILIKE '%launchctl%'
      AND ("command" ILIKE '%load%' OR "command" ILIKE '%bootstrap%')
      AND ("command" ILIKE '%LaunchAgents%' OR "command" ILIKE '%.plist%')
    )
  )
  AND (
    CASE
      WHEN LOWER("parentcommand") MATCHES '(^|/)bash$|(^|/)sh$|(^|/)zsh$|(^|/)python3?$|(^|/)ruby$|(^|/)perl$|(^|/)curl$|(^|/)wget$|(^|/)osascript$|(^|/)node$|(^|/)installer$|(^|/)pkgutil$' THEN 1
      ELSE 0
    END +
    CASE WHEN "filename" ILIKE 'com.apple.%.%.plist' AND "filepath" NOT ILIKE '/System/Library/%' THEN 1 ELSE 0 END +
    CASE WHEN REGEXP("filename", 'com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist') AND "filename" NOT ILIKE 'com.apple.%' AND "filename" NOT ILIKE 'com.microsoft.%' THEN 1 ELSE 0 END
  ) > 0
ORDER BY event_time DESC

high severity medium confidence

Data Sources

macOS endpoint agent logs (CrowdStrike, Carbon Black, or Jamf telemetry forwarded to QRadar) osquery differential results via syslog or Universal DSM

Required Tables

events

False Positives

Enterprise MDM solutions such as Jamf Pro write legitimate LaunchAgent plists during device enrollment, software deployment, or profile updates using installer as the parent process
Developer environments like Homebrew, MacPorts, or Conda install plists via shell scripts as part of package post-install hooks, generating high-volume true-positive-like events on developer workstations
Apple's own Software Update mechanism can trigger launchctl bootstrap operations for newly installed system daemons during OS updates, appearing as System-scope events

Sumo Logic CSE

sql

// Branch 1: osquery launchd table - new LaunchAgent entries
(_sourceCategory=*osquery* OR _sourceCategory=*endpoint*)
| where name = "launchd" AND action = "added"
| json field=_raw "columns.path" as plist_path nodrop
| json field=_raw "columns.label" as agent_label nodrop
| json field=_raw "columns.program_arguments" as program_args nodrop
| json field=_raw "columns.program" as program nodrop
| json field=_raw "columns.run_at_load" as run_at_load nodrop
| json field=_raw "columns.keep_alive" as keep_alive nodrop
| where plist_path matches "/Library/LaunchAgents/*" OR plist_path matches "/System/Library/LaunchAgents/*" OR plist_path matches "*/Library/LaunchAgents/*"
| if (plist_path matches "/System/Library/LaunchAgents/*", "System",
   if (plist_path matches "/Library/LaunchAgents/*", "Global", "User")) as agent_scope
| if (program_args matches "*(bash|sh|zsh|python3|python|ruby|perl|curl|wget|osascript|node|/tmp/|/var/tmp/|/var/folders/)*" OR program matches "*(bash|sh|zsh|python3|python|ruby|perl|curl|wget|osascript|node|/tmp/|/var/tmp/)*", 1, 0) as suspicious_program
| if (plist_path matches "com.apple.*.*.plist" AND !(plist_path matches "/System/Library/*"), 1, 0) as apple_name_spoof
| if (plist_path matches "com.[a-z0-9]{4,10}.[a-z0-9]{4,10}.plist" AND !(plist_path matches "*com.apple.*" OR plist_path matches "*com.microsoft.*" OR plist_path matches "*com.adobe.*" OR plist_path matches "*com.google.*"), 1, 0) as random_name
| if (run_at_load = "1" OR keep_alive = "1", 1, 0) as persistence_enabled
| (suspicious_program + apple_name_spoof + random_name + persistence_enabled) as risk_score
| where risk_score > 0
| fields _messageTime, _sourceHost, plist_path, agent_label, program_args, agent_scope, run_at_load, keep_alive, suspicious_program, apple_name_spoof, random_name, persistence_enabled, risk_score
| sort by risk_score desc, _messageTime desc

high severity high confidence

Data Sources

osquery differential results (launchd table) macOS endpoint telemetry via Sumo Logic Installed Collector or osquery-logger

Required Tables

osquery launchd differential (name=launchd, action=added)

False Positives

Legitimate commercial software (Zoom, Slack, Dropbox, 1Password) registers launch agents with RunAtLoad=1 during installation; their plist labels typically include the vendor's known bundle ID prefix
Enterprise security tools (Carbon Black, Falcon sensor, Tanium) install their own launch agents via installer or pkg workflows, which may trigger the suspicious_program flag
Development tools like rbenv, pyenv, nvm, or direnv write shell-based launch agents during environment setup, generating false positives on developer endpoints

Google Chronicle / SecOps

yaral

rule macos_launch_agent_persistence_t1543_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects macOS Launch Agent persistence via suspicious plist file creation in LaunchAgent directories or launchctl load/bootstrap execution. Covers Apple name spoofing and shell/interpreter-initiated writes."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1543.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1543/001/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Branch 1: Plist file creation in LaunchAgent directories by suspicious processes
    (
      $file_event.metadata.event_type = "FILE_CREATION" or
      $file_event.metadata.event_type = "FILE_MODIFICATION"
    )
    and $file_event.target.file.full_path = /\/Library\/LaunchAgents\/.+\.plist/
    and (
      $file_event.principal.process.file.full_path = /\/(bash|sh|zsh|python3|python|ruby|perl|curl|wget|osascript|node|npm|installer|pkgutil|xattr|mktemp)$/
      or $file_event.target.file.full_path = /com\.apple\.[a-z]+\.[a-z]+\.plist/
      or (
        $file_event.target.file.full_path = /com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist/
        and not $file_event.target.file.full_path = /com\.(apple|microsoft|adobe|google)\./
      )
    )

  match:
    $file_event.principal.hostname over 5m

  outcome:
    $hostname = $file_event.principal.hostname
    $user = $file_event.principal.user.userid
    $plist_path = $file_event.target.file.full_path
    $writer_process = $file_event.principal.process.file.full_path
    $writer_cmdline = $file_event.principal.process.command_line
    $agent_scope = if(
      re.match($file_event.target.file.full_path, "^/System/Library/LaunchAgents/"), "System",
      if(re.match($file_event.target.file.full_path, "^/Library/LaunchAgents/"), "Global", "User")
    )
    $apple_name_spoof = re.match($file_event.target.file.full_path, "com\.apple\.[a-z]+\.[a-z]+\.plist") and
      not re.match($file_event.target.file.full_path, "^/System/Library/")

  condition:
    $file_event
}

rule macos_launchctl_load_bootstrap_t1543_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects launchctl load or bootstrap commands targeting LaunchAgent paths, initiated by shell interpreters or download utilities — a key step in activating a malicious launch agent."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1543.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    and $proc.target.process.file.full_path = /\/launchctl$/
    and (
      $proc.target.process.command_line = /load/ or
      $proc.target.process.command_line = /bootstrap/
    )
    and (
      $proc.target.process.command_line = /LaunchAgents/ or
      $proc.target.process.command_line = /\.plist/
    )
    and $proc.principal.process.file.full_path = /\/(bash|sh|zsh|python3|python|ruby|perl|curl|wget|osascript|node|npm|installer|pkgutil)$/

  match:
    $proc.principal.hostname over 5m

  outcome:
    $hostname = $proc.principal.hostname
    $user = $proc.principal.user.userid
    $parent_process = $proc.principal.process.file.full_path
    $parent_cmdline = $proc.principal.process.command_line
    $launchctl_cmdline = $proc.target.process.command_line

  condition:
    $proc
}

high severity high confidence

Data Sources

Chronicle UDM via Google Security Operations ingestion macOS endpoint telemetry (CrowdStrike, Elastic, or Tanium forwarded via Chronicle forwarder)

Required Tables

UDM events: FILE_CREATION, FILE_MODIFICATION, PROCESS_LAUNCH with macOS host context

False Positives

Software package managers (Homebrew, MacPorts) write launch agent plists via shell scripts during formula installation, creating high-volume events on developer machines that match the suspicious writer process list
Legitimate enterprise deployment tools (Munki, Jamf) use installer or scripts to deploy configuration plists into /Library/LaunchAgents as part of managed software pushes
Security research tooling or red team simulation frameworks (e.g., Atomic Red Team macOS tests) intentionally create synthetic launch agents for detection validation, which will match all indicators in this rule

CrowdStrike LogScale (CQL)

cql

// Branch 1: Plist file creation in LaunchAgent directories by suspicious initiating processes
#repo=base_sensor_telemetry
| #event_simpleName IN (MacFileCreationV1, MacFileWrittenV1)
| TargetPath = /\/Library\/LaunchAgents\/.+\.plist/
| SuspiciousWriter := match(field=ImageFileName, regex="/(bash|sh|zsh|python3|python|ruby|perl|curl|wget|osascript|node|npm|installer|pkgutil|xattr|mktemp)$")
| AppleNameSpoof := match(field=TargetPath, regex="com\.apple\.[a-z]+\.[a-z]+\.plist") AND NOT match(field=TargetPath, regex="^/System/Library/")
| RandomName := match(field=TargetPath, regex="com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist") AND NOT match(field=TargetPath, regex="(com\.apple\.|com\.microsoft\.|com\.adobe\.|com\.google\.)")
| AgentScope := if(TargetPath = /^\/System\/Library\/LaunchAgents\//, "System",
    if(TargetPath = /^\/Library\/LaunchAgents\//, "Global", "User"))
| RiskScore := if(SuspiciousWriter, 1, 0) + if(AppleNameSpoof, 1, 0) + if(RandomName, 1, 0)
| RiskScore > 0
| table([@timestamp, ComputerName, UserName, TargetPath, ImageFileName, CommandLine, AgentScope, SuspiciousWriter, AppleNameSpoof, RandomName, RiskScore])
| sort(RiskScore, order=desc)

// Branch 2: launchctl load or bootstrap targeting LaunchAgent paths
// Run as a separate query or union via saved searches
#repo=base_sensor_telemetry
| #event_simpleName IN (MacProcessRollup2, ProcessRollup2)
| ImageFileName=/\/launchctl$/
| (CommandLine=/\bload\b/ OR CommandLine=/\bbootstrap\b/)
| (CommandLine=/LaunchAgents/ OR CommandLine=/\.plist/)
| ParentBaseFileName := FileName(ParentImageFileName)
| SuspiciousParent := match(field=ParentBaseFileName, regex="^(bash|sh|zsh|python3|python|ruby|perl|curl|wget|osascript|node|npm|installer|pkgutil)$")
| AppleNameSpoof := match(field=CommandLine, regex="com\.apple\.[a-z]+\.[a-z]+\.plist") AND NOT match(field=CommandLine, regex="/System/Library/")
| AgentScope := if(CommandLine=/\/System\/Library\/LaunchAgents/, "System",
    if(CommandLine=/\/Library\/LaunchAgents/, "Global", "User"))
| table([@timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, AgentScope, SuspiciousParent, AppleNameSpoof])
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor (macOS) Falcon telemetry events: MacFileCreationV1, MacFileWrittenV1, MacProcessRollup2

Required Tables

base_sensor_telemetry (#event_simpleName: MacFileCreationV1, MacFileWrittenV1, MacProcessRollup2, ProcessRollup2)

False Positives

Xcode command-line tools and CocoaPods post-install scripts write launch agents using sh or ruby during dependency installation on developer machines, generating frequent matches on the file creation branch
macOS system integrity protection (SIP) bypass testing tools and legitimate security research frameworks deliberately place test plists in LaunchAgent paths using curl or bash to validate endpoint detection coverage
Enterprise backup agents (Time Machine, Carbonite, Backblaze) and VPN clients (Cisco AnyConnect, GlobalProtect) install LaunchAgents via installer during initial deployment or version upgrades, matching on AgentScope=Global

Last updated: 2026-04-20 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1543.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1543Create or Modify System Process

Related Sub-techniques

T1543.002Systemd Service T1543.003Windows Service T1543.004Launch Daemon T1543.005Container Service

Launch Agent

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections