T1543.001 Sumo Logic CSE · Sumo

Detect Launch Agent in Sumo Logic CSE

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence on macOS. When a user logs in, a per-user launchd process loads parameters for each launch-on-demand user agent from property list (.plist) files in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Adversaries install Launch Agents by placing a .plist file into these directories with RunAtLoad or KeepAlive keys set to true, ensuring malicious payloads execute at every user login. Launch Agents execute with user-level permissions and are commonly disguised using Apple-like naming conventions (e.g., com.apple.softwareupdate.plist, com.apple.GrowlHelper.plist). This technique is used by Calisto, Proton, MacSpy, CrossRAT, Dok, OceanLotus, ThiefQuest, Dacls, macOS.OSAMiner, InvisibleFerret (Contagious Interview), CoinTicker, and Green Lambert malware families.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1543 Create or Modify System Process
Sub-technique
T1543.001 Launch Agent
Canonical reference
https://attack.mitre.org/techniques/T1543/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Branch 1: osquery launchd table - new LaunchAgent entries
(_sourceCategory=*osquery* OR _sourceCategory=*endpoint*)
// Top-level differential fields (harmless if a field extraction rule already parses them)
| json field=_raw "name", "action" nodrop
| where name = "launchd" AND action = "added"
| json field=_raw "columns.path" as plist_path nodrop
| json field=_raw "columns.label" as agent_label nodrop
| json field=_raw "columns.program_arguments" as program_args nodrop
| json field=_raw "columns.program" as program nodrop
| json field=_raw "columns.run_at_load" as run_at_load nodrop
| json field=_raw "columns.keep_alive" as keep_alive nodrop
// Any of the three LaunchAgents directories (this glob also covers /Library and /System/Library)
| where plist_path matches "*/Library/LaunchAgents/*"
| if (plist_path matches "/System/Library/LaunchAgents/*", "System",
   if (plist_path matches "/Library/LaunchAgents/*", "Global", "User")) as agent_scope
// Shells, interpreters, download utilities or temp directories as the program (regex literal, not a glob)
| if (program_args matches /\b(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)\b|\/(tmp|var\/tmp|var\/folders)\//
   OR program matches /\b(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)\b|\/(tmp|var\/tmp)\//, 1, 0) as suspicious_program
// Apple-style label outside /System/Library (plist_path is a full path, so the glob needs a leading wildcard)
| if (plist_path matches "*/com.apple.*.plist" AND !(plist_path matches "/System/Library/*"), 1, 0) as apple_name_spoof
// Two short random-looking reverse-DNS components, excluding well-known vendor prefixes
| if (plist_path matches /\/com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist$/ AND !(plist_path matches "*com.apple.*" OR plist_path matches "*com.microsoft.*" OR plist_path matches "*com.adobe.*" OR plist_path matches "*com.google.*"), 1, 0) as random_name
| if (run_at_load = "1" OR keep_alive = "1", 1, 0) as persistence_enabled
| (suspicious_program + apple_name_spoof + random_name + persistence_enabled) as risk_score
| where risk_score > 0
| fields _messageTime, _sourceHost, plist_path, agent_label, program_args, agent_scope, run_at_load, keep_alive, suspicious_program, apple_name_spoof, random_name, persistence_enabled, risk_score
| sort by risk_score desc, _messageTime desc

Severity
high
Confidence
high

Detects macOS Launch Agent persistence using osquery launchd differential results. Evaluates newly registered launch agents for suspicious executable paths (shells, interpreters, download utilities), Apple naming convention spoofing, random reverse-DNS labels, and persistence keys (RunAtLoad/KeepAlive). Produces a risk score to prioritize high-confidence alerts.
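The same four-flag scoring, rewritten here as an added Python example (not code from this page or from Sumo Logic) so the logic can be exercised offline against osquery launchd differential rows. The sample rows, the vendor name and all paths are constructed; the regexes mirror the query's lists rather than any official ruleset.

```python
import json
import re

# Shells, interpreters, download utilities and temp directories, mirroring the query's list.
SUSPICIOUS_PROGRAM = re.compile(
    r"\b(?:bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)\b|/(?:tmp|var/tmp|var/folders)/")
# Reverse-DNS label of two short alphanumeric components (the Dok/CoinTicker pattern).
RANDOM_NAME = re.compile(r"/com\.[a-z0-9]{4,10}\.[a-z0-9]{4,10}\.plist$")
KNOWN_VENDORS = ("com.apple.", "com.microsoft.", "com.adobe.", "com.google.")

def score_launchd_event(event):
    """Score one osquery launchd differential row; None if it is not a newly added LaunchAgent."""
    cols = event.get("columns", {})
    path = cols.get("path", "")
    if (event.get("name") != "launchd" or event.get("action") != "added"
            or "/Library/LaunchAgents/" not in path):
        return None
    scope = ("System" if path.startswith("/System/Library/LaunchAgents/")
             else "Global" if path.startswith("/Library/LaunchAgents/") else "User")
    basename = path.rsplit("/", 1)[-1]
    program_text = cols.get("program_arguments", "") + " " + cols.get("program", "")
    flags = {
        "suspicious_program": int(bool(SUSPICIOUS_PROGRAM.search(program_text))),
        "apple_name_spoof": int(basename.startswith("com.apple.") and scope != "System"),
        "random_name": int(bool(RANDOM_NAME.search(path)) and not basename.startswith(KNOWN_VENDORS)),
        "persistence_enabled": int(cols.get("run_at_load") == "1" or cols.get("keep_alive") == "1"),
    }
    return {"path": path, "label": cols.get("label", ""), "scope": scope, **flags,
            "risk_score": sum(flags.values())}

def alerts(log_lines):
    """Same tail as the query: keep risk_score > 0, highest score first."""
    scored = (score_launchd_event(json.loads(line)) for line in log_lines)
    return sorted((r for r in scored if r and r["risk_score"] > 0), key=lambda r: -r["risk_score"])

# Constructed osquery differential rows (not real telemetry): an Apple-name spoof with a shell
# payload, a randomly named KeepAlive agent, and a legitimate vendor agent with RunAtLoad only.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"name": "launchd", "action": "added", "columns": {
        "path": "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist",
        "label": "com.apple.softwareupdate.helper", "program": "", "run_at_load": "1", "keep_alive": "1",
        "program_arguments": "/bin/bash -c /tmp/.cache/update"}},
    {"name": "launchd", "action": "added", "columns": {
        "path": "/Users/alice/Library/LaunchAgents/com.qwe4rt.zx9cv.plist", "label": "com.qwe4rt.zx9cv",
        "program": "/Users/alice/Library/.h/agent", "program_arguments": "", "run_at_load": "0", "keep_alive": "1"}},
    {"name": "launchd", "action": "added", "columns": {
        "path": "/Library/LaunchAgents/com.examplevendor.updater.plist", "label": "com.examplevendor.updater",
        "program": "/Applications/ExampleVendor.app/Contents/MacOS/updater", "program_arguments": "",
        "run_at_load": "1", "keep_alive": "0"}},
]]
```

The vendor agent still surfaces with a score of 1 because RunAtLoad alone satisfies `risk_score > 0`, which is exactly the class of hit the tuning notes below address.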

Data Sources

osquery differential results (launchd table)
macOS endpoint telemetry via Sumo Logic Installed Collector or osquery-logger

Required Tables

osquery launchd differential (name=launchd, action=added)

False Positives & Tuning

  • Legitimate commercial software (Zoom, Slack, Dropbox, 1Password) registers launch agents with RunAtLoad=1 during installation; their plist labels typically include the vendor's known bundle ID prefix
  • Enterprise security tools (Carbon Black, Falcon sensor, Tanium) install their own launch agents via installer or pkg workflows, which may trigger the suspicious_program flag
  • Development tools like rbenv, pyenv, nvm, or direnv write shell-based launch agents during environment setup, generating false positives on developer endpoints

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Persistent Launch Agent via Bash

    Expected signal: DeviceFileEvents: FileCreated action for file 'com.df00tech.atomictest.plist' in '~/Library/LaunchAgents/', InitiatingProcessFileName='bash'. osquery_differential: action='added' in launchd table with label='com.df00tech.atomictest', run_at_load='1', program_arguments='/bin/bash -c date...'.

  2. Test 2: Load Launch Agent with launchctl

    Expected signal: DeviceProcessEvents: FileName='launchctl', ProcessCommandLine contains 'load' and 'LaunchAgents/com.df00tech.launchctltest.plist', InitiatingProcessFileName='bash'. DeviceFileEvents: FileCreated for the plist in LaunchAgents directory.

  3. Test 3: Apple Name Spoof Launch Agent (MacMa/Green Lambert Pattern)

    Expected signal: DeviceFileEvents: FileCreated for 'com.apple.softwareupdate.helper.plist' in ~/Library/LaunchAgents/, InitiatingProcessFileName='bash'. osquery_differential: action='added', label='com.apple.softwareupdate.helper', run_at_load='1', keep_alive='1', path contains '/Users/<user>/Library/LaunchAgents/'.

  4. Test 4: KeepAlive Launch Agent with Randomly Named Plist (Dok/CoinTicker Pattern)

    Expected signal: DeviceFileEvents: FileCreated for 'com.<rand1>.<rand2>.plist' in ~/Library/LaunchAgents/, InitiatingProcessFileName='bash'. osquery_differential: action='added', label='com.<rand1>.<rand2>', run_at_load='1', keep_alive='1'.
