title: Launch Agent (T1543.001)
id: df00tech-t1543-001
status: experimental
description: "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence on macOS. When a user logs in, a per-user launchd process loads parameters for each launch-on-demand user agent from property list (.plist) files in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Adversaries install Launch Agents by placing a .plist file into these directories with RunAtLoad or KeepAlive keys set to true, ensuring malicious payloads execute at every user login. Launch Agents execute with user-level permissions and are commonly disguised using Apple-like naming conventions (e.g., com.apple.softwareupdate.plist, com.apple.GrowlHelper.plist). This technique is used by Calisto, Proton, MacSpy, CrossRAT, Dok, OceanLotus, ThiefQuest, Dacls, macOS.OSAMiner, InvisibleFerret (Contagious Interview), CoinTicker, and Green Lambert malware families."
references:
  - https://attack.mitre.org/techniques/T1543/001/
  - https://df00tech.com/detections/T1543.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1543.001
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Launch Agents are a macOS-only technique, so the auto-derived
# `product: windows` / `process_creation` pair was wrong for this rule; the
# logsource below targets macOS file events (creation of a .plist under a
# LaunchAgents directory), which is what the description and falsepositives
# sections describe.
logsource:
  category: file_event
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software installers (Adobe Creative Cloud, Zoom, Dropbox, Google Chrome updater) creating Launch Agents for auto-update or helper functionality during user-initiated installation — these will show installer or package manager as the writer process"
  - "Enterprise MDM solutions (Jamf Pro, Mosyle, Kandji) deploying configuration profiles that include Launch Agent definitions as part of managed device policy enforcement"
  - "Homebrew package manager and casks installing helper services (e.g., postgresql, redis, docker-machine) via brew services — these will show bash or brew as the writer process"
  - "VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and endpoint security agents (CrowdStrike Falcon, Carbon Black, SentinelOne) creating helper daemons during initial agent installation"
  - "Developer tools including JetBrains Toolbox, Xcode command line tools, and language version managers (rbenv, pyenv, nvm) registering launch services during setup"
level: high
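The description and the falsepositives list together describe what an analyst checks when triaging a plist written into a LaunchAgents directory: is the file in one of the three launchd-scanned locations, does it carry RunAtLoad/KeepAlive, does it borrow Apple's com.apple naming outside /System, and was it written by an expected installer process. The following is an added Python example of that triage logic, not code from the rule or from df00tech; the writer-process names, the two sample events and the program paths inside them are constructed for illustration.

```python
import plistlib
import posixpath

# Directories launchd scans for user agents (from the rule description).
SYSTEM_AGENT_DIRS = {"/Library/LaunchAgents", "/System/Library/LaunchAgents"}
USER_AGENT_SUFFIX = "/Library/LaunchAgents"   # matches ~/Library/LaunchAgents
# Writer processes the falsepositives section treats as expected (assumed spellings).
EXPECTED_WRITERS = {"installer", "brew", "bash", "jamf"}

def is_launch_agent_path(path: str) -> bool:
    """True when the path is a .plist inside one of the launchd agent directories."""
    parent = posixpath.dirname(path)
    return path.endswith(".plist") and (
        parent in SYSTEM_AGENT_DIRS or parent.endswith(USER_AGENT_SUFFIX))

def autostart_enabled(plist_bytes: bytes) -> bool:
    """True when RunAtLoad or KeepAlive would make launchd run the job at login."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return False  # malformed plist: launchd would reject it as well
    # KeepAlive may be a bool or a dict of conditions; a non-empty dict also keeps it alive.
    return bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive", False))

def classify(event: dict) -> list:
    """Return the reasons a plist-creation event looks like T1543.001 persistence."""
    path, writer, content = event["path"], event["writer"], event["content"]
    if not is_launch_agent_path(path):
        return []  # not an agent plist: out of scope for this rule
    reasons = []
    if autostart_enabled(content):
        reasons.append("RunAtLoad/KeepAlive set")
    # Third-party agents should never use Apple's namespace; genuine Apple agents
    # live on the sealed system volume under /System.
    if posixpath.basename(path).startswith("com.apple.") and not path.startswith("/System/"):
        reasons.append("Apple-like label written outside /System")
    if writer not in EXPECTED_WRITERS:
        reasons.append(f"unexpected writer process: {writer}")
    return reasons

# Constructed sample events: one mimicking the disguised agent the description
# mentions, one an ordinary installer-written updater without autostart keys.
MALICIOUS = plistlib.dumps({"Label": "com.apple.softwareupdate",
    "ProgramArguments": ["/Users/Shared/.update"], "RunAtLoad": True, "KeepAlive": True})
BENIGN = plistlib.dumps({"Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "StartInterval": 3600})
SAMPLE_EVENTS = [
    {"path": "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist",
     "writer": "updatehelper", "content": MALICIOUS},
    {"path": "/Library/LaunchAgents/com.example.updater.plist",
     "writer": "installer", "content": BENIGN},
]
```

Only events that return a non-empty reason list need analyst attention; an event with all three reasons set corresponds to the high-confidence case the rule's level reflects.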
