Persistent process via Launch Agent

An adversary can establish persistence by installing a new launch agent that executes at login, using launchd or launchctl to load a plist into the appropriate directories.

id: 8b3a3f3b-f4f0-4cd4-82f4-28f79a3cf95b
categories: enrich
confidence: low
os: macos
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Persistence
techniques: T1159 Launch Agent

Query

file where not subtype.delete and
  file_path == "*/library/launchagents/*"
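
A triage sketch for hits from this query, added here as an example and not part of the original analytic: it applies the same path filter to constructed file events and summarizes what a matching plist would run. The event field layout, the sample paths and plist, and case-insensitive matching (implied by the query's lowercase pattern) are assumptions.

```python
import fnmatch
import plistlib

# Pattern copied from the query. Case-insensitive matching is assumed,
# so paths are lowercased before comparison.
PATTERN = "*/library/launchagents/*"

# Constructed file events; the field names are an assumed event shape.
SAMPLE_EVENTS = [
    {"subtype": "create", "file_path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist"},
    {"subtype": "delete", "file_path": "/Users/alice/Library/LaunchAgents/com.example.old.plist"},
    {"subtype": "modify", "file_path": "/Users/alice/Documents/notes.txt"},
    {"subtype": "create", "file_path": "/Library/LaunchAgents/com.example.helper.plist"},
]

# Constructed launch agent definition, serialized as an XML plist.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/.cache/updater"],
    "RunAtLoad": True,
})

def matches_rule(event):
    """True for a non-delete file event under a LaunchAgents directory."""
    if event.get("subtype") == "delete":
        return False
    return fnmatch.fnmatchcase(event.get("file_path", "").lower(), PATTERN)

def hits(events):
    """Paths of the events the rule would flag."""
    return [e["file_path"] for e in events if matches_rule(e)]

def summarize_agent(plist_bytes):
    """Extract the launchd keys that say what the job runs and when."""
    job = plistlib.loads(plist_bytes)
    argv = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    return {
        "label": job.get("Label"),
        "command": argv,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
    }

if __name__ == "__main__":
    for path in hits(SAMPLE_EVENTS):
        print("HIT", path)
    print(summarize_agent(SAMPLE_PLIST))
```

Because the rule is low confidence and fires on any write under a LaunchAgents directory, the summarized command and label are what an analyst compares against known software on the host.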

Contributors