Persistent process via Launch Agent¶
An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories
id: | 8b3a3f3b-f4f0-4cd4-82f4-28f79a3cf95b |
---|---|
categories: | enrich |
confidence: | low |
os: | macos |
created: | 7/26/2019 |
updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
tactics: | Persistence |
---|---|
techniques: | T1159 Launch Agent |
Query¶
file where not subtype.delete and
file_path == "*/library/launchagents/*"