MITRE ATT&CK Technique
Persistence T1159
Description

Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
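
A defender-side triage sketch for the launch agent plists described above, added here as an example and not part of the ATT&CK entry: it parses each plist, reports the executable it points to, and applies two review heuristics. The sample plists, their paths and labels, and the heuristics are constructed assumptions; Label, Program, ProgramArguments and RunAtLoad are standard launchd plist keys.

```python
import plistlib
from pathlib import PurePosixPath

SYSTEM_DIR = "/System/Library/LaunchAgents/"
# Assumed triage list of locations unusual for installed software.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def audit_agent(plist_path, plist_bytes):
    """Parse one launch agent plist; return its target and triage findings."""
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or []
    # launchd runs Program if present, otherwise the first ProgramArguments entry.
    exe = job.get("Program") or (args[0] if args else "")
    findings = []
    # An Apple-style label on a plist outside the system directory may be a disguise.
    if label.startswith("com.apple.") and not plist_path.startswith(SYSTEM_DIR):
        findings.append("apple-style label outside system directory")
    # Flag executables under dot-directories or temporary locations.
    hidden = any(part.startswith(".") for part in PurePosixPath(exe).parts)
    if hidden or exe.startswith(TEMP_PREFIXES):
        findings.append("executable in hidden or temporary path")
    return {"label": label, "executable": exe,
            "run_at_load": bool(job.get("RunAtLoad")), "findings": findings}

# Constructed sample plists (not real indicators), keyed by where they would live.
SAMPLES = {
    "/System/Library/LaunchAgents/com.apple.example.plist": {
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example"]},
    "/Users/alice/Library/LaunchAgents/com.apple.updater.plist": {
        "Label": "com.apple.updater",
        "ProgramArguments": ["/Users/alice/Library/.cache/updater"],
        "RunAtLoad": True},
    "/Library/LaunchAgents/org.example.helper.plist": {
        "Label": "org.example.helper",
        "Program": "/Applications/Example.app/Contents/MacOS/helper",
        "RunAtLoad": True},
}

def audit_samples():
    """Serialize each constructed sample to plist bytes and audit it."""
    return {path: audit_agent(path, plistlib.dumps(job))
            for path, job in SAMPLES.items()}

if __name__ == "__main__":
    for path, result in audit_samples().items():
        print(path, result)
```

On a Mac, pass the bytes of each .plist file found in the three directories to audit_agent; a finding is a prompt for review, not a verdict.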

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Per Apple’s developer documentation, when a user logs in, a '
                'per-user launchd process is started which loads the '
                'parameters for each launch-on-demand user agent from the '
                'property list (plist) files found in '
                '<code>/System/Library/LaunchAgents</code>, '
                '<code>/Library/LaunchAgents</code>, and '
                '<code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs '
                'Launch Agent Daemons) (Citation: OSX Keydnap malware) '
                '(Citation: Antiquated Mac Malware). These launch agents have '
                'property list files which point to the executables that will '
                'be launched (Citation: OSX.Dok Malware).\n'
                ' \n'
                'Adversaries may install a new launch agent that can be '
                'configured to execute at login by using launchd or launchctl '
                'to load a plist into the appropriate directories  (Citation: '
                'Sofacy Komplex Trojan)  (Citation: Methods of Mac Malware '
                'Persistence). The agent name may be disguised by using a name '
                'from a related operating system or benign software. Launch '
                'Agents are created with user level privileges and are '
                'executed with the privileges of the user when they log in '
                '(Citation: OSX Malware Detection) (Citation: OceanLotus for '
                'OS X). They can be set up to execute when a specific user '
                'logs in (in the specific user’s directory structure) or when '
                'any user logs in (which requires administrator privileges).',
 'external_references': [{'external_id': 'T1159',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1159'},
                         {'description': 'Apple. (n.d.). Creating Launch '
                                         'Daemons and Agents. Retrieved July '
                                         '10, 2017.',
                          'source_name': 'AppleDocs Launch Agent Daemons',
                          'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html'},
                         {'description': 'Marc-Etienne M.Leveille. (2016, July '
                                         '6). New OSX/Keydnap malware is '
                                         'hungry for credentials. Retrieved '
                                         'July 3, 2017.',
                          'source_name': 'OSX Keydnap malware',
                          'url': 'https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/'},
                         {'description': 'Thomas Reed. (2017, January 18). New '
                                         'Mac backdoor using antiquated code. '
                                         'Retrieved July 5, 2017.',
                          'source_name': 'Antiquated Mac Malware',
                          'url': 'https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/'},
                         {'description': 'Thomas Reed. (2017, July 7). New '
                                         'OSX.Dok malware intercepts web '
                                         'traffic. Retrieved July 10, 2017.',
                          'source_name': 'OSX.Dok Malware',
                          'url': 'https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/'},
                         {'description': 'Dani Creus, Tyler Halfpop, Robert '
                                         'Falcone. (2016, September 26). '
                                         "Sofacy's 'Komplex' OS X Trojan. "
                                         'Retrieved July 8, 2017.',
                          'source_name': 'Sofacy Komplex Trojan',
                          'url': 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/'},
                         {'description': 'Patrick Wardle. (2014, September). '
                                         'Methods of Malware Persistence on '
                                         'Mac OS X. Retrieved July 5, 2017.',
                          'source_name': 'Methods of Mac Malware Persistence',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
                         {'description': 'Patrick Wardle. (2016, February 29). '
                                         "Let's Play Doctor: Practical OS X "
                                         'Malware Detection & Analysis. '
                                         'Retrieved July 10, 2017.',
                          'source_name': 'OSX Malware Detection',
                          'url': 'https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf'},
                         {'description': 'Eddie Lee. (2016, February 17). '
                                         'OceanLotus for OS X - an Application '
                                         'Bundle Pretending to be an Adobe '
                                         'Flash Update. Retrieved July 5, '
                                         '2017.',
                          'source_name': 'OceanLotus for OS X',
                          'url': 'https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update'}],
 'id': 'attack-pattern--dd901512-6e37-4155-943b-453e3777b125',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:49:29.406Z',
 'name': 'Launch Agent',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.1'}