{"id":10505,"date":"2021-04-14T09:00:00","date_gmt":"2021-04-14T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/"},"modified":"2021-04-14T09:00:00","modified_gmt":"2021-04-14T08:00:00","slug":"attack-detection-fundamentals-2021-macos-lab-2","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/","title":{"rendered":"Attack Detection Fundamentals 2021: macOS &#8211; Lab #2"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: macOS &#8211; <span class=\"blue-text\">Lab #2<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                     
                   Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                14 avril, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Partager cette information                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a 
href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_2e5e2ad7de8702f253425092170359ad\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                
<\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Calum Hall<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Luke Roberts<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Navigation dans le contenu            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    S\u00e9lectionnez une section                
<\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/\" 
target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first lab of F-Secure Consulting&#x27;s Attack Detection Fundamentals workshop focussing on macOS we played around with Office Macros.<\/p>\n<p>This lab demonstrated how macros can be abused within the macOS ecosystem, and namely focussed on the following areas:<\/p>\n<ul>\n<li>Gain initial code execution via Office Macros using the Mythic framework<\/li>\n<li>Breaking out of Apple&#x27;s sandbox<\/li>\n<li>Creating a login item to gain persistence<\/li>\n<\/ul>\n<p>Perhaps more importantly however, we also investigated how we can gather and analyse the necessary telemetry to detect certain stages of this attack. 
Apple&#x27;s Endpoint Security Framework (ESF) proved to be a key source of information for identifying the malicious behaviour of our Office document payload, and the Unified Log revealed certain telemetry that indicated a sandbox-restricted event.<\/p>\n<p>A recording of this workshop series can be found <a href=\"https:\/\/www.youtube.com\/watch?v=A6rSlavcF4Q\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-2-macos_2021-04-14.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>To follow on from this, in this lab we&#x27;re going to look at alternative means by which an adversary may persist on a device. This lab will discuss the well-documented persistence technique of abusing Apple&#x27;s LaunchAgent functionality. Given that this attack abuses legitimate macOS behaviour, the offensive walkthrough of this lab is rather short and focusses more on the fundamentals of how this technique is often abused. The key takeaways here will focus on the detection techniques that can be implemented to confidently identify this type of persistence on your devices.<\/p>\n<h2>Background<\/h2>\n<p>The macOS ecosystem provides a large array of persistence opportunities, both native to the operating system, <a href=\"https:\/\/www.mdsec.co.uk\/2021\/01\/macos-post-exploitation-shenanigans-with-vscode-extensions\/\" target=\"_blank\" rel=\"noopener\">as well as software dependent<\/a>. A large number of these vectors resemble techniques that have been observed within *nix environments for many years. 
We only plan on delving into one of these techniques within this workshop; however, there are some excellent resources out there, such as Csaba Fitzl&#x27;s latest <a href=\"https:\/\/theevilbit.github.io\/beyond\/\" target=\"_blank\" rel=\"noopener\">Beyond the good ol&#x27; LaunchAgents<\/a> blog series discussing macOS persistence techniques.<\/p>\n<h2>Walkthrough<\/h2>\n<p>For the purpose of this workshop, we will focus on a technique that has been abused countless times in the wild by macOS malware &#8211; LaunchAgents. LaunchAgents have been used by malware for a number of years now, and are a common TTP used by offensive operators on macOS engagements. The Silver Sparrow malware for example, one of the first pieces of macOS malware that was compiled to run on Apple&#x27;s latest silicon, was found to utilise a LaunchAgent for persistence.<\/p>\n<p>A LaunchAgent can be used to employ launchd to run a given program periodically, or to keep that program alive indefinitely. This persistence mechanism can be abused by users of all privilege levels, as LaunchAgents can be configured on a per-user basis within a specific user&#x27;s home directory ($HOME\/Library\/LaunchAgents\/). Hence, administrative privileges are not required to abuse this vector. It should be noted that a LaunchAgent will execute within the context of the user that created the LaunchAgent, with the exception of administrative users creating LaunchAgents on behalf of other users.<\/p>\n<p>It is also worth noting at this point that in addition to LaunchAgents we also have LaunchDaemons. LaunchDaemons behave in a similar manner to LaunchAgents except that daemons run at a system level on startup, rather than within the context of a specific user&#x27;s session. Given that you must be root on a device to register a new LaunchDaemon, they are not as commonly abused as LaunchAgents. 
Hence, for this document we will focus on the LaunchAgent side of things.<\/p>\n<p>LaunchAgents exist in a .plist format similar to the following:<\/p>\n<pre><code class=\"language-bash\">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;\n&lt;!DOCTYPE plist PUBLIC &quot;-\/\/Apple\/\/DTD PLIST 1.0\/\/EN&quot; &quot;http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd&quot;&gt;\n&lt;plist version=&quot;1.0&quot;&gt;\n&lt;dict&gt;\n&lt;key&gt;Label&lt;\/key&gt;\n&lt;string&gt;malicious_plist&lt;\/string&gt;\n&lt;key&gt;ProgramArguments&lt;\/key&gt;\n&lt;array&gt;\n&lt;string&gt;\/tmp\/.malicious_binary&lt;\/string&gt;\n&lt;\/array&gt;\n&lt;key&gt;RunAtLoad&lt;\/key&gt;\n&lt;true\/&gt;\n&lt;key&gt;StartInterval&lt;\/key&gt;\n&lt;integer&gt;20&lt;\/integer&gt;\n&lt;\/dict&gt;\n&lt;\/plist&gt;<\/code><\/pre>\n<p>This LaunchAgent will run &quot;\/tmp\/.malicious_binary&quot; when it is loaded, and then every 20 seconds thereafter.<\/p>\n<h2>Detections<\/h2>\n<h3>Creation of LaunchAgent<\/h3>\n<p>Using the Endpoint Security Framework (ESF), we can detect certain events of interest. In this instance, rather than monitoring processes, we are going to look at the file events occurring on the device. Using Objective-See&#x27;s <a href=\"https:\/\/objective-see.com\/products\/utilities.html\" target=\"_blank\" rel=\"noopener\">FileMonitor<\/a> we can monitor for files that are created within the target directories:<\/p>\n<ul>\n<li>\/Library\/LaunchAgents\/<\/li>\n<li>\/Library\/LaunchDaemons\/<\/li>\n<li>\/Users\/$USER_HOME\/Library\/LaunchAgents\/<\/li>\n<\/ul>\n<p>For example, here we are going to grep through the output of FileMonitor in an attempt to identify any file writes containing &quot;\/Library\/Launch&quot;. 
Note that we are using JQ here to prettify the JSON output:<\/p>\n<pre><code class=\"language-bash\">&gt; sudo .\/FileMonitor.app\/Contents\/MacOS\/FileMonitor &gt; LaunchAgents\n&gt; cat LaunchAgents | grep -I \/Library\/Launch | jq\n\n{\n&quot;event&quot;: &quot;ES_EVENT_TYPE_NOTIFY_CREATE&quot;,\n&quot;timestamp&quot;: &quot;2021-04-06 08:55:05 +0000&quot;,\n&quot;file&quot;: {\n&quot;destination&quot;: &quot;\/Users\/calumhall\/Library\/LaunchAgents\/com.malicious.plist&quot;,\n&quot;process&quot;: {\n&quot;pid&quot;: 39665,\n&quot;name&quot;: &quot;touch&quot;,\n&quot;path&quot;: &quot;\/usr\/bin\/touch&quot;,\n&quot;uid&quot;: 501,\n&quot;architecture&quot;: &quot;unknown&quot;,\n&quot;arguments&quot;: [],\n&quot;ppid&quot;: 39279,\n&quot;rpid&quot;: 32162,\n&quot;ancestors&quot;: [\n32162,\n1\n],\n&quot;signing info (reported)&quot;: {\n&quot;csFlags&quot;: 570522385,\n&quot;platformBinary&quot;: 1,\n&quot;signingID&quot;: &quot;com.apple.touch&quot;,\n&quot;teamID&quot;: &quot;&quot;,\n&quot;cdHash&quot;: &quot;1840467F3490AFAA5119AF54623768C1D8BE99E1&quot;\n},\n&quot;signing info (computed)&quot;: {\n&quot;signatureID&quot;: &quot;com.apple.touch&quot;,\n&quot;signatureStatus&quot;: 0,\n&quot;signatureSigner&quot;: &quot;Apple&quot;,\n&quot;signatureAuthorities&quot;: [\n&quot;Software Signing&quot;,\n&quot;Apple Code Signing Certification Authority&quot;,\n&quot;Apple Root CA&quot;\n]\n}\n}\n}\n}\n[...redacted...]<\/code><\/pre>\n<p>At which point, we identify the LaunchAgent &quot;com.malicious.plist&quot; being created within this directory. At this point, we can confidently identify when a new LaunchAgent is created on the device, however we have one very obvious problem &#8211; LaunchAgents are a core component of macOS and many legitimate software packages. Hence, the creation of a LaunchAgent in itself does not indicate malicious behaviour. 
As such, we need to delve into the contents of the agents that are created.<\/p>\n<h3>Suspicious LaunchAgent Behaviour<\/h3>\n<p>Using the ESF we can detect when a LaunchAgent is created, yet we are provided with no indication as to the behaviour of the agent. As a result, we must employ alternative methods of retrieving this information such as <a href=\"https:\/\/osquery.io\/\" target=\"_blank\" rel=\"noopener\">osquery<\/a>.<\/p>\n<p>Using osquery we are able to not only read the contents of the file, but also link certain attributes with more contextual information. As Patrick Wardle discusses in his talk &quot;<a href=\"https:\/\/www.youtube.com\/watch?v=_M0bCbaaDtw\" target=\"_blank\" rel=\"noopener\">What\u2019s Your Game Plan? Leveraging Apple\u2019s Game Engine to Detect Threats<\/a>&quot; we can create a number of predicates that will flag suspicious behaviour within LaunchAgents. Namely, in this instance we&#x27;re going to focus on Apple&#x27;s Code Signing, or &#8211; in our case &#8211; lack thereof!<\/p>\n<p>For those that aren&#x27;t familiar &#8211; osquery is a tool that can be deployed across your estate, enabling you to query your organisation&#x27;s devices in a SQL database-like manner. 
There are plenty of resources out there that will provide everything you need to know about using osquery and as such we&#x27;re going to stick to discussing what we need from it.<\/p>\n<p>Specifically, we want to detect LaunchAgents that execute an unsigned binary on the device, which we can achieve with the following query provided by <a href=\"https:\/\/www.uptycs.com\/blog\/hunting-for-evil-launch-daemons-identifying-suspicious-behavior-with-osquery\" target=\"_blank\" rel=\"noopener\">Guillaume Ross<\/a>:<\/p>\n<pre><code class=\"language-bash\">&gt; select * FROM signature s JOIN launchd d ON d.program_arguments = s.path WHERE signed=0 AND d.run_at_load=1;\n\n+-----------------------------------------------------------------+----------------+--------+--------+------------+--------+-----------------+-----------+-----------------------------------------------------------------+-----------------------------------+-----------------------------+---------+-------------+------------+-----------+----------+----------+-----------+-------------+-------------+----------------+---------------------------------------+-------------+-------------------+---------------------+----------------+----------------+-------------------+--------------+\n| path | hash_resources | arch | signed | identifier | cdhash | team_identifier | authority | path | name | label | program | run_at_load | keep_alive | on_demand | disabled | username | groupname | stdout_path | stderr_path | start_interval | program_arguments | watch_paths | queue_directories | inetd_compatibility | start_on_mount | root_directory | working_directory | process_type 
|\n+-----------------------------------------------------------------+----------------+--------+--------+------------+--------+-----------------+-----------+-----------------------------------------------------------------+-----------------------------------+-----------------------------+---------+-------------+------------+-----------+----------+----------+-----------+-------------+-------------+----------------+---------------------------------------+-------------+-------------------+---------------------+----------------+----------------+-------------------+--------------+\n| \/Users\/calumhall\/Library\/LaunchAgents\/com.malicious.plist | 1 | | 0 | | | | | \/Users\/calumhall\/Library\/LaunchAgents\/com.malicious.plist | com.malicious.plist | malicious_plist | | 1 | | | | | | | | 20 | \/tmp\/.malicious_binary | | | | | | | |\n| \/Users\/calumhall\/Library\/LaunchAgents\/com.malicious.plist | 1 | x86_64 | 0 | | | | | \/Users\/calumhall\/Library\/LaunchAgents\/com.malicious.plist | com.malicious.plist | malicious_plist | | 1 | | | | | | | | 20 | \/tmp\/.malicious_binary | | | | | | | |\n+-----------------------------------------------------------------+----------------+--------+--------+------------+--------+-----------------+-----------+-----------------------------------------------------------------+-----------------------------------+-----------------------------+---------+-------------+------------+-----------+----------+----------+-----------+-------------+-------------+----------------+---------------------------------------+-------------+-------------------+---------------------+----------------+----------------+-------------------+----------<\/code><\/pre>\n<p>From this output we can see that the &quot;\/tmp\/.malicious_binary&quot; binary is being called as a &quot;Program Argument&quot; from within the LaunchAgent. By joining the data held within osquery we can see that this file is unsigned, which in itself is suspect. 
We can also implement further predicates that are likely to flag additional suspicious behaviour, e.g. the fact that we&#x27;re executing a hidden binary from the &quot;\/tmp\/&quot; directory is bound to raise some eyebrows. There are too many potential indicators to cover in this workshop, however for those interested, Patrick Wardle&#x27;s talk discussed previously is a great place to start.<\/p>\n<p>Osquery only returns information that has not previously been gathered from the device, and hence we can focus on analysing new LaunchAgents that are added to the device. On the flip side however, it is worth noting a few limitations of osquery:<\/p>\n<ul>\n<li>Not real-time reporting &#8211; osquery will periodically send new events, rather than as they happen<\/li>\n<li>Runs in user-land &#8211; Anything that gains root access to the device will be able to bypass osquery detection<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Throughout this lab we have demonstrated the simplistic nature of LaunchAgents and consequently why they are so commonly employed as a persistence technique. Thankfully for the good guys, we have also demonstrated the following methods that we can employ to detect such an attack:<\/p>\n<ul>\n<li>Identify the creation of new LaunchAgents via the ESF<\/li>\n<li>Discover conspicuous LaunchAgents on target devices using osquery<\/li>\n<\/ul>\n<p>The detection techniques we have described are just the tip of the iceberg of the detection capability we could develop. 
We have demonstrated that whilst the ESF can provide real-time detection of new LaunchAgents, it is the further analysis of these LaunchAgents that provides us with the ability to accurately detect malicious behaviour.<\/p>\n<h3>References<\/h3>\n<p>Special shout-out to the following researchers whose work has formed the basis of this workshop series:<\/p>\n<ul>\n<li>Patrick Wardle<\/li>\n<li>Cody Thomas<\/li>\n<li>Michael Jack<\/li>\n<li>Cedric Owens<\/li>\n<li>Csaba Fitzl<\/li>\n<li>Jaron Bradley<\/li>\n<li>Guillaume Ross<\/li>\n<li>Howard Oakley<\/li>\n<li>Phil Stokes<\/li>\n<li>Madhav Bhatt<\/li>\n<li>Adam Chester<\/li>\n<\/ul>\n<p>And to anyone else that we have inevitably forgotten to mention.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack 
    <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>This lab discusses the well-documented macOS persistence technique of abusing Apple&rsquo;s LaunchAgent functionality.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[306,328,307],"labs_content_type":[309],"class_list":["post-10505","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software 
Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: macOS &#8211; Lab #2<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">This lab discusses the well-documented macOS persistence technique of abusing Apple&#039;s LaunchAgent functionality.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-macos-lab-2\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item\/10505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/media?parent=10505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/categories?post=10505"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/labs_content_type?post=10505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}