Defeating Malicious Launch Persistence

A New Mitigation Strategy for the most used macOS Persistence Technique

Why Launch Persistence Research?

Persistence

Launch Persistence and launchd

Property Lists (plists)

Example Property List

Launch Persistence and Malware

Mitigation

Enterprise Mitigation

What do you mean by “locked?”

LaunchAgents directory is immutable
Unlocked LaunchAgents directory via File Information

Will this break application functionality?

What about the USER LaunchAgents directory?

How do we do this at scale?

Protecting Launch Directories with Jamf Pro

Reporting on uchg Status

Writing the Script

Crafting the Policy

To Summarize

Works Cited

Red Team Pen Testing Nobody | OSCP | InfoSec | Tech Junkie | OIF Veteran | Tweets are mine, not yours, nor anyone else's... Certainly not my employer's