I was always amazed by @Hexacorn’s Beyond good ol’ Run key blog post series, which collects various persistence methods on Windows. It’s an awesome series, with 133 parts at the time of this writing. I find them pretty cool, and if you do either offensive or defensive work on Windows, this is a must-read blog to follow.
Over the past years, as my interest in macOS grew, and now that I’m doing almost exclusively macOS-related research and studies, I started to come across many, many tricks that allow someone to achieve persistence on macOS beyond just the LaunchAgents directories, which are used to store the launchd startup files. This location is probably as classic on macOS as the Run registry key is on Windows. I did write about two different techniques in my regular posts (here and here), but it never became a full series. So I started to think about writing a post for each idea I came across, just like Adam does for Windows, but for macOS, with almost the same name: just swapping Run key for LaunchAgents and naming it Beyond the good ol' LaunchAgents.
It turns out that there is nothing new in InfoSec, and someone else had already thought about this. Pasquale Stirparo started posting under the name Beyond the good ol' LaunchAgent three years ago, here and here. I reached out to him to ask whether he had any intention of continuing and, if not, whether he was OK with me using the same name. He gave permission to use the name, and I really appreciate it.
Also, a shout-out to Patrick Wardle, who compiled a very comprehensive list of macOS malware persistence techniques at Virus Bulletin. To date he actively maintains a tool called KnockKnock, which can scan your computer for all sorts of persistence and alert you. If you don’t use it, you definitely should!
There are other posts as well that collect macOS persistence ideas, but these are always one-off posts and don’t try to be comprehensive in the long term.
With that, I’m starting a series with the title Beyond the good ol' LaunchAgents and will try to cover as much as I can. I will definitely cover even those techniques that have been discussed elsewhere, so it won’t always be “new”, but the idea is that this can be a go-to resource in the long run.