LaunchAgents (User & System)

macos, Persistence Mechanisms, Disk Image

Location

~/Library/LaunchAgents/ (per-user), /Library/LaunchAgents/ (system-wide), /System/Library/LaunchAgents/ (Apple)

Description

Property list files defining agents that launchd loads when a user logs in. Each plist specifies the executable or script to run, arguments, environment variables, run conditions (KeepAlive, StartInterval, WatchPaths), and the label identifier. Per-user agents run in the user context; system-wide agents run for all users.

Forensic Value

LaunchAgents are the most common macOS persistence mechanism used by malware. Each plist contains the ProgramArguments array specifying the exact binary and arguments executed at login, enabling identification of the malicious payload. Comparing agent plists against known-good baselines or Apple defaults reveals attacker additions. The plist Label field provides a unique identifier for cross-referencing with launchctl output and Unified Log entries. Recently created plists with execution paths pointing to hidden directories, /tmp, or user-writable locations are high-confidence persistence indicators.
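The path checks described above, as an added Python example (not part of the original page) that parses a plist exported from a disk image with `plistlib`. The sample plists, their labels, and the list of user-writable prefixes are constructed assumptions.

```python
import plistlib
from pathlib import PurePosixPath

# Assumed heuristic list for "user-writable locations"; tune per environment.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")
RUN_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "WatchPaths")

def triage_agent(raw: bytes) -> dict:
    """Parse one LaunchAgent plist (XML or binary) and explain why it may be suspicious."""
    plist = plistlib.loads(raw)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    # launchd runs Program if present, otherwise ProgramArguments[0].
    program = plist.get("Program") or (args[0] if args else None)
    reasons = []
    # Inspect every absolute path: an interpreter such as /bin/bash is often
    # argv[0], with the real payload passed as a later argument.
    for path in dict.fromkeys(p for p in [program, *args] if p and p.startswith("/")):
        if any(part.startswith(".") for part in PurePosixPath(path).parts[1:]):
            reasons.append(f"hidden path component: {path}")
        if path.startswith(WRITABLE_PREFIXES):
            reasons.append(f"user-writable location: {path}")
    return {
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "run_conditions": {k: plist[k] for k in RUN_KEYS if k in plist},
        "reasons": reasons,
    }

# Constructed sample plists (not taken from a real case).
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/Users/Shared/.cache/update.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(triage_agent(sample))
```

The returned label is the value to cross-reference with launchctl output and Unified Log entries; a plist with an empty `reasons` list still needs comparison against a known-good baseline.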

Tools Required

plutil, launchctl list, mac_apt, KnockKnock (Objective-See), Crowdstrike UAC