MAC-LAUNCHAGENT · Persistence
LaunchAgent / LaunchDaemon Persistence
Drop a .plist in ~/Library/LaunchAgents or /Library/LaunchDaemons referencing your binary — fires on every login / boot.
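A defender-side audit of the two directories named above, as an added example that is not part of the original entry: it parses each .plist (XML or binary) and flags jobs whose launch target sits in a world-writable or hidden path. The prefix list, the heuristics and the function names are assumptions, and the sample plists are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# The two directories named in this entry.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumption: a target under one of these prefixes is replaceable without admin rights.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def audit_job(job):
    """Return review reasons for one parsed launchd job dictionary."""
    target = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    if target is None:
        return ["no Program or ProgramArguments"]
    target, reasons = str(target), []
    if target.startswith(WRITABLE_PREFIXES):
        reasons.append("target in world-writable location: " + target)
    if any(part.startswith(".") for part in Path(target).parts):
        reasons.append("target under a hidden path: " + target)
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def audit_dirs(dirs=LAUNCHD_DIRS):
    """Map each flagged plist path to its reasons; missing directories are skipped."""
    findings = {}
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                job = plistlib.loads(path.read_bytes())
                reasons = audit_job(job) if isinstance(job, dict) else ["not a dictionary"]
            except Exception as exc:  # malformed or unreadable file
                reasons = ["unparseable: " + type(exc).__name__]
            if reasons:
                findings[str(path)] = reasons
    return findings

def demo():
    """Audit two constructed plists (sample data, not taken from a real host)."""
    samples = {
        "com.example.upd.plist": {"Label": "com.example.upd", "RunAtLoad": True,
                                  "ProgramArguments": ["/Users/Shared/.c/upd"]},
        "com.example.bak.plist": {"Label": "com.example.bak", "Program": "/usr/local/bin/backup"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            Path(tmp, name).write_bytes(plistlib.dumps(job))
        return {Path(p).name: r for p, r in audit_dirs([tmp]).items()}
```

On a Mac, calling `audit_dirs()` with no arguments reads the real directories; a flagged job is a prompt for review, not proof of compromise.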
§ Where this technique fits
MAC-LAUNCHAGENT is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3.5 on average.
§ Dossiers chaining this technique
- step 2 / 5
LaunchDaemon persistence as root
Once at root (via sudo or a local exploit), drop a .plist into /Library/LaunchDaemons that re-implants on every boot; it survives user logout and a full power cycle.
- step 5 / 5
Gatekeeper bypass → unsigned binary execution
Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.
§ What commonly comes next
- 01 · Boot or Logon Autostart Execution · seen 1× · T1547 · Persistence