A LaunchAgent is a macOS persistence mechanism that starts user-level processes automatically. Attackers abuse it to relaunch malware after reboot or login, which makes a one-time infection survive long enough to steal data, fetch later stages, or maintain command access.
Expanded Definition
A LaunchAgent is a macOS user-level persistence mechanism that loads a process when a specific user logs in or when the user session is available. It is part of the broader launchd ecosystem, and in security operations it is treated as an endpoint persistence artifact rather than a benign startup convenience. Because it runs in the context of a user session, attackers often abuse LaunchAgents to re-establish execution after reboot, keep malware resident, and preserve access to data or credentials. That makes it especially relevant in investigations that involve endpoint compromise, credential theft, and post-exploitation tooling. For defenders, the practical distinction is between legitimate launch items used by software and suspicious entries that quietly survive routine reboots. This is why macOS persistence reviews are often paired with identity and secrets checks, not just endpoint triage, as highlighted in NHIMG coverage of Ultimate Guide to NHIs — 2025 Outlook and Predictions and the OWASP Top 10 for Agentic Applications 2026, where persistent execution paths and tool access are treated as governance concerns. The most common misapplication is assuming every LaunchAgent is malicious, which occurs when responders do not verify the signing status, install path, and parent software context.
Examples and Use Cases
Implementing LaunchAgent detection rigorously often introduces noise from legitimate software updaters and user utilities, so teams must balance coverage against false positives and investigation time.
- A red team drops a user-level LaunchAgent so malware relaunches at each login even if the host is restarted.
- An incident responder finds a suspicious plist in a user library and correlates it with network beacons and new token usage.
- A macOS hardening script inventories LaunchAgents alongside login items, startup daemons, and launchd jobs to spot unauthorized persistence.
- A security team reviews evidence from a suspected AI-assisted compromise using the Analysis of Claude Code Security and then checks whether the endpoint also contains user-level persistence artifacts.
- Defenders compare suspicious launch entries against guidance in the NIST AI Risk Management Framework when the infection chain includes AI-enabled tooling or automation.
In practice, LaunchAgents are also used by legitimate tools such as sync clients, remote support apps, and enterprise management agents, which is why defenders need context, code signing, and installation provenance before deciding on removal.
Why It Matters for Security Teams
LaunchAgents matter because they turn a short-lived compromise into a durable one. Once an attacker controls a user session, user-level persistence can preserve access long enough to steal browser sessions, harvest API keys, or stage additional payloads. That is especially important in environments where secrets, tokens, and automation credentials are already exposed on endpoints or in developer workflows. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, a reminder that persistence on the endpoint often becomes an identity problem as much as a malware problem. Teams reviewing suspicious macOS activity should also use sources such as NIST SP 800-53 Rev 5 Security and Privacy Controls to anchor detection and response expectations around monitoring, access control, and malicious code protection. This term becomes operationally unavoidable after a phishing click, a software supply chain compromise, or a developer workstation breach reveals that the attacker has been relaunching from a user context for days or weeks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | LaunchAgents are found through continuous endpoint monitoring and anomaly detection. |
| NIST SP 800-53 Rev 5 | SI-3 | Malicious code protection supports identifying persistence used to relaunch malware. |
| OWASP Non-Human Identity Top 10 | Persistent endpoint access often enables theft and misuse of NHI secrets and tokens. | |
| NIST SP 800-63 | AAL2 | User-session persistence can expose authenticators and session tokens with assurance impact. |
| NIST AI RMF | GOVERN | AI-enabled attacks and toolchains require governance over persistent execution paths. |
Monitor macOS persistence paths and alert when user-level startup items appear outside approved software.