macOS Persistence Mechanisms: Launch Daemons, Agents, Cron Jobs, Login Items, and Startup Items

The article reviews macOS malware persistence techniques, summarizing a 2015 Bit9 report and detailing seven startup mechanisms—including launch daemons/agents, cron jobs, login items, and startup items—while providing configuration examples, detection tools, and reference resources for security professionals.


The article begins with a background on a 2015 Bit9 report titled "2015: The Most Prolific Year for OS X Malware," which analyzed 1,400 malware samples and found that OS X malware volume in 2015 was five times the total of the previous five years, indicating rapid growth in macOS infections.

The report highlights four key observations: (1) traditional Unix persistence mechanisms are largely abandoned in favor of newer OS X‑specific methods; (2) infection rates continue to rise while malware complexity remains modest; (3) there are seven primary startup mechanisms; and (4) detection on macOS is comparatively simpler because fewer persistence points exist than on Windows.

Launch Daemons/Agents

Launch daemons and agents are the standard macOS startup mechanism. They are managed by launchd, the PID 1 init process that replaced the traditional init and rc scripts. Daemons run system-wide, usually as root, without user interaction, and start regardless of whether anyone is logged in; agents run inside a user's login session, start only after that user logs in, and may present a GUI. launchd reads daemon plists from /System/Library/LaunchDaemons and /Library/LaunchDaemons, and agent plists from /System/Library/LaunchAgents, /Library/LaunchAgents and ~/Library/LaunchAgents. The /System paths hold Apple's own jobs; third-party (and malicious) jobs land in /Library or in the user's ~/Library.

To create a daemon or agent, write a property list into the appropriate directory (e.g., /Library/LaunchAgents) that names the job (Label) and the executable to run (Program or ProgramArguments); the executable itself can live anywhere on disk. A sample .plist for launching Calculator sets the RunAtLoad key to true, so the job starts as soon as launchd loads it, at boot or at login. The file can be syntax-checked with sudo plutil -lint /path/to/com.test.plist and loaded without a reboot with launchctl load /path/to/com.test.plist.
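As an added example (not code from the original article), the following Python builds the kind of launch agent plist described above with the standard-library plistlib module, checks that it carries the keys launchd needs, and runs plutil -lint where that tool exists. The label com.example.calc and the temporary output directory are assumptions; nothing is written under ~/Library.

```python
"""Build, write and sanity-check a launchd property list with plistlib."""
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# launchd will not load a job without a Label and one of these program keys.
PROGRAM_KEYS = ("Program", "ProgramArguments")


def build_launch_job(label, program_args, run_at_load=True, start_interval=None):
    """Return the dictionary a LaunchAgent/LaunchDaemon plist is made of."""
    job = {
        "Label": label,
        "ProgramArguments": list(program_args),
        "RunAtLoad": run_at_load,  # start as soon as launchd loads the plist
    }
    if start_interval is not None:
        job["StartInterval"] = int(start_interval)  # seconds between runs
    return job


def check_launch_job(job):
    """Return a list of problems; an empty list means the job looks loadable."""
    problems = []
    if not isinstance(job.get("Label"), str) or not job["Label"]:
        problems.append("Label missing or not a string")
    if not any(k in job for k in PROGRAM_KEYS):
        problems.append("neither Program nor ProgramArguments present")
    args = job.get("ProgramArguments")
    if args is not None and (
        not isinstance(args, list) or not args
        or not all(isinstance(a, str) for a in args)
    ):
        problems.append("ProgramArguments must be a non-empty list of strings")
    if "StartInterval" in job and job["StartInterval"] <= 0:
        problems.append("StartInterval must be positive")
    return problems


def write_launch_job(job, directory):
    """Write <Label>.plist into directory as XML (what launchd reads) and return its path."""
    problems = check_launch_job(job)
    if problems:
        raise ValueError("; ".join(problems))
    path = Path(directory) / f"{job['Label']}.plist"
    with open(path, "wb") as fh:
        plistlib.dump(job, fh, fmt=plistlib.FMT_XML)
    return path


def lint_with_plutil(path):
    """Run `plutil -lint` when it is installed (macOS); return None elsewhere."""
    if shutil.which("plutil") is None:
        return None
    result = subprocess.run(["plutil", "-lint", str(path)], capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Assumed label and an assumed temporary directory: copying the output to
    # ~/Library/LaunchAgents and running `launchctl load` is the install step.
    job = build_launch_job(
        "com.example.calc", ["/usr/bin/open", "/Applications/Calculator.app"]
    )
    with tempfile.TemporaryDirectory() as tmp:
        plist_path = write_launch_job(job, tmp)
        print(plist_path.read_text())
        print("plutil -lint ok:", lint_with_plutil(plist_path))
```

The check function is deliberately stricter than plutil: plutil only validates plist syntax, while launchd additionally rejects a job with no Label or no program, so both checks are worth running before loading.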

Cron Job

Although deprecated on macOS in favor of launchd, cron jobs are still supported. They execute commands or scripts at scheduled times, and malware can use them to run a payload (e.g., open /Applications/Calculator.app every minute). The crontab command manages these jobs, with options -l (list the current user's entries), -r (remove them all), and -e (edit); the per-user crontab files themselves are stored under /usr/lib/cron/tabs/ and are readable only by root, so a complete review needs sudo crontab -u <user> -l for each account.

Login Items

Login items are the Apple-recommended way to start applications at login. They can be added via the System Preferences UI or programmatically. The first method stored entries in ~/Library/Preferences/com.apple.loginitems.plist on the releases the report covered; from macOS 10.13 onward the UI-managed list lives in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm instead, so a detection script must check both. The second method, required for sandboxed apps, uses the Service Management framework with a helper executable placed in Contents/Library/LoginItems inside the app bundle and activated via SMLoginItemSetEnabled() (deprecated in macOS 13 in favor of SMAppService, which registers the same kind of helper).

Startup Items

Startup items are an older, unsupported method that, according to the report, still worked on the macOS versions current at the time. They reside in /System/Library/StartupItems or /Library/StartupItems. Each item is a directory containing an executable (or script) of the same name and a StartupParameters.plist describing how to start, stop, or restart the service.

Binary Infection

Binary infection on macOS mirrors Windows PE infection: attackers modify Mach-O binaries to inject code, typically by appending a new segment or altering existing load commands (for example redirecting the LC_MAIN entry point). At the time of the report unsigned binaries could still execute, making the technique viable. Two caveats matter for a current assessment: patching a signed binary invalidates its signature, which is detectable with codesign --verify, and on Apple silicon every native arm64 executable must carry at least an ad-hoc signature to run at all.
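As an added example (not from the original article), the following Python walks the load commands of a 64-bit Mach-O and applies three triage heuristics drawn from the paragraph above: a segment whose name is not one the Apple toolchain emits, a segment mapped writable and executable, and a missing LC_CODE_SIGNATURE command. The sample binaries are constructed in the script itself (header plus load commands only, no real code), and the segment name __INJECT is an invented marker used purely to exercise the checks.

```python
"""Walk Mach-O load commands and flag signs of segment or load-command injection."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC_BYTES = b"\xca\xfe\xba\xbe"  # universal binary: slices must be split first
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
LC_MAIN = 0x80000028
VM_PROT_WRITE, VM_PROT_EXECUTE = 2, 4
# Segment names a normal Apple-toolchain binary carries; anything else is worth a look.
KNOWN_SEGMENTS = {"__PAGEZERO", "__TEXT", "__DATA", "__DATA_CONST", "__LINKEDIT", "__OBJC"}


def parse_macho64(data):
    """Return segments and load-command ids of a thin 64-bit little-endian Mach-O."""
    if data[:4] == FAT_MAGIC_BYTES:
        raise ValueError("fat binary: split it into architecture slices first")
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cputype, _subtype, _filetype, ncmds, sizeofcmds, _flags, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic {magic:#x}")
    off, end = 32, 32 + sizeofcmds
    segments, commands = [], []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:  # malformed command tables are a red flag too
            raise ValueError("load command overruns sizeofcmds")
        commands.append(cmd)
        if cmd == LC_SEGMENT_64:
            (name, vmaddr, vmsize, fileoff, filesize,
             _maxprot, initprot, nsects, _segflags) = struct.unpack_from("<16s4Q2i2I", data, off + 8)
            segments.append({"name": name.rstrip(b"\0").decode(), "vmaddr": vmaddr, "vmsize": vmsize,
                             "fileoff": fileoff, "filesize": filesize, "initprot": initprot,
                             "nsects": nsects})
        off += cmdsize
    return {"ncmds": ncmds, "segments": segments, "commands": commands}


def triage(data):
    """Apply the infection heuristics and return a list of human-readable findings."""
    info = parse_macho64(data)
    findings = []
    for seg in info["segments"]:
        if seg["name"] not in KNOWN_SEGMENTS:
            findings.append(f"unexpected segment {seg['name']}")
        if seg["initprot"] & (VM_PROT_WRITE | VM_PROT_EXECUTE) == (VM_PROT_WRITE | VM_PROT_EXECUTE):
            findings.append(f"segment {seg['name']} is writable and executable")
    if LC_CODE_SIGNATURE not in info["commands"]:
        findings.append("no LC_CODE_SIGNATURE load command (unsigned binary)")
    return findings


def _segment(name, vmaddr, vmsize, fileoff, filesize, prot):
    """Pack one segment_command_64 (72 bytes); maxprot == initprot, no sections."""
    return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, name.encode().ljust(16, b"\0"),
                       vmaddr, vmsize, fileoff, filesize, prot, prot, 0, 0)


def build_sample(inject=False):
    """Constructed header + load commands (no code bytes) for a clean or 'infected' binary."""
    cmds = [_segment("__PAGEZERO", 0, 0x100000000, 0, 0, 0),
            _segment("__TEXT", 0x100000000, 0x4000, 0, 0x4000, 5),          # r-x
            _segment("__LINKEDIT", 0x100004000, 0x4000, 0x4000, 0x4000, 1),  # r--
            struct.pack("<2I2Q", LC_MAIN, 24, 0xF00, 0)]
    if inject:  # appended rwx segment, signature command dropped: the infection pattern
        cmds.append(_segment("__INJECT", 0x100008000, 0x1000, 0x8000, 0x1000, 7))
    else:
        cmds.append(struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x7000, 0x200))
    body = b"".join(cmds)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("infected", build_sample(inject=True))):
        print(label, [s["name"] for s in parse_macho64(blob)["segments"]], triage(blob) or "ok")
```

On a real file, read it with open(path, "rb") and pass the bytes to triage(); a universal binary must first be split with lipo -thin, and the KNOWN_SEGMENTS set should be extended with any segment names the binaries in your environment legitimately use before the "unexpected segment" finding is trusted.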

Detection

For personal macOS systems, detection can be performed manually by inspecting the locations of the seven persistence mechanisms, or by using tools such as Objective-See's KnockKnock, which enumerates everything registered in the known startup vectors, and BlockBlock, which watches those vectors and alerts when something new is added.
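As an added example (not the article's code, and not a substitute for KnockKnock), the following Python does the manual inspection the text describes for three of the mechanisms: it enumerates launchd plists in the daemon and agent directories, lists StartupItems directories that carry a StartupParameters.plist, and parses crontab -l output into schedule/command pairs (the Cron Job section above). It takes a filesystem root so it can be pointed at a mounted image or, as here, at a constructed sample tree; the sample tree, the crontab text and the label com.example.calc are invented for the demonstration.

```python
"""Enumerate launchd jobs, StartupItems and crontab entries below a filesystem root."""
import plistlib
import tempfile
from pathlib import Path

# Locations from the article, relative to the root being inspected.
LAUNCHD_DIRS = ["System/Library/LaunchDaemons", "Library/LaunchDaemons",
                "System/Library/LaunchAgents", "Library/LaunchAgents"]
STARTUP_ITEM_DIRS = ["System/Library/StartupItems", "Library/StartupItems"]

# Constructed stand-in for `crontab -l` output; not captured from a real host.
SAMPLE_CRONTAB = """\
# constructed sample
PATH=/usr/bin:/bin
* * * * * open /Applications/Calculator.app
@reboot /Users/demo/Library/.cache/run.sh
"""


def launchd_jobs(root, home=None):
    """Yield one record per plist in the launchd directories (plus ~/Library/LaunchAgents)."""
    dirs = [Path(root) / d for d in LAUNCHD_DIRS]
    if home is not None:
        dirs.append(Path(home) / "Library/LaunchAgents")
    for d in dirs:
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                with open(plist, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # an unparseable plist is itself worth a look
                yield {"path": str(plist), "error": str(exc)}
                continue
            program = job.get("Program") or " ".join(job.get("ProgramArguments", []))
            yield {"path": str(plist), "label": job.get("Label"), "program": program,
                   "run_at_load": bool(job.get("RunAtLoad", False)),
                   "keep_alive": bool(job.get("KeepAlive", False)),
                   "start_interval": job.get("StartInterval")}


def startup_items(root):
    """Yield each StartupItems directory that carries a StartupParameters.plist."""
    for d in STARTUP_ITEM_DIRS:
        base = Path(root) / d
        if not base.is_dir():
            continue
        for item in sorted(p for p in base.iterdir() if p.is_dir()):
            params = item / "StartupParameters.plist"
            if params.is_file():
                with open(params, "rb") as fh:
                    desc = plistlib.load(fh)
                yield {"path": str(item), "description": desc.get("Description"),
                       "provides": desc.get("Provides", [])}


def cron_entries(crontab_text):
    """Parse crontab text into (schedule, command) pairs, skipping comments and variables."""
    entries = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):  # @reboot, @daily and friends
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append((parts[0], parts[1]))
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            entries.append((" ".join(fields[:5]), fields[5]))
    return entries


def build_sample_tree(root):
    """Write a constructed (not real) launch agent and startup item under root."""
    root = Path(root)
    agents = root / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.calc.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.calc", "RunAtLoad": True, "StartInterval": 60,
                       "ProgramArguments": ["/usr/bin/open", "/Applications/Calculator.app"]}, fh)
    item = root / "Library/StartupItems/ExampleItem"
    item.mkdir(parents=True)
    with open(item / "StartupParameters.plist", "wb") as fh:
        plistlib.dump({"Description": "Example startup item", "Provides": ["ExampleItem"]}, fh)
    (item / "ExampleItem").write_text("#!/bin/sh\nexit 0\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)  # on a live Mac, pass "/" and Path.home() instead
        for rec in launchd_jobs(tmp):
            print("launchd:", rec)
        for rec in startup_items(tmp):
            print("startup item:", rec)
    for schedule, command in cron_entries(SAMPLE_CRONTAB):
        print("cron:", schedule, "->", command)
```

Login items are left out because their on-disk format differs between releases (see the Login Items section); for the two launchd-based records, RunAtLoad combined with KeepAlive or a short StartInterval is the pattern that most often marks a persistence job rather than an on-demand helper.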

References

Key references include the Bit9 report, the 2014 Virus Bulletin paper on Mac OS X persistence, Levin's "Mac OS X and iOS Internals," and various Apple developer documentation links.
