Monitor Launch Item Creation
Audit all writes to LaunchAgent and LaunchDaemon directories to surface persistence attempts with complete process context for incident response.
Idea
Santa already emits rich telemetry through its LaunchItem event type, which reports when Launch Agents, Launch Daemons or Login Items are added. In practice these events can be hard to analyze because macOS frequently omits key information from them. A file access rule that watches the standard launch item persistence locations closes that gap: Santa records every write to those directories along with the full context of the process that performed it, so you can see exactly when and how an item was created.
Solutions
- Path Prefixes
- Options
  - Allow Read Access:
  - Audit Only:
  - Rule Type:
- Custom Message
MITRE ATT&CK
Tags
Deployment Notes
This rule does not cover all of Apple's newer Background Task Management (BTM) system, for example apps that register themselves through the SMAppService API in the ServiceManagement framework rather than by dropping a plist into a launch item directory. Santa does provide comprehensive telemetry for all BTM-related events, and our team is still evaluating the best way to secure those other vectors with file access rules.
If you want to lock this down more tightly, consider making this a blocking rule (setting Block Violations to true, which corresponds to AuditOnly being false in the rule's Options) instead of audit-only. Adding a custom message (such as "Please contact the admin for assistance") helps guide users into an appropriate workflow for requesting an exception; note that the message is only shown to the user when a write is actually blocked, not in audit-only mode.
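The following file access policy plist is an added example of what the rule described under Idea and the blocking variant described in the Deployment Notes look like in Santa's configuration format; it is not the rule from this page or from the Santa project. The three path prefixes, the policy version string, the rule name and the single allowed process (a placeholder MDM agent path and Team ID) are all assumptions chosen for illustration, not values taken from the original rule. It assumes the policy is delivered via the FileAccessPolicyPlist key of the main Santa configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Required by Santa; bump it whenever the policy changes. Value is an assumption. -->
  <key>Version</key>
  <string>launch-items-v1</string>
  <key>WatchItems</key>
  <dict>
    <!-- Rule name is an assumption; it appears in the resulting file access events. -->
    <key>LaunchItemCreation</key>
    <dict>
      <!-- Directory prefixes to watch (assumed set, not the page's own prefixes).
           IsPrefix makes every path underneath the directory match. -->
      <key>Paths</key>
      <array>
        <dict>
          <key>Path</key>
          <string>/Library/LaunchAgents</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Library/LaunchDaemons</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <!-- Glob is expanded when the policy is loaded, so home directories
               created later are not covered until the policy is reloaded. -->
          <key>Path</key>
          <string>/Users/*/Library/LaunchAgents</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
      </array>
      <key>Options</key>
      <dict>
        <!-- Reads are uninteresting here; only writes should be flagged. -->
        <key>AllowReadAccess</key>
        <true/>
        <!-- true: log violations with full process context but let the write through.
             Set to false to turn this into the blocking rule from the Deployment Notes. -->
        <key>AuditOnly</key>
        <true/>
        <!-- Only the processes listed below may write; everything else is a violation. -->
        <key>RuleType</key>
        <string>PathsWithAllowedProcesses</string>
        <!-- Shown to the user only when a write is blocked (AuditOnly false). -->
        <key>BlockMessage</key>
        <string>Creating launch items is restricted on this machine. Please contact the admin for assistance.</string>
      </dict>
      <!-- Placeholder allow-list entry for a management agent that legitimately
           installs launch daemons. Path and Team ID are hypothetical. -->
      <key>Processes</key>
      <array>
        <dict>
          <key>BinaryPath</key>
          <string>/Library/Application Support/ExampleMDM/agent</string>
          <key>TeamID</key>
          <string>XXXXXXXXXX</string>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
```

Roll the rule out with AuditOnly set to true first and review the resulting file access events for legitimate writers (installers, management agents, developer tooling) that need to be added to Processes; flipping AuditOnly to false before that allow-list is complete will block routine software installs, and the BlockMessage is the only hint users get about why.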