T1543.004
Launch Daemon
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-le...
macOS
8 Detections
2 Sources
0 Threat Actors
BY SOURCE
elastic: 6
sigma: 2
PROCEDURES (3)
Process Creation Monitoring (5 detections)
Auto-extracted: 5 detections for process creation monitoring
Authentication Monitoring (2 detections)
Auto-extracted: 2 detections for authentication monitoring
Network Connection Monitoring (1 detection)
Auto-extracted: 1 detection for network connection monitoring
DETECTIONS (8)
Creation of Hidden Launch Agent or Daemon
elastic, medium
First Time Python Created a LaunchAgent or LaunchDaemon
elastic, medium
Launch Agent/Daemon Execution Via Launchctl
sigma, medium
Launch Service Creation and Immediate Loading
elastic, low
Persistence via Suspicious Launch Agent or Launch Daemon
elastic, high
Potential Persistence Via PlistBuddy
sigma, high
Suspicious Echo or Printf Execution Detected via Defend for Containers
elastic, high
Suspicious Hidden Child Process of Launchd
elastic, medium