T1053.004

Launchd

Execution Persistence Privilege Escalation

Adversaries may abuse the launchd daemon to perform task scheduling for initial or recurring execution of malicious code on macOS. The launchd daemon is responsible for loading and maintaining services within the operating system. It processes property list (plist) files found in /System/Library/LaunchDaemons, /Library/LaunchDaemons (system-wide daemons run as root), /Library/LaunchAgents (user agents run for all users), and ~/Library/LaunchAgents (user agents run for the specific user). Adversaries may install malicious plist files in these directories to achieve persistence, privilege escalation (via LaunchDaemons running as root), or execution at system startup or login. This technique is noted as deprecated by MITRE due to inaccurate original characterization, but the underlying abuse of launchd-controlled directories remains a valid and observed persistence mechanism on macOS.

Microsoft Sentinel / Defender

kusto

// Detection for T1053.004 - Launchd abuse on macOS via Microsoft Defender for Endpoint
// Detects plist file creation/modification in LaunchDaemon/LaunchAgent directories
// and suspicious launchctl usage
let LaunchDaemonPaths = dynamic([
  "/Library/LaunchDaemons/",
  "/System/Library/LaunchDaemons/",
  "/Library/LaunchAgents/",
  "/System/Library/LaunchAgents/"
]);
let UserLaunchAgentPattern = "/Library/LaunchAgents/";
let SuspiciousParents = dynamic([
  "bash", "sh", "zsh", "python", "python3", "ruby", "perl",
  "curl", "wget", "osascript", "node"
]);
// Detect plist file creation in LaunchDaemon/LaunchAgent directories
let PlistFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where OSPlatform =~ "macOS" or DeviceType =~ "Mac"
| where FolderPath has_any (LaunchDaemonPaths)
| where FileName endswith ".plist"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| extend AlertType = "PlistCreatedInLaunchDirectory"
| extend IsDaemon = FolderPath has "/Library/LaunchDaemons/"
| extend IsSystemPath = FolderPath has "/System/Library/"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ActionType, AlertType, IsDaemon, IsSystemPath;
// Detect suspicious launchctl load/bootstrap commands
let LaunchctlSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform =~ "macOS" or DeviceType =~ "Mac"
| where FileName =~ "launchctl"
| where ProcessCommandLine has_any ("load", "bootstrap", "submit", "start")
| where InitiatingProcessFileName has_any (SuspiciousParents)
       or ProcessCommandLine has_any ("/tmp/", "/var/tmp/", "/dev/shm", ".hidden",
                                       "curl", "wget", "base64", "/Users/Shared/")
| extend AlertType = "SuspiciousLaunchctlExecution"
| extend IsDaemon = ProcessCommandLine has "/Library/LaunchDaemons/"
| extend IsSystemPath = ProcessCommandLine has "/System/Library/"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, AlertType, IsDaemon, IsSystemPath;
// Union both detections
PlistFileCreation
| extend ProcessCommandLine = InitiatingProcessCommandLine
| union (LaunchctlSuspicious
         | extend FileName = FileName, FolderPath = "", ActionType = "ProcessCreated")
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate software installation (Homebrew, macOS app installers, enterprise MDM) creating plist files in LaunchDaemons or LaunchAgents directories
IT management tools (Jamf Pro, Puppet, Chef, Ansible) deploying configuration via launchctl load as part of policy enforcement
Developer tools and package managers (e.g., Homebrew services) that register background services using plist files
macOS system updates modifying plist files in /System/Library paths
Monitoring agents (CrowdStrike, Carbon Black, SentinelOne endpoint sensors) installing their own LaunchDaemon plist files

Splunk

spl

index=mac_logs (sourcetype="macos:unified_log" OR sourcetype="syslog" OR sourcetype="macos:security")
("LaunchDaemons" OR "LaunchAgents" OR "launchctl")
| eval is_plist_creation=if(match(_raw, "(LaunchDaemons|LaunchAgents).+\.plist") AND match(_raw, "(created|modified|written|open for write)"), 1, 0)
| eval is_launchctl_load=if(match(_raw, "launchctl.+(load|bootstrap|submit|start)"), 1, 0)
| eval suspicious_parent=if(match(_raw, "(bash|sh|zsh|python|python3|ruby|perl|curl|wget|osascript|node)"), 1, 0)
| eval suspicious_path=if(match(_raw, "(/tmp/|/var/tmp/|\.hidden|/Users/Shared/)"), 1, 0)
| eval is_daemon_path=if(match(_raw, "Library/LaunchDaemons"), 1, 0)
| eval is_system_path=if(match(_raw, "System/Library"), 1, 0)
| eval alert_score=is_plist_creation + is_launchctl_load + suspicious_parent + suspicious_path
| where alert_score > 0
| eval alert_type=case(
    is_plist_creation=1 AND suspicious_parent=1, "SuspiciousPlistCreationByShellOrInterpreter",
    is_plist_creation=1 AND suspicious_path=1, "PlistCreatedInSuspiciousPath",
    is_launchctl_load=1 AND suspicious_parent=1, "SuspiciousLaunchctlLoadByShell",
    is_launchctl_load=1 AND suspicious_path=1, "LaunchctlLoadFromSuspiciousPath",
    is_plist_creation=1, "PlistCreatedInLaunchDirectory",
    is_launchctl_load=1, "LaunchctlLoadDetected",
    true(), "OtherLaunchdActivity"
  )
| table _time, host, user, sourcetype, alert_type, alert_score, is_daemon_path, is_system_path, _raw
| sort - alert_score, - _time

high severity medium confidence

Data Sources

macOS Unified Log Syslog macOS Security Events Process: Process Creation File: File Creation

Required Sourcetypes

macos:unified_log syslog macos:security

False Positives

Legitimate software installation (Homebrew, macOS app installers, enterprise MDM) creating plist files in LaunchDaemons or LaunchAgents directories
IT management tools (Jamf Pro, Puppet, Chef, Ansible) deploying configuration via launchctl load as part of policy enforcement
Developer tools and package managers (e.g., Homebrew services) that register background services using plist files
macOS system updates modifying plist files in /System/Library paths
Monitoring agents (CrowdStrike, Carbon Black, SentinelOne endpoint sensors) installing their own LaunchDaemon plist files

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(highlevelcategory) AS high_category,
  "Message",
  CASE WHEN "Message" LIKE '%Library/LaunchDaemons%' THEN '1' ELSE '0' END AS is_daemon_path,
  CASE WHEN "Message" LIKE '%System/Library%' THEN '1' ELSE '0' END AS is_system_path,
  CASE
    WHEN "Message" LIKE '%LaunchDaemons%.plist%'
      AND ("Message" LIKE '% bash %' OR "Message" LIKE '% python%' OR "Message" LIKE '% curl %' OR "Message" LIKE '% wget %')
      THEN 'SuspiciousPlistCreationInDaemonDir'
    WHEN "Message" LIKE '%LaunchAgents%.plist%'
      AND ("Message" LIKE '% bash %' OR "Message" LIKE '% zsh %' OR "Message" LIKE '% python%' OR "Message" LIKE '% osascript%')
      THEN 'SuspiciousPlistCreationInAgentDir'
    WHEN "Message" LIKE '%launchctl%'
      AND ("Message" LIKE '% load %' OR "Message" LIKE '% bootstrap %' OR "Message" LIKE '% submit %')
      AND ("Message" LIKE '%/tmp/%' OR "Message" LIKE '%/var/tmp/%' OR "Message" LIKE '%/Users/Shared/%')
      THEN 'LaunchctlLoadFromSuspiciousPath'
    WHEN "Message" LIKE '%launchctl%'
      AND ("Message" LIKE '% load %' OR "Message" LIKE '% bootstrap %')
      AND ("Message" LIKE '% bash %' OR "Message" LIKE '% sh %' OR "Message" LIKE '% python%' OR "Message" LIKE '% ruby %' OR "Message" LIKE '% curl %' OR "Message" LIKE '% wget %' OR "Message" LIKE '% osascript%' OR "Message" LIKE '% node %')
      THEN 'SuspiciousLaunchctlByShellOrInterpreter'
    ELSE 'LaunchdActivityDetected'
  END AS alert_type
FROM events
WHERE
  starttime > DATEADD('hour', -24, NOW())
  AND (
    "Message" LIKE '%LaunchDaemons%' OR
    "Message" LIKE '%LaunchAgents%' OR
    "Message" LIKE '%launchctl%'
  )
  AND (
    (
      ("Message" LIKE '%LaunchDaemons%.plist%' OR "Message" LIKE '%LaunchAgents%.plist%')
      AND (
        "Message" LIKE '% bash %' OR "Message" LIKE '% sh %' OR
        "Message" LIKE '% zsh %' OR "Message" LIKE '% python%' OR
        "Message" LIKE '% ruby %' OR "Message" LIKE '% perl %' OR
        "Message" LIKE '% curl %' OR "Message" LIKE '% wget %' OR
        "Message" LIKE '% osascript%' OR "Message" LIKE '% node %'
      )
    )
    OR (
      "Message" LIKE '%launchctl%'
      AND ("Message" LIKE '% load %' OR "Message" LIKE '% bootstrap %' OR "Message" LIKE '% submit %' OR "Message" LIKE '% start %')
      AND (
        "Message" LIKE '% bash %' OR "Message" LIKE '% sh %' OR "Message" LIKE '% zsh %' OR
        "Message" LIKE '% python%' OR "Message" LIKE '% ruby %' OR "Message" LIKE '% perl %' OR
        "Message" LIKE '% curl %' OR "Message" LIKE '% wget %' OR
        "Message" LIKE '%/tmp/%' OR "Message" LIKE '%/var/tmp/%' OR
        "Message" LIKE '%/Users/Shared/%'
      )
    )
  )
ORDER BY starttime DESC
LIMIT 200

high severity medium confidence

Data Sources

macOS Unified Log via QRadar DSM CrowdStrike Falcon macOS via QRadar Universal DSM Carbon Black Cloud macOS via QRadar

Required Tables

events

False Positives

System administrators running shell scripts to deploy legitimate application plist files to LaunchDaemons as part of software lifecycle management or MDM policy enforcement.
CI/CD agents (Jenkins, GitLab Runner) on macOS build hosts executing install scripts that register launch agents for build pipeline services.
Homebrew service management (brew services start/stop) generating launchctl events from zsh or bash on developer workstations during routine software updates.

Sumo Logic CSE

sql

_sourceCategory=macos* (LaunchDaemons OR LaunchAgents OR launchctl)
| parse regex field=_raw "(?<launch_path>(?:/System)?/Library/Launch(?:Daemons|Agents)/[\w\-\.]+\.plist)" nodrop
| parse regex field=_raw "launchctl\s+(?<launchctl_action>load|bootstrap|submit|start)\s+(?<launchctl_target>\S+)" nodrop
| eval is_plist_write = if(!isNull(launch_path), 1, 0)
| eval is_launchctl_load = if(!isNull(launchctl_action), 1, 0)
| eval suspicious_parent = if(_raw matches "(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)", 1, 0)
| eval suspicious_path = if(_raw matches "(/tmp/|/var/tmp/|\.hidden|/Users/Shared/)", 1, 0)
| eval is_daemon_path = if(_raw matches "Library/LaunchDaemons", 1, 0)
| eval is_system_path = if(_raw matches "System/Library", 1, 0)
| eval alert_score = is_plist_write + is_launchctl_load + suspicious_parent + suspicious_path
| where alert_score > 0
| eval alert_type = if(is_plist_write == 1 and suspicious_parent == 1, "SuspiciousPlistWriteByShell",
    if(is_plist_write == 1 and suspicious_path == 1, "PlistCreatedInSuspiciousPath",
    if(is_launchctl_load == 1 and suspicious_parent == 1, "SuspiciousLaunchctlByShell",
    if(is_launchctl_load == 1 and suspicious_path == 1, "LaunchctlLoadFromSuspiciousPath",
    if(is_plist_write == 1, "PlistWrittenToLaunchDirectory",
    if(is_launchctl_load == 1, "LaunchctlLoadDetected", "OtherLaunchdActivity"))))))
| fields _messageTime, _sourceHost, _sourceCategory, alert_type, alert_score, is_daemon_path, is_system_path, launch_path, launchctl_action, launchctl_target
| sort by alert_score desc, _messageTime desc

high severity medium confidence

Data Sources

macOS Unified Log via Sumo Logic macOS collector Syslog from macOS endpoints CrowdStrike Falcon Data Replicator to Sumo Logic

Required Tables

_sourceCategory=macos*

False Positives

Enterprise macOS management platforms (Jamf Pro, Kandji, Mosyle) deploying configuration profiles or MDM payloads that write launch agent plists via shell script post-install phases.
Developer version manager tooling (asdf, nvm, pyenv, rbenv) writing launch agents to ~/Library/LaunchAgents from shell initialization or install hooks.
Legitimate backup or monitoring agents such as Backblaze, Datadog macOS agent, or CrowdStrike Falcon itself installing launch daemons via shell-based installer scripts.

Google Chronicle / SecOps

yaral

rule t1053_004_launchd_plist_by_suspicious_process {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects plist file creation in macOS LaunchDaemon or LaunchAgent directories initiated by a shell, interpreter, or downloader process (T1053.004)"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1053.004"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path, `/Library/Launch(Daemons|Agents)/.*\.plist$`)
    re.regex($e.principal.process.file.full_path, `/(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)$`)
    $e.principal.hostname = $hostname

  condition:
    $e
}

rule t1053_004_suspicious_launchctl_execution {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects suspicious launchctl load/bootstrap/submit/start commands on macOS from shell or interpreter parents, or targeting staging paths (T1053.004)"
    mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
    mitre_attack_technique = "T1053.004"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path, `/usr/bin/launchctl$`)
    re.regex($e.target.process.command_line, `\b(load|bootstrap|submit|start)\b`)
    (
      re.regex($e.principal.process.file.full_path, `/(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)$`) or
      re.regex($e.target.process.command_line, `(/tmp/|/var/tmp/|\.hidden|/Users/Shared/)`)
    )
    $e.principal.hostname = $hostname

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle via CrowdStrike Falcon macOS telemetry Google Chronicle via Palo Alto Cortex XDR macOS Google Chronicle via Carbon Black Cloud macOS UDM ingestion

Required Tables

UDM Events (FILE_CREATION, PROCESS_LAUNCH)

False Positives

MDM solutions such as Jamf Pro or Mosyle executing post-enrollment shell scripts that create plist files in LaunchDaemons as part of managed device configuration.
macOS package managers (Homebrew, MacPorts) installing launch agents from zsh or bash during brew install or port install operations, particularly for services like nginx or postgresql.
Corporate IT automation scripts using launchctl bootstrap to register network monitoring or endpoint security agents during provisioning workflows.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|FileCreate|FileWrite)$/
| case {
    #event_simpleName = /^(FileCreate|FileWrite)$/ and
    TargetFileName = /\.plist$/ and
    TargetFilePath = /\/(Library\/LaunchDaemons|Library\/LaunchAgents|System\/Library\/LaunchDaemons|System\/Library\/LaunchAgents)\// and
    ImageFileName = /(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)$/ |
      AlertType := "PlistCreatedInLaunchDirectory" ;

    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/ and
    ImageFileName = /\/launchctl$/ and
    CommandLine = /\b(load|bootstrap|submit|start)\b/ and
    ParentBaseFileName = /(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)$/ |
      AlertType := "SuspiciousLaunchctlByShell" ;

    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/ and
    ImageFileName = /\/launchctl$/ and
    CommandLine = /\b(load|bootstrap|submit|start)\b/ and
    CommandLine = /(\/tmp\/|\/var\/tmp\/|\.hidden|\/Users\/Shared\/)/ |
      AlertType := "LaunchctlFromSuspiciousPath" ;
  }
| AlertType = *
| IsDaemonPath := if(TargetFilePath = /Library\/LaunchDaemons/ or CommandLine = /Library\/LaunchDaemons/, "true", "false")
| IsSystemPath := if(TargetFilePath = /System\/Library/ or CommandLine = /System\/Library/, "true", "false")
| groupBy(
    [ComputerName, UserName, AlertType, IsDaemonPath, IsSystemPath],
    function=[
      count(as=EventCount),
      collect([TargetFilePath, TargetFileName, ImageFileName, ParentBaseFileName, CommandLine], limit=10)
    ]
  )
| sort(field=EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon macOS sensor Falcon Data Replicator (FDR) LogScale repository

Required Tables

ProcessRollup2 SyntheticProcessRollup2 FileCreate FileWrite

False Positives

CrowdStrike Falcon sensor itself or other macOS EDR agents registering their own launch daemons via launchctl during initial installation or sensor update cycles.
macOS enterprise management platforms (Jamf, Kandji, Mosyle) deploying configuration profiles that write launch agent plists via shell script post-install phases.
Developer workflows using make, cmake, or custom build scripts that install launch agents as part of local development environment setup for services such as local database or web server instances.

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002At T1053.003Cron T1053.005Scheduled Task T1053.006Systemd Timers T1053.007Container Orchestration Job

Launchd

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections