T1053.004 IBM QRadar · QRadar

Detect Launchd in IBM QRadar

Adversaries may abuse the launchd daemon to perform task scheduling for initial or recurring execution of malicious code on macOS. The launchd daemon is responsible for loading and maintaining services within the operating system. It processes property list (plist) files found in /System/Library/LaunchDaemons, /Library/LaunchDaemons (system-wide daemons run as root), /Library/LaunchAgents (user agents run for all users), and ~/Library/LaunchAgents (user agents run for the specific user). Adversaries may install malicious plist files in these directories to achieve persistence, privilege escalation (via LaunchDaemons running as root), or execution at system startup or login. This technique is noted as deprecated by MITRE due to inaccurate original characterization, but the underlying abuse of launchd-controlled directories remains a valid and observed persistence mechanism on macOS.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Canonical reference
https://attack.mitre.org/techniques/T1053/004/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(highlevelcategory) AS high_category,
  "Message",
  CASE WHEN "Message" LIKE '%Library/LaunchDaemons%' THEN '1' ELSE '0' END AS is_daemon_path,
  CASE WHEN "Message" LIKE '%System/Library%' THEN '1' ELSE '0' END AS is_system_path,
  CASE
    WHEN "Message" LIKE '%LaunchDaemons%.plist%'
      AND ("Message" LIKE '% bash %' OR "Message" LIKE '% python%' OR "Message" LIKE '% curl %' OR "Message" LIKE '% wget %')
      THEN 'SuspiciousPlistCreationInDaemonDir'
    WHEN "Message" LIKE '%LaunchAgents%.plist%'
      AND ("Message" LIKE '% bash %' OR "Message" LIKE '% zsh %' OR "Message" LIKE '% python%' OR "Message" LIKE '% osascript%')
      THEN 'SuspiciousPlistCreationInAgentDir'
    WHEN "Message" LIKE '%launchctl%'
      AND ("Message" LIKE '% load %' OR "Message" LIKE '% bootstrap %' OR "Message" LIKE '% submit %')
      AND ("Message" LIKE '%/tmp/%' OR "Message" LIKE '%/var/tmp/%' OR "Message" LIKE '%/Users/Shared/%')
      THEN 'LaunchctlLoadFromSuspiciousPath'
    WHEN "Message" LIKE '%launchctl%'
      AND ("Message" LIKE '% load %' OR "Message" LIKE '% bootstrap %')
      AND ("Message" LIKE '% bash %' OR "Message" LIKE '% sh %' OR "Message" LIKE '% python%' OR "Message" LIKE '% ruby %' OR "Message" LIKE '% curl %' OR "Message" LIKE '% wget %' OR "Message" LIKE '% osascript%' OR "Message" LIKE '% node %')
      THEN 'SuspiciousLaunchctlByShellOrInterpreter'
    ELSE 'LaunchdActivityDetected'
  END AS alert_type
FROM events
WHERE
  starttime > DATEADD('hour', -24, NOW())
  AND (
    "Message" LIKE '%LaunchDaemons%' OR
    "Message" LIKE '%LaunchAgents%' OR
    "Message" LIKE '%launchctl%'
  )
  AND (
    (
      ("Message" LIKE '%LaunchDaemons%.plist%' OR "Message" LIKE '%LaunchAgents%.plist%')
      AND (
        "Message" LIKE '% bash %' OR "Message" LIKE '% sh %' OR
        "Message" LIKE '% zsh %' OR "Message" LIKE '% python%' OR
        "Message" LIKE '% ruby %' OR "Message" LIKE '% perl %' OR
        "Message" LIKE '% curl %' OR "Message" LIKE '% wget %' OR
        "Message" LIKE '% osascript%' OR "Message" LIKE '% node %'
      )
    )
    OR (
      "Message" LIKE '%launchctl%'
      AND ("Message" LIKE '% load %' OR "Message" LIKE '% bootstrap %' OR "Message" LIKE '% submit %' OR "Message" LIKE '% start %')
      AND (
        "Message" LIKE '% bash %' OR "Message" LIKE '% sh %' OR "Message" LIKE '% zsh %' OR
        "Message" LIKE '% python%' OR "Message" LIKE '% ruby %' OR "Message" LIKE '% perl %' OR
        "Message" LIKE '% curl %' OR "Message" LIKE '% wget %' OR
        "Message" LIKE '%/tmp/%' OR "Message" LIKE '%/var/tmp/%' OR
        "Message" LIKE '%/Users/Shared/%'
      )
    )
  )
ORDER BY starttime DESC
LIMIT 200
high severity medium confidence

Detects T1053.004 launchd abuse by querying QRadar normalized events for macOS log sources containing plist writes to LaunchDaemon or LaunchAgent directories combined with suspicious parent interpreter or downloader processes, or launchctl load/bootstrap/submit/start commands from shells or targeting writable staging paths. Alert type classification is applied via CASE expression for analyst triage.

Data Sources

macOS Unified Log via QRadar DSMCrowdStrike Falcon macOS via QRadar Universal DSMCarbon Black Cloud macOS via QRadar

Required Tables

events

False Positives & Tuning

  • System administrators running shell scripts to deploy legitimate application plist files to LaunchDaemons as part of software lifecycle management or MDM policy enforcement.
  • CI/CD agents (Jenkins, GitLab Runner) on macOS build hosts executing install scripts that register launch agents for build pipeline services.
  • Homebrew service management (brew services start/stop) generating launchctl events from zsh or bash on developer workstations during routine software updates.
Download portable Sigma rule (.yml)

Other platforms for T1053.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious LaunchAgent Plist for User Persistence

    Expected signal: File creation event for ~/Library/LaunchAgents/com.argus.test.persistence.plist and /tmp/argus_test_payload.sh. Process creation event for launchctl with arguments 'load ~/Library/LaunchAgents/com.argus.test.persistence.plist'. macOS Unified Log entry for launchd registering the new service with label 'com.argus.test.persistence'. Subsequent execution of /bin/bash with /tmp/argus_test_payload.sh as argument, initiated by launchd.

  2. Test 2Create Root LaunchDaemon Plist for System-Level Persistence

    Expected signal: File creation event for /Library/LaunchDaemons/com.argus.test.daemon.plist with initiating process sudo/bash running as root. Process creation events for sudo and launchctl with 'load /Library/LaunchDaemons/com.argus.test.daemon.plist'. macOS Unified Log entry from launchd registering system daemon. The IsDaemon flag in the KQL query should be set to true.

  3. Test 3Launchctl Load from Suspicious Temp Directory Path

    Expected signal: File creation event for /tmp/com.argus.tmppersist.plist. Process creation event for launchctl with command line containing 'load /tmp/com.argus.tmppersist.plist' — the /tmp path is a key indicator. macOS Unified Log entries for launchd service registration from a temp path.

  4. Test 4Simulate Adversary Plist Drop via curl and Shell

    Expected signal: Process creation for bash with the dropper script as command. File creation event for ~/Library/LaunchAgents/com.argus.dropper.test.plist with InitiatingProcessFileName=bash — the suspicious parent detection fires. Process creation for launchctl initiated by bash. macOS Unified Log shows the full execution chain: bash → file write → launchctl → launchd registration.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1053.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.003CronT1053.005Scheduled TaskT1053.006Systemd TimersT1053.007Container Orchestration Job

Related Techniques

T1053Scheduled Task/JobT1053.003CronT1543.001Launch AgentT1543.004Launch DaemonT1059.002AppleScriptT1059.006PythonT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1548.001Setuid and Setgid

Same Tactic: Execution

Popular Detections