Detect Launchd in Sumo Logic CSE
Adversaries may abuse the launchd daemon to perform task scheduling for initial or recurring execution of malicious code on macOS. The launchd daemon is responsible for loading and maintaining services within the operating system. It processes property list (plist) files found in /System/Library/LaunchDaemons, /Library/LaunchDaemons (system-wide daemons run as root), /Library/LaunchAgents (user agents run for all users), and ~/Library/LaunchAgents (user agents run for the specific user). Adversaries may install malicious plist files in these directories to achieve persistence, privilege escalation (via LaunchDaemons running as root), or execution at system startup or login. This technique is noted as deprecated by MITRE due to inaccurate original characterization, but the underlying abuse of launchd-controlled directories remains a valid and observed persistence mechanism on macOS.
MITRE ATT&CK
- Canonical reference
- https://attack.mitre.org/techniques/T1053/004/
Sumo Detection Query
_sourceCategory=macos* (LaunchDaemons OR LaunchAgents OR launchctl)
| parse regex field=_raw "(?<launch_path>(?:/System)?/Library/Launch(?:Daemons|Agents)/[\w\-\.]+\.plist)" nodrop
| parse regex field=_raw "launchctl\s+(?<launchctl_action>load|bootstrap|submit|start)\s+(?<launchctl_target>\S+)" nodrop
| eval is_plist_write = if(!isNull(launch_path), 1, 0)
| eval is_launchctl_load = if(!isNull(launchctl_action), 1, 0)
| eval suspicious_parent = if(_raw matches "(bash|sh|zsh|python3?|ruby|perl|curl|wget|osascript|node)", 1, 0)
| eval suspicious_path = if(_raw matches "(/tmp/|/var/tmp/|\.hidden|/Users/Shared/)", 1, 0)
| eval is_daemon_path = if(_raw matches "Library/LaunchDaemons", 1, 0)
| eval is_system_path = if(_raw matches "System/Library", 1, 0)
| eval alert_score = is_plist_write + is_launchctl_load + suspicious_parent + suspicious_path
| where alert_score > 0
| eval alert_type = if(is_plist_write == 1 and suspicious_parent == 1, "SuspiciousPlistWriteByShell",
if(is_plist_write == 1 and suspicious_path == 1, "PlistCreatedInSuspiciousPath",
if(is_launchctl_load == 1 and suspicious_parent == 1, "SuspiciousLaunchctlByShell",
if(is_launchctl_load == 1 and suspicious_path == 1, "LaunchctlLoadFromSuspiciousPath",
if(is_plist_write == 1, "PlistWrittenToLaunchDirectory",
if(is_launchctl_load == 1, "LaunchctlLoadDetected", "OtherLaunchdActivity"))))))
| fields _messageTime, _sourceHost, _sourceCategory, alert_type, alert_score, is_daemon_path, is_system_path, launch_path, launchctl_action, launchctl_target
| sort by alert_score desc, _messageTime descDetects T1053.004 launchd abuse on macOS by parsing Sumo Logic macOS unified log or syslog data for plist writes to Launch directories combined with suspicious interpreter or downloader processes, or suspicious launchctl load/bootstrap commands. Events are scored by risk factor overlap using multiple eval fields, and classified into granular alert types to aid analyst triage and prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise macOS management platforms (Jamf Pro, Kandji, Mosyle) deploying configuration profiles or MDM payloads that write launch agent plists via shell script post-install phases.
- Developer version manager tooling (asdf, nvm, pyenv, rbenv) writing launch agents to ~/Library/LaunchAgents from shell initialization or install hooks.
- Legitimate backup or monitoring agents such as Backblaze, Datadog macOS agent, or CrowdStrike Falcon itself installing launch daemons via shell-based installer scripts.
Other platforms for T1053.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious LaunchAgent Plist for User Persistence
Expected signal: File creation event for ~/Library/LaunchAgents/com.argus.test.persistence.plist and /tmp/argus_test_payload.sh. Process creation event for launchctl with arguments 'load ~/Library/LaunchAgents/com.argus.test.persistence.plist'. macOS Unified Log entry for launchd registering the new service with label 'com.argus.test.persistence'. Subsequent execution of /bin/bash with /tmp/argus_test_payload.sh as argument, initiated by launchd.
- Test 2Create Root LaunchDaemon Plist for System-Level Persistence
Expected signal: File creation event for /Library/LaunchDaemons/com.argus.test.daemon.plist with initiating process sudo/bash running as root. Process creation events for sudo and launchctl with 'load /Library/LaunchDaemons/com.argus.test.daemon.plist'. macOS Unified Log entry from launchd registering system daemon. The IsDaemon flag in the KQL query should be set to true.
- Test 3Launchctl Load from Suspicious Temp Directory Path
Expected signal: File creation event for /tmp/com.argus.tmppersist.plist. Process creation event for launchctl with command line containing 'load /tmp/com.argus.tmppersist.plist' — the /tmp path is a key indicator. macOS Unified Log entries for launchd service registration from a temp path.
- Test 4Simulate Adversary Plist Drop via curl and Shell
Expected signal: Process creation for bash with the dropper script as command. File creation event for ~/Library/LaunchAgents/com.argus.dropper.test.plist with InitiatingProcessFileName=bash — the suspicious parent detection fires. Process creation for launchctl initiated by bash. macOS Unified Log shows the full execution chain: bash → file write → launchctl → launchd registration.
References (10)
- https://attack.mitre.org/techniques/T1053/004/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md
- https://www.sentinelone.com/blog/how-malware-persists-on-macos/
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-mac-malware/
- https://managingosx.wordpress.com/2015/10/15/launchd-is-not-a-valid-way-to-run-a-job-at-a-scheduled-time/
- https://support.apple.com/guide/terminal/apdc6c1077b-5d5d-4d35-9c19-60f2397b2369/mac
- https://github.com/SigmaHQ/sigma/tree/master/rules/macos
Unlock Pro Content
Get the full detection package for T1053.004 including response playbook, investigation guide, and atomic red team tests.