T1543.004 Launch Daemon Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TrustedDaemonInstallers = dynamic(["installd", "softwareupdate", "mdmclient", "system_installd", "launchd", "cfprefsd", "mds_stores"]);
let SuspiciousBinaryLocations = dynamic(["/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/", "/dev/"]);
let LaunchDaemonDirs = dynamic(["/Library/LaunchDaemons/", "/System/Library/LaunchDaemons/"]);
// Signal 1: plist file creation or modification in LaunchDaemon directories by non-trusted processes
let NewDaemonPlist = DeviceFileEvents
| where Timestamp > ago(24h)
| where OSPlatform has_any ("macOS", "Mac")
| where FolderPath has_any (LaunchDaemonDirs)
| where FileName endswith ".plist"
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessFileName !in~ (TrustedDaemonInstallers)
| extend DetectionType = "LaunchDaemon_PlistWrite"
| extend SuspiciousPayload = InitiatingProcessCommandLine has_any (SuspiciousBinaryLocations)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         DetectionType, Artifact = strcat(FolderPath, FileName),
         InitiatingProcess = InitiatingProcessFileName,
         CommandLine = InitiatingProcessCommandLine,
         ParentProcess = InitiatingProcessParentFileName,
         SHA256, SuspiciousPayload;
// Signal 2: launchctl explicitly loading or bootstrapping daemons from LaunchDaemon directories
let LaunchctlLoad = DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform has_any ("macOS", "Mac")
| where FileName =~ "launchctl"
| where ProcessCommandLine has_any (LaunchDaemonDirs)
| where ProcessCommandLine has_any ("load ", "bootstrap ", "enable ", "kickstart ")
| where InitiatingProcessFileName !in~ (TrustedDaemonInstallers)
| extend DetectionType = "LaunchDaemon_LaunchctlLoad"
| extend SuspiciousPayload = ProcessCommandLine has_any (SuspiciousBinaryLocations)
| project Timestamp, DeviceName, AccountName,
         DetectionType, Artifact = ProcessCommandLine,
         InitiatingProcess = InitiatingProcessFileName,
         CommandLine = ProcessCommandLine,
         ParentProcess = InitiatingProcessParentFileName,
         SHA256 = "", SuspiciousPayload;
// Union both detection signals
union NewDaemonPlist, LaunchctlLoad
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS agent)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles
Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)
IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs
macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant

Splunk

spl

index=mac_endpoint sourcetype="osquery:results" (name="file_events" OR name="process_events")
| spath output=target_path path=columns.target_path
| spath output=file_action path=columns.action
| spath output=proc_path path=columns.path
| spath output=cmdline path=columns.cmdline
| spath output=parent_path path=columns.parent_path
| spath output=uid path=columns.uid
| eval is_daemon_plist_create = if(
    name="file_events" AND
    match(target_path, "^(/Library/LaunchDaemons/|/System/Library/LaunchDaemons/).+\.plist$") AND
    file_action IN ("CREATED", "UPDATED"),
    1, 0)
| eval is_launchctl_load = if(
    name="process_events" AND
    match(proc_path, ".*/launchctl$") AND
    match(cmdline, "(load|bootstrap|enable|kickstart)") AND
    match(cmdline, "LaunchDaemons"),
    1, 0)
| where is_daemon_plist_create=1 OR is_launchctl_load=1
| eval detection_type = if(is_daemon_plist_create=1, "DaemonPlistCreated", "LaunchctlLoad")
| eval is_trusted_parent = if(
    match(parent_path, "(installd|softwareupdate|mdmclient|system_installd|launchd)$"),
    1, 0)
| where is_trusted_parent=0
| eval suspicious_payload = if(
    match(target_path, "(/tmp/|/var/tmp/|/private/tmp/|/Users/Shared/|/dev/)") OR
    match(cmdline, "(/tmp/|/var/tmp/|/private/tmp/|/Users/Shared/|/dev/)"),
    1, 0)
| table _time, host, detection_type, target_path, proc_path, cmdline, parent_path, uid, suspicious_payload
| sort - _time

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation osquery file_events osquery process_events

Required Sourcetypes

osquery:results

False Positives

Legitimate software PKG installers that deploy system daemons — parent process will be installd which is excluded by the trusted parent filter
MDM solutions (Jamf Pro, Kandji, Mosyle) pushing daemon configurations via managed profiles — these typically have mdmclient as the initiating process
Developer workstation tools (Docker Desktop, Homebrew services via 'brew services start', rbenv, pyenv) that install local daemons
IT automation tools (Chef, Puppet) executing launchctl load as part of converge runs — allowlist the specific automation service account UID
macOS system update operations modifying existing daemon plists via softwareupdate

Elastic Security (EQL)

eql

any where
  (event.category == "file" and event.type in ("creation","change") and
   file.path : ("/Library/LaunchDaemons/*","/Library/LaunchAgents/*",
                "/System/Library/LaunchDaemons/*","*/Library/LaunchAgents/*") and
   file.extension == "plist" and
   not process.name : ("installd","softwareupdate","mdmclient","system_installd",
                        "launchd","cfprefsd","mds_stores","Installer","pkgutil")) or
  (event.category == "process" and event.type == "start" and
   process.name == "launchctl" and
   process.args : ("load","enable","bootstrap") and
   process.parent.name : ("bash","sh","zsh","python*","perl","osascript","curl","wget"))

high severity high confidence

Data Sources

macOS Endpoint File Events macOS Process Events

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles
Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)
IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs
macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "TargetFilename" as TargetFile, "Image" as ProcessImage,
  "CommandLine" as CommandLine,
  CASE WHEN "TargetFilename" LIKE '/tmp/%' OR "TargetFilename" LIKE '/var/tmp/%' THEN 10
       WHEN "Image" LIKE '%/curl%' OR "Image" LIKE '%/wget%' THEN 9
       WHEN "Image" LIKE '%launchctl%' AND "CommandLine" LIKE '%load%' THEN 7
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid = 11 AND (
    "TargetFilename" LIKE '/Library/LaunchDaemons/%.plist' OR
    "TargetFilename" LIKE '/Library/LaunchAgents/%.plist'))
  OR (eventid = 1 AND "Image" LIKE '%/launchctl%' AND
      ("CommandLine" LIKE '%load%' OR "CommandLine" LIKE '%enable%') AND
      LOWER(coalesce("ParentImage","")) LIKE ANY ('%/bash%','%/sh%','%/python%','%/curl%','%/wget%'))
)
ORDER BY EventTime DESC

high severity high confidence

Data Sources

Sysmon for macOS Unified Endpoint Security

Required Tables

events

False Positives

Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles
Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)
IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs
macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant

Sumo Logic CSE

sql

_sourceCategory=macos/endpoint
| json auto
| where EventID in ("1","11")
| eval TargetLower = toLower(coalesce(TargetFilename,""))
| eval ImageLower = toLower(coalesce(Image,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval is_daemon_file = if(EventID == "11" AND (
    TargetLower matches "/library/launchdaemons/.*\.plist$" OR
    TargetLower matches "/library/launchagents/.*\.plist$"), 1, 0)
| eval is_launchctl = if(EventID == "1" AND ImageLower matches ".*/launchctl$"
    AND CmdLower matches ".*(load|enable|bootstrap).*"
    AND (ParentImage matches ".*(bash|sh|python|curl|wget|osascript).*"), 1, 0)
| where is_daemon_file == 1 OR is_launchctl == 1
| eval SuspiciousLocation = if(TargetLower matches "(/tmp/|/var/tmp/|/private/tmp/)", 1, 0)
| table _time, Computer, User, Image, CommandLine, TargetFilename, ParentImage, is_daemon_file, is_launchctl, SuspiciousLocation
| sort by _time desc

high severity high confidence

Data Sources

macOS Endpoint Events via Sumo Logic

Required Tables

macos/endpoint

False Positives

Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles
Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)
IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs
macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant

Google Chronicle / SecOps

yaral

rule macos_launchdaemon_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects macOS LaunchDaemon/LaunchAgent persistence (T1543.004)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path, `(?i)/Library/Launch(Daemons|Agents)/.*\.plist$`) nocase
    not re.regex($e.principal.process.file.full_path, `(?i)(installd|softwareupdate|mdmclient|system_installd)`) nocase

  condition:
    $e
}

high severity high confidence

Data Sources

macOS File Events via Chronicle UDM

Required Tables

FILE_CREATION

False Positives

Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles
Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)
IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs
macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /\/launchctl$/ AND CommandLine = /(load|enable|bootstrap)/i
   AND ParentBaseFileName = /(bash|sh|zsh|python|perl|ruby|curl|wget|osascript)/i)
  OR (ImageFileName != null AND TargetFileName = /\/Library\/Launch(Daemons|Agents)\/.+\.plist$/i)
| eval risk = case {
    ParentBaseFileName = /(curl|wget)/i : "critical";
    ParentBaseFileName = /(python|perl|ruby|osascript)/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Process Events (macOS)

Required Tables

ProcessRollup2

False Positives

Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles
Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)
IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs
macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant

Launch Daemon

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections