T1543.004 Elastic Security · Elastic

Detect Launch Daemon in Elastic Security

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence or privilege escalation. A Launch Daemon is defined by a property list (plist) file that launchd, the macOS service management framework, reads at boot. Daemons require root privileges to install, start before any user logs in, and run in the background without user interaction. During macOS initialization, launchd loads daemon definitions from /System/Library/LaunchDaemons/ (Apple's own daemons, protected by System Integrity Protection on current macOS) and /Library/LaunchDaemons/ (third-party daemons, and the directory adversaries actually write to). The required keys are Label (the unique job identifier) and Program or ProgramArguments (the executable and its arguments); RunAtLoad controls whether the job starts as soon as launchd loads it, which for a daemon means at boot.

Adversaries install daemons with RunAtLoad=true and a Program or ProgramArguments entry pointing to a malicious executable, frequently adding KeepAlive=true so launchd restarts the payload if it exits or is killed. Daemon labels and filenames are commonly disguised to mimic legitimate Apple services (e.g., com.apple.syslogd.update) so they blend in with the hundreds of legitimate system daemons. Path hijacking is also possible when third-party package managers (Homebrew, MacPorts) leave directories such as /usr/local/bin/ globally writable: a daemon whose program lives there can be subverted without root by replacing the binary.

Known malware families using this technique include ThiefQuest (ransomware/spyware), LoudMiner (cryptominer using com.[random_name].plist naming), OSX_OCEANLOTUS.D (APT32 backdoor), Dacls (Lazarus Group), XCSSET (Xcode supply chain malware using SSH daemon), AppleJeus (North Korean cryptocurrency theft), Bundlore (adware), and Green Lambert (nation-state implant). Because launchd runs a daemon as root unless the plist sets a different UserName, a daemon written by a compromised admin account executes with root privileges at boot, making this a combined persistence and privilege escalation vector.
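The plist keys described above are what an analyst checks first when a new file appears under /Library/LaunchDaemons/. The following triage helper is an added example for this page, not Elastic code and not taken from any malware sample: it parses a daemon plist with the standard-library plistlib module and flags the indicators the text names (RunAtLoad, KeepAlive, a program in a writable location, a com.apple. label whose program is not an Apple binary, a filename that does not match the Label). The two sample plists are constructed here (the first mirrors the Test 2 case below, the second is a hypothetical vendor helper), and the directory lists are this example's own assumptions rather than an Apple or Elastic specification.

```python
"""Triage a LaunchDaemon plist for the persistence indicators described above.

Added example: standard library only; directory lists and finding text are
this example's assumptions, not an Apple or Elastic specification.
"""
import plistlib
import posixpath
from typing import Optional

# Directories launchd reads daemon definitions from (named on this page).
DAEMON_DIRS = ("/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/")
# Where Apple's own daemon binaries live (assumption; used only for the
# com.apple. masquerade check below).
APPLE_PROGRAM_DIRS = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/",
                      "/bin/", "/sbin/")
# Locations a root daemon should never execute from (assumption).
WRITABLE_PROGRAM_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                         "/Users/", "/usr/local/")


def program_path(job: dict) -> Optional[str]:
    """The executable a job runs: Program if present, else ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def triage(plist_bytes: bytes, plist_path: str) -> dict:
    """Parse one daemon plist and return its label, program and a list of findings."""
    job = plistlib.loads(plist_bytes)
    findings = []
    label = job.get("Label")
    prog = program_path(job)

    if not label or prog is None:
        findings.append("missing required key: Label or Program/ProgramArguments")
    if job.get("RunAtLoad") is True:
        findings.append("RunAtLoad=true: job starts at boot")
    keep = job.get("KeepAlive")
    if keep is True or isinstance(keep, dict):  # KeepAlive is a bool or a dict of conditions
        findings.append("KeepAlive set: launchd restarts the job if it exits")
    if prog and prog.startswith(WRITABLE_PROGRAM_DIRS):
        findings.append(f"program in a user-writable location: {prog}")
    if label and label.startswith("com.apple.") and not (prog and prog.startswith(APPLE_PROGRAM_DIRS)):
        findings.append(f"com.apple. label but program outside Apple paths: {prog}")
    if label and posixpath.basename(plist_path) != f"{label}.plist":
        findings.append(f"filename {posixpath.basename(plist_path)} does not match Label {label}")
    if not plist_path.startswith(DAEMON_DIRS):
        findings.append(f"plist outside the daemon directories: {plist_path}")

    return {"label": label, "program": prog, "findings": findings}


# Constructed samples (not real files from any system).
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.syslogd.helper",
    "ProgramArguments": ["/tmp/com.apple.syslogd.helper", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.helper",  # hypothetical vendor daemon
    "Program": "/Library/PrivilegedHelperTools/com.example.helper",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for data, path in ((SUSPICIOUS_PLIST, "/Library/LaunchDaemons/com.apple.syslogd.helper.plist"),
                       (BENIGN_PLIST, "/Library/LaunchDaemons/com.example.helper.plist")):
        result = triage(data, path)
        print(path, "->", len(result["findings"]), "finding(s)")
        for finding in result["findings"]:
            print("   ", finding)
```

The constructed masquerade plist produces four findings; the vendor helper produces only the RunAtLoad note, which on its own is normal for a daemon. On a live host the same function can be pointed at each file in /Library/LaunchDaemons/ after reading it in binary mode; plistlib handles both the XML and the binary plist encodings.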

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1543 Create or Modify System Process
Sub-technique
T1543.004 Launch Daemon
Canonical reference
https://attack.mitre.org/techniques/T1543/004/

Elastic Detection Query

Elastic Security (Elastic)
eql
any where
  (event.category == "file" and event.type in ("creation","change") and
   file.path : ("/Library/LaunchDaemons/*","/Library/LaunchAgents/*",
                "/System/Library/LaunchDaemons/*","*/Library/LaunchAgents/*") and
   file.extension == "plist" and
   not process.name : ("installd","softwareupdate","mdmclient","system_installd",
                        "launchd","cfprefsd","mds_stores","Installer","pkgutil")) or
  (event.category == "process" and event.type == "start" and
   process.name == "launchctl" and
   process.args : ("load","enable","bootstrap") and
   process.parent.name : ("bash","sh","zsh","python*","perl","osascript","curl","wget"))
Severity: high. Confidence: high.

Detects macOS Launch Daemon and Launch Agent persistence in two ways: a plist created or changed under the launchd directories by a process other than the listed system installers, or launchctl started with the load, enable or bootstrap subcommand from a shell or scripting-interpreter parent.
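To see exactly which events the two branches of the rule above match, the following is an added example for this page, not Elastic's rule engine: a plain-Python re-implementation of the file branch and the launchctl branch, run over hand-built ECS-style events. The events are constructed to mirror Tests 1 and 3 from this page, plus a benign installd write, a per-user Launch Agent, and a `sudo launchctl load` invocation; the last one is included because sudo execs launchctl itself, so process.parent.name is "sudo" rather than the shell and the parent check does not fire. The eql_match helper only approximates the EQL `:` operator (case-insensitive, `*` wildcard).

```python
"""Replay the EQL rule above over constructed endpoint events.

Added example: a Python approximation of the rule's two branches, not Elastic
code. Events are constructed for this example and labelled as such.
"""
import fnmatch

# Values copied from the rule above.
PLIST_PATHS = ("/Library/LaunchDaemons/*", "/Library/LaunchAgents/*",
               "/System/Library/LaunchDaemons/*", "*/Library/LaunchAgents/*")
INSTALLER_PROCS = ("installd", "softwareupdate", "mdmclient", "system_installd",
                   "launchd", "cfprefsd", "mds_stores", "Installer", "pkgutil")
LAUNCHCTL_ARGS = ("load", "enable", "bootstrap")
SCRIPT_PARENTS = ("bash", "sh", "zsh", "python*", "perl", "osascript", "curl", "wget")


def eql_match(value: str, patterns) -> bool:
    """Approximate EQL's ':' operator: case-insensitive, with * wildcards."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def file_branch(ev: dict) -> bool:
    """Plist created or changed under a launchd directory by a non-installer process."""
    return (ev.get("event.category") == "file"
            and ev.get("event.type") in ("creation", "change")
            and eql_match(ev.get("file.path", ""), PLIST_PATHS)
            and ev.get("file.extension") == "plist"
            and not eql_match(ev.get("process.name", ""), INSTALLER_PROCS))


def process_branch(ev: dict) -> bool:
    """launchctl load/enable/bootstrap started by a shell or interpreter."""
    return (ev.get("event.category") == "process"
            and ev.get("event.type") == "start"
            and ev.get("process.name") == "launchctl"
            and any(eql_match(a, LAUNCHCTL_ARGS) for a in ev.get("process.args", []))
            and eql_match(ev.get("process.parent.name", ""), SCRIPT_PARENTS))


def rule_matches(ev: dict) -> bool:
    return file_branch(ev) or process_branch(ev)


def alerts(events) -> list:
    """IDs of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if rule_matches(ev)]


# Constructed events (not captured from a real host).
DAEMON = "/Library/LaunchDaemons/com.df00tech.test.daemon.plist"
EVENTS = [
    # Test 1: the test script, running as root under bash, writes the plist ...
    {"id": "t1-file", "event.category": "file", "event.type": "creation",
     "file.path": DAEMON, "file.extension": "plist", "process.name": "bash"},
    # ... and loads it with the legacy subcommand.
    {"id": "t1-proc", "event.category": "process", "event.type": "start",
     "process.name": "launchctl", "process.parent.name": "bash",
     "process.args": ["launchctl", "load", DAEMON]},
    # Test 3: the modern subcommand, bootstrapped into the system domain from zsh.
    {"id": "t3-proc", "event.category": "process", "event.type": "start",
     "process.name": "launchctl", "process.parent.name": "zsh",
     "process.args": ["launchctl", "bootstrap", "system",
                      "/Library/LaunchDaemons/com.df00tech.bootstrap.test.plist"]},
    # A per-user Launch Agent written by a shell: caught by */Library/LaunchAgents/*.
    {"id": "agent-file", "event.category": "file", "event.type": "creation",
     "file.path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
     "file.extension": "plist", "process.name": "zsh"},
    # Benign: a .pkg installer deploying a daemon through installd (excluded).
    {"id": "pkg-file", "event.category": "file", "event.type": "creation",
     "file.path": "/Library/LaunchDaemons/com.example.helper.plist",
     "file.extension": "plist", "process.name": "installd"},
    # Coverage gap: an admin types `sudo launchctl load ...` in Terminal. sudo
    # execs launchctl, so the parent is "sudo", not the shell, and nothing fires.
    {"id": "sudo-proc", "event.category": "process", "event.type": "start",
     "process.name": "launchctl", "process.parent.name": "sudo",
     "process.args": ["launchctl", "load", DAEMON]},
]

if __name__ == "__main__":
    print(alerts(EVENTS))
```

Running it lists t1-file, t1-proc, t3-proc and agent-file; the installd write is excluded as intended, and the sudo case is missed by the process branch (the plist write that precedes it is still caught by the file branch if it was made by a shell). Removing "bootstrap" from LAUNCHCTL_ARGS would drop t3-proc, which is why Test 3 exists. Adding "sudo" to SCRIPT_PARENTS, or anchoring the process branch on a /Library/LaunchDaemons/ path in process.args instead of the parent name, are tuning options to evaluate against your own telemetry; neither is part of the rule as published above.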

Data Sources

macOS Endpoint File Events
macOS Endpoint Process Events

Required Tables

logs-endpoint.events.file-*
logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate software installers (PKG files) deploying system daemons: these plists are written by installd or system_installd, both of which the query excludes
  • Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles; mdmclient is excluded, but vendor agents that write the plist themselves are not
  • Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd; Homebrew-managed services via brew services)
  • IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs; these typically write the plist from a Ruby or Python process, which the file branch does not exclude
  • macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant
  • Tuning note (coverage, not a false positive): launchctl run through sudo from an interactive shell has process.parent.name sudo, which is not in the parent list, so in that case only the preceding plist write is caught. Adding sudo to the parent list, or matching on a /Library/LaunchDaemons/ path in process.args instead of the parent name, closes the gap at the cost of more admin-driven alerts

Testing Methodology

Validate this detection against the four test cases below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see, expressed in the field names of the query above.

  1. Test 1: Create and Load a Persistent Launch Daemon

    Expected signal: a file event (event.type creation) for /Library/LaunchDaemons/com.df00tech.test.daemon.plist with process.name bash, which is not in the query's installer exclusion list, so the file branch fires. A process start event for launchctl with process.args containing load and /Library/LaunchDaemons/com.df00tech.test.daemon.plist and process.parent.name bash, so the launchctl branch fires as well (this holds when the test script itself runs as root; if launchctl is invoked through sudo from an interactive shell, the parent is sudo and the process branch stays silent). The macOS unified log shows launchd registering com.df00tech.test.daemon, and osquery file_events records a CREATED action for that target_path.

  2. Test 2: Create Launch Daemon Mimicking Apple System Service with Payload in /tmp/

    Expected signal: a file creation event for /Library/LaunchDaemons/com.apple.syslogd.helper.plist with process.name bash: the filename carries the com.apple. prefix but the writer is not installd or any other excluded installer, so the file branch fires. A second file creation event for the payload /tmp/com.apple.syslogd.helper in world-writable /tmp/. A com.apple.-prefixed plist written by a non-Apple process, and a daemon whose program path points into /tmp/, are the conditions the masquerading hunting query looks for.

  3. Test 3: Load Daemon via Modern launchctl bootstrap Command

    Expected signal: a file creation event for the plist, then a launchctl process start event whose process.args contain bootstrap, system and /Library/LaunchDaemons/com.df00tech.bootstrap.test.plist. This is the case the bootstrap value in the query's process.args list exists for: bootstrap is the modern replacement for load, and a rule that matches only load misses it. The unified log shows launchd registering the daemon in the system bootstrap domain.

  4. Test 4: Simulate LaunchDaemon Path Hijacking via World-Writable Directory

    Expected signal: a file creation event for /usr/local/df00tech-writable-test/df00tech-hijack-payload by a non-root user (the payload write needs no sudo). A file creation event for /Library/LaunchDaemons/com.df00tech.hijack.test.plist with process.name bash, and a launchctl load process event targeting /Library/LaunchDaemons/, both caught by the query above. The daemon hunting query fires when launchd subsequently starts the program from /usr/local/df00tech-writable-test/, a path outside /usr/libexec/, /usr/bin/ and /System/Library/.
