title: Launchd (T1053.004)
id: df00tech-t1053-004
status: experimental
description: "Adversaries may abuse the launchd daemon to perform task scheduling for initial or recurring execution of malicious code on macOS. The launchd daemon is responsible for loading and maintaining services within the operating system. It processes property list (plist) files found in /System/Library/LaunchDaemons, /Library/LaunchDaemons (system-wide daemons run as root), /Library/LaunchAgents (user agents run for all users), and ~/Library/LaunchAgents (user agents run for the specific user). Adversaries may install malicious plist files in these directories to achieve persistence, privilege escalation (via LaunchDaemons running as root), or execution at system startup or login. This technique is noted as deprecated by MITRE due to inaccurate original characterization, but the underlying abuse of launchd-controlled directories remains a valid and observed persistence mechanism on macOS."
references:
  - https://attack.mitre.org/techniques/T1053/004/
  - https://df00tech.com/detections/T1053.004
author: df00tech
date: 2026/04/16
tags:
  - attack.t1053.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software installation (Homebrew, macOS app installers, enterprise MDM) creating plist files in LaunchDaemons or LaunchAgents directories"
  - "IT management tools (Jamf Pro, Puppet, Chef, Ansible) deploying configuration via launchctl load as part of policy enforcement"
  - "Developer tools and package managers (e.g., Homebrew services) that register background services using plist files"
  - macOS system updates modifying plist files in /System/Library paths
  - "Monitoring agents (CrowdStrike, Carbon Black, SentinelOne endpoint sensors) installing their own LaunchDaemon plist files"
level: high
