title: Launch Daemon (T1543.004)
id: df00tech-t1543-004
status: experimental
description: |
  Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence or privilege escalation. Launch Daemons are plist files that interact with launchd, the macOS service management framework. They require elevated (root) privileges to install, execute before any user logs in, and run continuously in the background without user interaction.

  During macOS initialization, launchd loads parameters from plist files in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required keys include Label (identifier), Program or ProgramArguments (executable path), and RunAtLoad (execute on boot). Adversaries install daemons with RunAtLoad=true and a Program key pointing to a malicious executable, frequently using KeepAlive=true to restart after crashes. Daemon names are commonly disguised to mimic legitimate macOS services (e.g., com.apple.syslogd.update) to blend in with the hundreds of legitimate system daemons. Additionally, path hijacking attacks are possible when third-party package managers (Homebrew, MacPorts) create globally writable directories like /usr/local/bin/.

  Known malware families using this technique include ThiefQuest (ransomware/spyware), LoudMiner (cryptominer using com.[random_name].plist naming), OSX_OCEANLOTUS.D (APT32 backdoor), Dacls (Lazarus Group), XCSSET (Xcode supply chain malware using SSH daemon), AppleJeus (North Korean cryptocurrency theft), Bundlore (adware), and Green Lambert (nation-state implant). The daemon inherits administrative permissions at execution time, making this a combined persistence and privilege escalation vector.
references:
  - https://attack.mitre.org/techniques/T1543/004/
  - https://df00tech.com/detections/T1543.004
author: df00tech
date: 2026/03/12
tags:
  - attack.t1543.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software installers (PKG files) deploying system daemons — these are written by installd or system_installd which are excluded from the query
  - "Endpoint management solutions (Jamf Pro, Kandji, Mosyle) deploying daemon configurations via MDM enrollment profiles"
  - "Developer tools installing local service daemons (Docker Desktop installs com.docker.vmnetd, Homebrew-managed services via brew services)"
  - "IT configuration management platforms (Chef, Puppet, Ansible) deploying managed daemon configurations as part of infrastructure-as-code runs"
  - macOS major version upgrades that modify or recreate system daemons via softwareupdate or the migration assistant
level: high
