DET0401 Detection Strategy for Launch Daemon Creation or Modification (macOS)

Item	Value
ID	DET0401
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1543.004 (Launch Daemon)

Analytics

macOS

AN1126

Creation or modification of .plist files in /Library/LaunchDaemons/, especially those with suspicious Program or ProgramArguments paths, combined with execution activity under launchd with elevated privileges. Detectable through correlated Unified Logs, file monitoring, and process telemetry.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	macos:unifiedlog	launchd spawning processes tied to new or modified LaunchDaemon .plist entries
File Creation (DC0039)	fs:launchdaemons	file_create
File Modification (DC0061)	fs:launchdaemons	file_modify
Service Creation (DC0060)	macos:unifiedlog	launchd loading new LaunchDaemon or changes to existing daemon configuration

Mutable Elements

Field	Description
ProgramPathRegex	Regex patterns to match anomalous executable paths or names in .plist files
TimeWindow	Correlation window between file modification and launchd process execution
UserContext	Admin or root context used during daemon installation
UnsignedBinaryFlag	Whether the binary associated with the LaunchDaemon is signed or trusted