
DET0434 Detection of Launch Agent Creation or Modification on macOS

ID: DET0434
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1543.001 (Launch Agent)

Analytics

macOS

AN1208

Detects creation or modification of user-level Launch Agents in monitored directories using .plist files with suspicious ProgramArguments or RunAtLoad keys. Correlates file write activity with execution of launchctl or unsigned binaries invoked at login.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | macos:unifiedlog | launchctl load or boot-time plist registration
File Creation (DC0039) | fs:fsusage | write or chmod to ~/Library/LaunchAgents/*.plist
File Modification (DC0061) | fs:fsusage | modification of existing LaunchAgents plist
Service Creation (DC0060) | macos:osquery | detection of new launch agents with suspicious paths or unsigned binaries
Mutable Elements
Field | Description
PlistDirectoryList | Monitored directories (e.g., /Library/LaunchAgents, ~/Library/LaunchAgents) for plist drops
PlistKeyMonitor | Monitored keys such as RunAtLoad, KeepAlive, or ProgramArguments for policy alignment
ExecutablePathPattern | Patterns used to detect execution from non-standard or suspicious locations like /tmp, /var, or /Users/Shared
UnsignedBinaryAlert | Raise alerts if the binary referenced in the Launch Agent is unsigned or unverified
UserContextScope | List of users whose LaunchAgents are considered high-sensitivity (e.g., admins)
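As an added illustration of analytic AN1208 and the mutable elements above (example code written for this page, not part of the ATT&CK detection strategy or any vendor's implementation), the following Python triages a single plist write observed in a Launch Agents directory. The directory regex, key list and path pattern are assumed defaults standing in for PlistDirectoryList, PlistKeyMonitor and ExecutablePathPattern; the two plists are constructed samples, and code-signature checking (UnsignedBinaryAlert) is out of scope here.

```python
import plistlib
import re

# Assumed defaults for the mutable elements (tune per environment).
PLIST_DIRECTORY_RE = re.compile(r"^(?:/Users/[^/]+)?/Library/LaunchAgents/[^/]+\.plist$")
PLIST_KEY_MONITOR = ("RunAtLoad", "KeepAlive", "ProgramArguments")
EXECUTABLE_PATH_PATTERN = re.compile(r"^(?:/tmp|/var|/Users/Shared)(?:/|$)")

# Constructed sample: a dropped agent that launches a hidden binary from /tmp at login.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/tmp/.updater", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
# Constructed sample: a typical benign agent pointing at an installed application.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
    "RunAtLoad": True,
})


def assess_launch_agent(plist_path: str, plist_bytes: bytes) -> dict:
    """Triage one plist file write; returns in-scope flag, resolved program and findings."""
    result = {"path": plist_path, "in_scope": False, "program": None,
              "findings": [], "alert": False}
    if not PLIST_DIRECTORY_RE.match(plist_path):
        return result  # not a Launch Agents directory: outside PlistDirectoryList
    result["in_scope"] = True
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException or XML parse error on malformed input
        result["findings"].append("unparseable plist")
        return result
    # launchd accepts either a bare Program key or ProgramArguments[0] as the executable.
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    result["program"] = program
    for key in PLIST_KEY_MONITOR:
        if plist.get(key):
            result["findings"].append(f"{key} set")
    suspicious_path = bool(program) and bool(EXECUTABLE_PATH_PATTERN.match(program))
    if suspicious_path:
        result["findings"].append(f"program in suspicious location: {program}")
    # Alert when a persistence trigger is set AND the executable lives in a suspicious path.
    result["alert"] = suspicious_path and bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    return result
```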