MITRE ATT&CK® Analytic

AN0115: Analytic 0115

Detects deletion of launch agents (~/Library/LaunchAgents/) and launch daemons (/Library/LaunchDaemons/), especially after suspicious process execution or when tied to known persistence methods.

Enterprise | AN0115 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is relevant to macOS environments because LaunchAgents and LaunchDaemons are common locations for software persistence and service-style execution. Deletion of these items can be benign administration or software cleanup, but it can also matter during incident response when an actor removes persistence artifacts or when suspicious process activity is followed by cleanup. For leaders, the value is not the deletion event alone; it is whether the organization can prove it has enough macOS endpoint visibility to connect file deletion, process execution, user context, and prior persistence indicators.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness check. Security leaders should ask whether SOC and IR teams can reconstruct changes under ~/Library/LaunchAgents/ and /Library/LaunchDaemons/, especially around suspicious process execution. This supports business continuity by improving confidence that macOS persistence or cleanup activity can be investigated quickly, and it supports audit/compliance evidence by demonstrating monitoring of security-relevant system locations. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused detection analytic rather than a complete risk scenario.

Technical view

Validate collection and correlation for macOS file deletion events under ~/Library/LaunchAgents/ and /Library/LaunchDaemons/. The analytic is most useful when enriched with process execution history, user identity, parent process, timestamp proximity, full file path and name, and whether the deleted item was previously associated with known persistence behavior. Two caveats matter for triage. First, /Library/LaunchDaemons/ is root-owned, so a deletion there implies the acting process already held root, and the question becomes how it got it. Second, removing a plist does not by itself unload a job that launchd has already started, so a deletion can be cleanup of a persistence artifact while the service it defined keeps running until it is unloaded or the system restarts. Since the official detection logic is not provided, detection engineers should not rely on path matching alone and should tune for context such as deletion shortly after suspicious process execution or removal of launch items tied to an active persistence investigation.

Likely telemetry

  • macOS endpoint file deletion events for ~/Library/LaunchAgents/
  • macOS endpoint file deletion events for /Library/LaunchDaemons/
  • Process execution telemetry around the time of deletion
  • Parent-child process relationships for deletion activity
  • User account and privilege context for the deleting process

Detection direction

  • Confirm that telemetry distinguishes user LaunchAgents from system LaunchDaemons and preserves full file paths.
  • Correlate deletion events with nearby process execution rather than alerting only on any launch item deletion.
  • Tune expected administrative, software update, and uninstall activity to reduce false positives.
  • Investigate deletions where the responsible process, user, or timing is inconsistent with normal macOS management activity.
  • Check whether the deleted launch item had prior persistence relevance, suspicious naming, unusual ownership, or recent modification history if those data are locally available.
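
The correlation described in the technical view and in the bullets above, as an added example written for this page rather than MITRE's analytic logic or Glexia's code. It assumes a constructed, simplified event record (exec and unlink events carrying pid, ppid, uid, image path and target path) instead of any vendor's real telemetry format; the expected-remover list, the unusual-execution prefixes, the five-minute look-back window and the sample events are illustrative assumptions to be replaced by local baselines.

```python
"""Added example for AN0115: correlate macOS launch-item deletions with the
process activity around them. Written for this page, not MITRE's analytic
logic or Glexia's code. Event is a constructed, simplified schema (exec/unlink
with pid, ppid, uid, image path, target path), not a vendor's real format."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# The two directories named by AN0115; the full path is kept for triage.
# /Library/LaunchAgents is a third location the analytic does not name; add it
# here if local scope requires it.
LAUNCH_ITEM_RE = re.compile(
    r"^(?P<dir>/Users/[^/]+/Library/LaunchAgents|/Library/LaunchDaemons)/"
    r"(?P<name>[^/]+\.plist)$")

# Assumptions for illustration only; replace with local baselines.
EXPECTED_REMOVERS = {"/usr/sbin/installer", "/usr/local/jamf/bin/jamf"}
UNUSUAL_EXEC_PREFIXES = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/Users/Shared/")
WINDOW = timedelta(minutes=5)  # look-back for related exec events


@dataclass
class Event:
    ts: datetime
    kind: str        # "exec" or "unlink"
    pid: int
    ppid: int
    uid: int
    exe: str         # image path of the acting process
    path: str = ""   # target of an unlink


@dataclass
class Finding:
    ts: datetime
    scope: str       # "agent" (user LaunchAgent) or "daemon" (system LaunchDaemon)
    name: str        # plist file name
    remover: str     # exe that performed the deletion
    uid: int
    severity: str
    reasons: list = field(default_factory=list)


def classify_launch_item(path):
    """Return (scope, plist name) for a launch-item path, else None."""
    m = LAUNCH_ITEM_RE.match(path)
    if not m:
        return None
    scope = "daemon" if m.group("dir") == "/Library/LaunchDaemons" else "agent"
    return scope, m.group("name")


def correlate(events, window=WINDOW):
    """One Finding per launch-item deletion, enriched with exec events of the
    deleting process or its parent inside `window`. Expected removers with no
    other indicator are tuned out rather than alerted on."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if ev.kind != "unlink" or (item := classify_launch_item(ev.path)) is None:
            continue
        scope, name = item
        related = [p for p in events[:i] if p.kind == "exec"
                   and ev.ts - p.ts <= window and p.pid in (ev.pid, ev.ppid)]
        reasons = []
        if any(p.exe.startswith(UNUSUAL_EXEC_PREFIXES) for p in related):
            reasons.append("deleting process or its parent ran from an unusual location")
        if scope == "agent" and name.startswith("com.apple."):
            reasons.append("Apple-style name in a user LaunchAgent (common masquerade)")
        if ev.exe in EXPECTED_REMOVERS and not reasons:
            continue
        severity = "high" if reasons else ("medium" if scope == "daemon" else "low")
        findings.append(Finding(ev.ts, scope, name, ev.exe, ev.uid, severity, reasons))
    return findings


def sample_events():
    """Constructed telemetry for the demonstration, not captured data."""
    t = datetime(2026, 1, 15, 10, 0, 0)
    return [
        # Package installer removes a vendor daemon: expected, tuned out.
        Event(t, "exec", 500, 1, 0, "/usr/sbin/installer"),
        Event(t + timedelta(seconds=5), "unlink", 500, 1, 0, "/usr/sbin/installer",
              "/Library/LaunchDaemons/com.vendor.updater.plist"),
        # Helper run from /private/tmp spawns rm against an Apple-named user agent.
        Event(t + timedelta(minutes=5), "exec", 600, 420, 501, "/private/tmp/.x/helper"),
        Event(t + timedelta(minutes=5, seconds=30), "unlink", 601, 600, 501, "/bin/rm",
              "/Users/alice/Library/LaunchAgents/com.apple.sync.plist"),
        # rm of a system daemon with no related exec context: still worth a look.
        Event(t + timedelta(minutes=30), "unlink", 700, 1, 0, "/bin/rm",
              "/Library/LaunchDaemons/com.example.agent.plist"),
        # Deletion outside the two directories: ignored.
        Event(t + timedelta(minutes=31), "unlink", 701, 1, 501, "/bin/rm",
              "/Users/alice/Library/Preferences/com.example.plist"),
    ]


if __name__ == "__main__":
    for f in correlate(sample_events()):
        print(f.ts.time(), f.severity, f.scope, f.name, f.remover, f.reasons)
```

Run against the constructed events, the installer's removal is suppressed, the rm spawned by a /private/tmp helper against an Apple-named user agent is rated high, and the context-free deletion of a system daemon is rated medium for follow-up. The point is the enrichment, not the scoring: each finding keeps the scope, full plist name, deleting image, uid and the reasons, which is what an IR reconstruction needs.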

Mitigation priorities

  • Ensure macOS endpoint monitoring covers security-relevant launch agent and daemon directories.
  • Retain endpoint telemetry long enough for incident responders to reconstruct persistence creation and removal timelines.
  • Define approved administrative and software management workflows that commonly remove launch items, so SOC teams can tune expected activity.
  • Harden access to system-level LaunchDaemons through standard macOS privilege and change-control practices.
  • Use IR playbooks that preserve evidence when launch items are deleted after suspicious process execution.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS launch agent and daemon deletion. It has no supplied relationships, tactic mapping, aliases, labels, or official detection logic. The strongest defensive use is as a validation point for macOS endpoint telemetry, correlation, and IR reconstruction rather than a standalone high-confidence alert.

This take is limited to the supplied official fields. It does not infer active exploitation, specific threat actors, malware families, or guaranteed detection coverage. Local baselines are required to separate normal software removal and administration from suspicious cleanup behavior.

Official MITRE ATT&CK definition

Analytic 0115

Detects deletion of launch agents (~/Library/LaunchAgents/) and launch daemons (/Library/LaunchDaemons/), especially after suspicious process execution or when tied to known persistence methods.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships (none are mirrored for this object at present) and against your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: be0480cd4c8e4ca6...

Imported snapshots across ATT&CK releases (1)

Release 19.1, object version 1.0, status: current bundle, raw hash be0480cd4c8e…

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.