MITRE ATT&CK® Analytic

AN0260: Analytic 0260

Detects creation or alteration of LaunchAgents or LaunchDaemons with corresponding plist modification followed by execution of associated binaries.

Enterprise · AN0260 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because LaunchAgents and LaunchDaemons are the standard macOS mechanism (launchd) for starting software automatically: agents run in a user's login session, daemons run system-wide at boot, typically as root, and both are therefore long-established persistence locations. For security leaders, the practical question is whether the organization can see when these startup items are created or changed and then used to run binaries. That visibility supports faster triage of suspicious persistence behavior on macOS endpoints and helps show whether macOS monitoring is mature enough for incident response and audit evidence.

Executive priority

Prioritize this as a macOS endpoint visibility and resilience check. The supplied ATT&CK object does not specify a tactic or threat actor, but it identifies a concrete detection pattern: LaunchAgent or LaunchDaemon creation or alteration, plist modification, and subsequent execution of associated binaries. Leaders should ask whether managed detection, EDR, and endpoint logging actually capture those linked events on macOS, and whether SOC teams can distinguish authorized software deployment from suspicious changes.

Technical view

For SOC, detection engineering, and IR teams, validate correlation across three event classes on macOS: creation or alteration of LaunchAgents or LaunchDaemons, modification of related plist files, and execution of binaries referenced by those plist entries. Because the official detection text is not provided, teams should treat this as a detection objective rather than a complete rule. Tune around known administrative tools, software installers, device management activity, and approved enterprise agents that legitimately create or update these items.

Likely telemetry

  • macOS file creation and file modification events for the LaunchAgent and LaunchDaemon locations: /Library/LaunchAgents, /Library/LaunchDaemons, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, and the per-user ~/Library/LaunchAgents
  • plist file modification metadata and, where available, parsed plist content, in particular the Program or ProgramArguments entry that names the binary launchd will run
  • Process execution telemetry for binaries associated with modified plist entries
  • Endpoint security or EDR events that link file changes to the responsible process or user
  • Change-management or device-management records for expected macOS software deployment activity

Detection direction

  • Validate that macOS telemetry covers both creation and alteration events, not only new file creation.
  • Correlate plist modification with later execution of the binary referenced by the plist, rather than alerting only on isolated file writes.
  • Baseline expected LaunchAgent and LaunchDaemon changes from approved software, management tooling, and updates to reduce false positives.
  • Confirm IR analysts can pivot from the plist to the writing process, user context, file path, binary execution, and host timeline.
  • Identify blind spots where endpoint tools do not parse plist content or do not retain enough file/process history to prove the sequence described by the analytic.
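The correlation described in the technical view and the detection direction above, together with the baseline suggested for approved changes, as an added worked example. This is not MITRE's or Glexia's code and is not an official implementation of the analytic: it assumes a simplified EDR-style event feed (file_write and process_exec records with the fields shown), and every path, process name, and plist in it is constructed for illustration. It parses plist content with the standard library, extracts the program the job points at, suppresses writes by an approved management process or a known (plist, program) pair, and alerts only when the referenced binary later executes within a time window.

```python
# Added example for analytic AN0260 (not MITRE or Glexia code): correlate a
# LaunchAgent/LaunchDaemon plist create/alter event with later execution of the
# program it references, with a baseline for approved changes. The event schema
# is an assumed simplified EDR-style feed; every sample event is constructed.
import plistlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Directories launchd loads jobs from; per-user agents: /Users/<name>/Library/LaunchAgents/
LAUNCHD_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/",
                "/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
USER_AGENTS = "/Library/LaunchAgents/"

def is_launchd_plist(path: str) -> bool:
    """True for a .plist inside a system or per-user launchd job directory."""
    if not path.endswith(".plist"):
        return False
    return path.startswith(LAUNCHD_DIRS) or (path.startswith("/Users/") and USER_AGENTS in path)

def program_from_plist(content: bytes) -> Optional[str]:
    """Executable the job runs: the Program key, else ProgramArguments[0].
    None for a malformed plist (itself worth a look in practice)."""
    try:
        job = plistlib.loads(content)
    except Exception:
        return None
    if not isinstance(job, dict):
        return None
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

@dataclass
class Alert:
    plist_path: str
    program: str
    writer: str  # process that created or altered the plist
    user: str
    write_ts: int
    exec_ts: int

def correlate(events: List[dict], approved_writers: Set[str],
              approved_jobs: Set[Tuple[str, str]], window_s: int = 3600) -> List[Alert]:
    """Alert when a launchd plist is created or altered (both arrive as file_write)
    and the referenced program then executes within window_s. Writes by approved
    management processes or known (plist path, program) pairs are suppressed.
    Assumed shapes: file_write{ts,path,content,process,user}, process_exec{ts,exe,parent}."""
    pending: Dict[str, dict] = {}  # program path -> the plist write event
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_write":
            if not is_launchd_plist(ev["path"]):
                continue
            program = program_from_plist(ev["content"])
            if program is None:
                continue
            if ev["process"] in approved_writers or (ev["path"], program) in approved_jobs:
                continue  # expected software deployment / MDM activity
            pending[program] = ev
        elif ev["type"] == "process_exec":
            # Exact path match; a production feed should resolve symlinks first.
            write_ev = pending.get(ev["exe"])
            if write_ev is not None and ev["ts"] - write_ev["ts"] <= window_s:
                alerts.append(Alert(write_ev["path"], ev["exe"], write_ev["process"],
                                    write_ev["user"], write_ev["ts"], ev["ts"]))
                del pending[ev["exe"]]
    return alerts

# Constructed sample data: one hand-written XML plist (the on-disk format) and one
# serialized with plistlib. Paths and process names are hypothetical.
MDM_PLIST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.mdm</string>
  <key>Program</key><string>/usr/local/bin/mdm-helper</string>
</dict></plist>"""
USER_PLIST = plistlib.dumps({"Label": "com.apple.update", "RunAtLoad": True,
                             "ProgramArguments": ["/Users/alice/.cache/updater", "-d"]})
SAMPLE_EVENTS = [
    {"type": "file_write", "ts": 100, "path": "/Library/LaunchDaemons/com.example.mdm.plist",
     "content": MDM_PLIST_XML, "process": "/usr/local/bin/mdmagent", "user": "root"},
    {"type": "process_exec", "ts": 102, "exe": "/usr/local/bin/mdm-helper", "parent": "launchd"},
    {"type": "file_write", "ts": 200, "path": "/Users/alice/Library/LaunchAgents/com.apple.update.plist",
     "content": USER_PLIST, "process": "/bin/bash", "user": "alice"},
    {"type": "file_write", "ts": 210, "path": "/tmp/notes.plist",  # not a launchd directory
     "content": USER_PLIST, "process": "/bin/bash", "user": "alice"},
    {"type": "process_exec", "ts": 230, "exe": "/Users/alice/.cache/updater", "parent": "launchd"},
    {"type": "process_exec", "ts": 300, "exe": "/usr/bin/curl", "parent": "/bin/zsh"},
]
APPROVED_WRITERS = {"/usr/local/bin/mdmagent"}  # hypothetical MDM agent binary
APPROVED_JOBS = {("/Library/LaunchDaemons/com.example.mdm.plist", "/usr/local/bin/mdm-helper")}

def run_sample() -> List[Alert]:
    """Expected: one alert, for alice's agent; the MDM daemon write is baselined out."""
    return correlate(SAMPLE_EVENTS, APPROVED_WRITERS, APPROVED_JOBS)
```

Two design points matter when turning this into a production rule. First, the alert fires on the plist write to execution sequence, not on the write alone, which is what keeps installer and MDM noise down; the baseline sets are where local tuning for approved agents and deployment tooling goes. Second, the correlation key is the program path taken from the plist, so the detection is only as good as the endpoint tool's ability to supply plist content and the exact executable path of the later process; where the EDR does not parse plist bodies or truncates paths, that is exactly the blind spot the detection direction above asks teams to identify.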

Mitigation priorities

  • Establish an approved baseline for LaunchAgents and LaunchDaemons on managed macOS systems.
  • Restrict and monitor administrative paths and workflows that can modify startup items, consistent with local macOS management policy.
  • Use endpoint controls and change-management processes to separate authorized software deployment from unexpected persistence-related changes.
  • Ensure incident response playbooks include collection of modified plist files, associated binaries, responsible processes, and user context.
  • Review macOS logging retention and EDR policy so the creation/modification-to-execution sequence can be reconstructed after an alert.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique entry. It is specific to macOS and focuses on LaunchAgents/LaunchDaemons with plist modification followed by execution of associated binaries. No relationship context, tactic, or official detection implementation was supplied, so local engineering is required to convert the concept into deployable logic.

The supplied object does not provide a tactic, detection rule, data source list, related techniques, mitigations, adversary relationships, or evidence of active exploitation. Conclusions should therefore be limited to macOS detection validation for this analytic pattern and must be tested against local endpoint telemetry and administrative workflows.

Official MITRE ATT&CK definition

Analytic 0260

Detects creation or alteration of LaunchAgents or LaunchDaemons with corresponding plist modification followed by execution of associated binaries.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored snapshot)
Modified: (not present in the mirrored snapshot)
Raw hash: 4651828f464e63b1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not present) | 1.0 | (not present) | Current bundle | 4651828f464e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0260 (source object reference)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.