MITRE ATT&CK® Analytic

AN0766: Analytic 0766

Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon

Domain: Enterprise | ID: AN0766 | Type: Analytic | Object version 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about macOS visibility into LaunchAgent or LaunchDaemon property list creation or modification, paired with unusual payload execution after user logon. For leaders, the practical issue is whether the organization can notice when macOS logon/startup behavior changes in a way that may affect endpoint trust, user productivity, and incident response timelines.

Executive priority

Prioritize this where macOS endpoints support executives, developers, administrators, or regulated workflows. The decision value is not just having a rule, but proving that SOC and IR teams can correlate macOS configuration changes with post-logon execution, separate normal software management from suspicious behavior, and retain evidence for investigation or audit.

Technical view

For macOS coverage, validate that endpoint telemetry captures creation and modification of LaunchAgent/LaunchDaemon plist files and can correlate those events with subsequent anomalous payload execution after user logon. The correlation depends on when launchd loads the job: LaunchAgents (/Library/LaunchAgents and ~/Library/LaunchAgents) load when a user logs in and run in that user's session, while LaunchDaemons (/Library/LaunchDaemons) load at boot and run as root with no logon involved, so "after user logon" applies directly to agents and a daemon's payload should be correlated with boot or with launchd loading the job. A job can also be loaded immediately with launchctl, so payload execution may precede the next logon; a rule that strictly requires a logon event between the write and the execution will miss that case. Because the official object does not provide tactics, relationships, or detailed detection logic, teams should treat this as a detection-validation requirement rather than a complete analytic specification.

Likely telemetry

  • macOS file creation and modification events for LaunchAgent/LaunchDaemon property list files
  • Property list metadata or content sufficient to identify referenced payloads
  • User logon/session events
  • Process execution telemetry after user logon
  • Endpoint management or software deployment activity for false-positive context

Detection direction

  • Test correlation between plist creation/modification and payload execution after user logon rather than alerting on file change alone.
  • Baseline legitimate macOS management, application installation, and update activity to reduce false positives.
  • Validate visibility for both file-system activity and process execution; either source alone may be insufficient.
  • Review whether telemetry preserves enough plist detail to identify the executed payload and responsible user or process.
  • Tune for anomalous payloads, unexpected timing, unusual parent/child process relationships, or changes outside approved administrative workflows, using local environment baselines.

Mitigation priorities

  • Maintain managed macOS endpoint visibility for file modification, logon, and process execution events.
  • Apply least-privilege and change-control practices around software installation and system configuration changes.
  • Use endpoint management records to distinguish approved LaunchAgent/LaunchDaemon changes from unapproved activity.
  • Ensure SOC playbooks cover triage of plist changes, associated payloads, user context, and recent logon activity.
  • Retain relevant macOS endpoint telemetry long enough to support incident response and compliance evidence needs.

Analyst notes and limits

This is a detection analytic object, not a technique object. The supplied fields support macOS-specific monitoring of LaunchAgent/LaunchDaemon plist creation or modification plus anomalous payload execution after user logon. No relationship context was supplied, so this take does not infer specific ATT&CK techniques, actors, campaigns, or impacts.

Official detection logic was not provided, tactics were not specified, and no relationships were supplied. Local baselines, endpoint telemetry quality, and approved software-management practices are required to determine what is anomalous in a given environment.

Official MITRE ATT&CK definition

Analytic 0766

Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Before making control-coverage decisions, validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry; for this object, no relationships are currently mirrored, so that validation has to rest on local telemetry.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ff3de38f85836d80...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ff3de38f8583…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN0766
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.