AN0780: Analytic 0780
Monitor launchd service definitions and property list (.plist) modifications for non-standard executables. Detect unauthorized processes registered as launch daemons or agents.
Analyst context for executives and security teams
This analytic matters for organizations that operate macOS endpoints because launchd services can define what runs automatically as daemons or agents. Monitoring changes to launchd property list files helps security teams identify unauthorized persistence-like registrations or unexpected background execution before they become an incident-response blind spot.
Executive priority
Security leaders should treat this as a macOS endpoint visibility and control-assurance question: do we know what is allowed to auto-start on managed Macs, and can the SOC distinguish approved IT or business software from unauthorized launch daemons or agents? The business value is stronger incident triage, better endpoint governance evidence, and reduced risk that unmanaged persistence mechanisms remain invisible during an investigation.
Technical view
For macOS, validate monitoring of launchd service definitions and .plist modifications, especially registrations that point to non-standard executables. SOC and detection engineering teams should confirm they can observe file changes to launch daemon/agent definitions and correlate those changes with the executable path, process context, signing or approval status where locally available, and whether the registering process is expected in the environment. No ATT&CK tactic or relationship context was supplied, so implementation should stay focused on the official analytic description rather than broader technique assumptions.
Likely telemetry
- macOS file modification events for launchd property list files
- launch daemon and launch agent definition contents
- Process creation or execution telemetry for executables referenced by launchd definitions
- Endpoint management or configuration inventory showing approved launch daemons and agents
- Local allowlist, software inventory, or administrative change records for expected background services
Detection direction
- Baseline approved launch daemons and agents on managed macOS systems, then alert on new or modified definitions referencing non-standard or unexpected executables.
- Review .plist changes together with the executable path and process responsible for the modification to reduce false positives from legitimate software installation, updates, or administrative tooling.
- Tune detections around business-approved macOS management agents and common enterprise software so the SOC can focus on unauthorized or unusual registrations.
- Validate telemetry coverage on all relevant macOS endpoints; gaps in file monitoring or endpoint inventory can make this analytic ineffective.
- Because no official detection logic was provided, detection teams should document local criteria for what counts as non-standard or unauthorized.
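The baseline-and-diff logic described above, as an added example that is not Glexia's or MITRE's code. It parses LaunchDaemons/LaunchAgents .plist content with plistlib, resolves the executable each job runs (Program, else the first ProgramArguments entry), and flags jobs whose label is missing from a local baseline, whose executable has drifted from the baseline, or whose executable sits outside directories the local criteria treat as standard. The baseline labels, the standard-directory list and the three sample plists are constructed for illustration; a real deployment would load the baseline from the endpoint inventory and feed in file-modification events from the fleet.

```python
import plistlib
import posixpath
from typing import Dict, List, Optional, Tuple

# Assumed local baseline: approved job labels mapped to the executable each is
# expected to run (constructed values, not a real inventory).
APPROVED_JOBS: Dict[str, str] = {
    "com.example.mdm-agent": "/Library/Example/mdm-agent",
    "com.apple.sshd": "/usr/sbin/sshd",
}

# Assumed local criteria for "standard" executable locations; tune per fleet.
STANDARD_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def executable_of(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program wins, else ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_job(raw: bytes, source_path: str) -> dict:
    """Assess one .plist; an empty findings list means the job matches the baseline."""
    job = plistlib.loads(raw)
    label = job.get("Label", "<missing Label>")
    exe = executable_of(job)
    result = {"source": source_path, "label": label, "executable": exe, "findings": []}
    if exe is None:
        result["findings"].append("no Program or ProgramArguments")
        return result
    exe = posixpath.normpath(exe)  # collapse '.', '..' and duplicate slashes
    result["executable"] = exe
    if APPROVED_JOBS.get(label) == exe:
        return result  # approved job running its expected executable
    if label not in APPROVED_JOBS:
        result["findings"].append("label not in baseline")
    else:
        result["findings"].append(f"executable differs from baseline ({APPROVED_JOBS[label]})")
    if not posixpath.isabs(exe):
        result["findings"].append("relative executable path")
    elif not exe.startswith(STANDARD_PREFIXES):
        result["findings"].append("executable outside standard directories")
    return result


def triage(plists: List[Tuple[str, bytes]]) -> List[dict]:
    """Return only the jobs with findings, i.e. candidates for SOC review."""
    return [r for r in (assess_job(raw, path) for path, raw in plists) if r["findings"]]


def _plist(body: str) -> bytes:
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
            + body.encode() + b"</dict></plist>")


# Constructed sample definitions: one approved, one unknown job pointing into a
# user-writable directory, one known label whose executable path has drifted.
SAMPLE_PLISTS: List[Tuple[str, bytes]] = [
    ("/Library/LaunchDaemons/com.example.mdm-agent.plist", _plist(
        "<key>Label</key><string>com.example.mdm-agent</string>"
        "<key>Program</key><string>/Library/Example/mdm-agent</string>"
        "<key>RunAtLoad</key><true/>")),
    ("/Library/LaunchAgents/com.example.updater.plist", _plist(
        "<key>Label</key><string>com.example.updater</string>"
        "<key>ProgramArguments</key><array>"
        "<string>/Users/Shared/.updater/helper</string><string>--daemon</string></array>"
        "<key>RunAtLoad</key><true/>")),
    ("/Library/LaunchDaemons/com.apple.sshd.plist", _plist(
        "<key>Label</key><string>com.apple.sshd</string>"
        "<key>Program</key><string>/usr/local/bin/sshd</string>")),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PLISTS):
        print(f"{hit['source']}: {hit['label']} -> {hit['executable']}: {', '.join(hit['findings'])}")
```

The approved job produces no findings even though /Library/Example/ is not a standard directory, because a baseline match is treated as sufficient; this is how the business-approved management agents mentioned above are tuned out without weakening the check for everything else. Correlating each hit with the process that wrote the file, and its signing status, is left to the EDR or file-integrity source feeding this logic.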
Mitigation priorities
- Establish and maintain an approved inventory of macOS launch daemons and agents.
- Restrict administrative permissions and change paths that allow unauthorized launchd service definition changes, using existing enterprise endpoint controls where available.
- Use endpoint management processes to enforce expected configurations and investigate drift.
- Integrate launchd definition monitoring into SOC triage and incident-response playbooks for macOS systems.
- Retain change evidence for compliance or audit needs where endpoint configuration governance is required.
Analyst notes and limits
This object is a detection analytic for macOS only. The supplied ATT&CK fields specify monitoring launchd service definitions and .plist modifications for non-standard executables and unauthorized daemon or agent registrations. There are no supplied relationships, tactics, procedure examples, or official detection query details, so environment-specific baselining is essential.
The source does not provide official detection logic, associated tactics, related techniques, adversary procedures, or relationship context. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Local macOS fleet management practices and telemetry availability determine practical effectiveness.
Analytic 0780
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4ff6abc76e22… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0780 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.