MITRE ATT&CK® Analytic

AN1126: Analytic 1126

Creation or modification of `.plist` files in /Library/LaunchDaemons/, especially those with suspicious Program or ProgramArguments paths, combined with execution activity under launchd with elevated privileges. Detectable through correlated Unified Logs, file monitoring, and process telemetry.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting potentially unauthorized macOS LaunchDaemon persistence by watching for new or changed `.plist` files in `/Library/LaunchDaemons/` and correlating them with privileged execution under `launchd`. For leaders, the value is not just detecting a file change; it is validating whether the organization can see durable, elevated startup behavior on macOS systems before it becomes an incident-response blind spot.

Executive priority

Prioritize this where macOS endpoints support critical users, administrators, developers, executives, or regulated workflows. The business question is whether security teams can prove they monitor privileged macOS startup configuration changes and can distinguish expected management activity from suspicious persistence. This supports operational resilience, audit evidence for endpoint monitoring, and faster incident decisions when a Mac shows signs of unauthorized privileged execution.

Technical view

SOC and detection teams should validate coverage for macOS file monitoring in `/Library/LaunchDaemons/`, parsing of `.plist` content where available, Unified Log visibility, and process telemetry showing activity spawned by `launchd` with elevated privileges. Suspicious focus areas include newly created or modified LaunchDaemon property lists whose `Program` or `ProgramArguments` reference unusual or unexpected paths, followed by corresponding execution activity. Because ATT&CK does not provide a separate detection body for this analytic, local baselining of legitimate software deployment, endpoint management, and administrator activity is essential.

Likely telemetry

  • macOS file creation and modification events for `/Library/LaunchDaemons/*.plist`
  • File content or metadata from LaunchDaemon `.plist` files, including `Program` and `ProgramArguments` values
  • macOS Unified Logs related to LaunchDaemon loading or execution
  • Process telemetry showing `launchd`-spawned processes
  • Privilege context for processes executing with elevated rights

Detection direction

  • Correlate `.plist` creation or modification in `/Library/LaunchDaemons/` with subsequent execution under `launchd` rather than alerting on file writes alone.
  • Tune for suspicious or unexpected `Program` and `ProgramArguments` paths while allowlisting known enterprise management, security, and software update activity carefully.
  • Validate that telemetry includes both the file-system event and the resulting process execution; missing either side weakens confidence.
  • Review false positives from legitimate installers, MDM tooling, security agents, and administrator maintenance tasks.
  • Because no ATT&CK tactics or relationships are supplied, avoid over-scoping the analytic and map it locally to the behaviors and incident scenarios your team tracks.
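The correlation the list above calls for, written out as an added example (not MITRE's or Glexia's code): plist writes under `/Library/LaunchDaemons/` are paired with a later root process whose parent is `launchd`, the target executable is read from `Program` or `ProgramArguments` with the standard `plistlib`, and allowlisted paths are suppressed. The event field names, the allowlist and the sample telemetry are assumptions constructed for the demo; a plist that is written but never launched produces no alert, which is the point of correlating both sides.

```python
import plistlib
from datetime import datetime, timedelta
# Assumed allowlist of executable path prefixes expected on managed Macs (tune locally).
ALLOWED_PREFIXES = ("/usr/libexec/", "/Library/Apple/", "/usr/sbin/")
WINDOW = timedelta(minutes=10)  # assumed maximum gap between plist write and first launch
def program_path(plist_bytes):
    """Executable a LaunchDaemon plist launches: Program, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None

def is_suspicious_path(path):
    """Anything outside the allowlist, or a plist with no resolvable target, is worth a look."""
    return path is None or not path.startswith(ALLOWED_PREFIXES)

def correlate(file_events, proc_events):
    """Alert only when a suspicious LaunchDaemon plist write is followed, within WINDOW,
    by a root process spawned directly by launchd (ppid 1) running that program."""
    alerts = []
    for fe in file_events:
        p = fe["path"]
        if not (p.startswith("/Library/LaunchDaemons/") and p.endswith(".plist")):
            continue
        prog = program_path(fe["content"])
        if not is_suspicious_path(prog):
            continue  # expected management/system path: baseline noise
        for pe in proc_events:
            if (pe["ppid"] == 1 and pe["euid"] == 0 and pe["exe"] == prog
                    and fe["ts"] <= pe["ts"] <= fe["ts"] + WINDOW):
                alerts.append({"plist": p, "program": prog, "pid": pe["pid"],
                               "delay_s": (pe["ts"] - fe["ts"]).total_seconds()})
                break
    return alerts
# Constructed sample telemetry: an expected daemon, one staged from /tmp, and a write never launched.
T0 = datetime(2024, 5, 1, 9, 0, 0)
GOOD = plistlib.dumps({"Label": "com.example.updater", "Program": "/usr/libexec/example_updater"})
BAD = plistlib.dumps({"Label": "com.update.helper", "ProgramArguments": ["/tmp/.helper", "-d"]})
IDLE = plistlib.dumps({"Label": "com.example.idle", "Program": "/Users/Shared/idle"})
FILE_EVENTS = [
    {"ts": T0, "path": "/Library/LaunchDaemons/com.example.updater.plist", "content": GOOD},
    {"ts": T0 + timedelta(seconds=30), "path": "/Library/LaunchDaemons/com.update.helper.plist", "content": BAD},
    {"ts": T0 + timedelta(seconds=60), "path": "/Library/LaunchDaemons/com.example.idle.plist", "content": IDLE},
]
PROC_EVENTS = [  # ppid 1 == launchd; euid 0 == root
    {"ts": T0 + timedelta(seconds=5), "pid": 501, "ppid": 1, "euid": 0, "exe": "/usr/libexec/example_updater"},
    {"ts": T0 + timedelta(seconds=42), "pid": 777, "ppid": 1, "euid": 0, "exe": "/tmp/.helper"},
]
```

Running `correlate(FILE_EVENTS, PROC_EVENTS)` yields a single alert for `com.update.helper.plist`; the allowlisted updater and the never-launched `idle` plist are both ignored.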

Mitigation priorities

  • Establish an authorized inventory or baseline of expected LaunchDaemon `.plist` files on managed macOS systems.
  • Restrict and monitor administrative rights required to modify `/Library/LaunchDaemons/`.
  • Ensure endpoint logging collects file, process, privilege, and Unified Log evidence needed to investigate LaunchDaemon changes.
  • Integrate macOS software deployment and change-management records so analysts can quickly separate approved changes from suspicious ones.
  • Test incident-response playbooks for triaging unexpected privileged `launchd` execution on macOS endpoints.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields support macOS-specific detection engineering around LaunchDaemon `.plist` changes and elevated `launchd` execution. There are no supplied relationships, aliases, labels, or tactics, so the take avoids attribution, campaign context, and broader behavior mapping.

Official detection text is not provided, and no relationship context is supplied. The analytic’s effectiveness depends on local macOS telemetry depth, plist parsing, endpoint management context, and organization-specific baselines for legitimate LaunchDaemon activity.

Official MITRE ATT&CK definition

Analytic 1126

Creation or modification of `.plist` files in /Library/LaunchDaemons/, especially those with suspicious Program or ProgramArguments paths, combined with execution activity under launchd with elevated privileges. Detectable through correlated Unified Logs, file monitoring, and process telemetry.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ab707bdc4f83fef5...

Imported snapshots across ATT&CK releases (1)

Release 19.1, object version 1.0, status: current bundle, raw hash ab707bdc4f83…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1126 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.