AN1577: Analytic 1577
Detects creation or modification of `LaunchDaemon` or `LaunchAgent` plist files under `/Library/LaunchDaemons/`, `~/Library/LaunchAgents/`, or similar. Monitors execution of `launchctl`, property list edits, and file permission changes.
Analyst context for executives and security teams
This analytic is about watching macOS systems for creation or modification of LaunchDaemon and LaunchAgent property list files, plus related use of launchctl, plist edits, and permission changes. For leaders, the practical value is coverage of a macOS configuration area that can materially affect endpoint behavior and incident scope. If the organization uses macOS for privileged users, developers, executives, or regulated workflows, teams should know whether these file-system and process activities are actually logged, retained, and reviewed.
Executive priority
Prioritize this as a macOS endpoint visibility and response-readiness question: can the SOC prove when LaunchDaemon or LaunchAgent files are created or changed, by whom, and what process made the change? This matters for business continuity and audit evidence because weak macOS telemetry can leave incident responders unable to reconstruct endpoint changes or distinguish legitimate administration from suspicious persistence-like behavior. Budget and control decisions should focus on endpoint logging coverage, retention, alert triage capacity, and change-governance expectations for managed macOS fleets.
Technical view
Validate monitoring on macOS for file creation and modification under /Library/LaunchDaemons/, ~/Library/LaunchAgents/, and similar LaunchDaemon or LaunchAgent locations. Correlate those file events with process execution of launchctl, property list editing activity, and file permission changes. Because the official ATT&CK object does not provide a full detection specification or tactic mapping, teams should treat AN1577 as a coverage requirement rather than a complete rule: confirm which sensors capture file paths, responsible user, parent process, command line, timestamps, and permission metadata.
Likely telemetry
- macOS endpoint file creation and modification events for LaunchDaemon and LaunchAgent plist paths
- Process execution telemetry for launchctl
- Command-line or process context for property list editing utilities or scripts
- File permission and ownership change events on relevant plist files
- User, host, parent process, and timestamp context for correlating endpoint changes
Detection direction
- Baseline legitimate macOS management activity that creates or updates LaunchDaemon and LaunchAgent plist files to reduce false positives.
- Alert on new or modified plist files in the specified locations when paired with unusual user context, unexpected parent processes, launchctl execution, or permission changes.
- Confirm coverage for both system-level /Library/LaunchDaemons/ and user-level ~/Library/LaunchAgents/ paths; user-home visibility is a common blind spot.
- Tune detections around approved software deployment, patching, and device-management workflows so SOC analysts can separate expected administrative changes from events needing investigation.
- Use this analytic as a validation test for macOS logging completeness because the official object provides no detailed detection logic.
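An added example of the correlation the detection direction above describes (not part of the ATT&CK object or Glexia's tooling): it takes constructed endpoint events, suppresses writes made by an assumed list of approved management tools, and alerts on unapproved plist writes under the watched paths only when paired with unusual user context, a `launchctl` reference or a permission change within a short window. The event format, field names and the approved-tool list are assumptions to be replaced with the local sensor's schema and baseline.

```python
"""Correlate constructed macOS endpoint events into LaunchDaemon/LaunchAgent plist alerts.
Added example; event format, field names and approved tools are assumptions."""
import re
from datetime import datetime, timedelta

# Watched persistence locations; ~/Library/LaunchAgents/ shows up as /Users/<name>/...
PLIST_RE = re.compile(
    r"^(?:/Library/Launch(?:Daemons|Agents)/|/Users/(?P<home>[^/]+)/Library/LaunchAgents/)"
    r"[^/]+\.plist$")
# Assumed baseline of approved deployment/management tools (tune to the local fleet).
APPROVED_TOOLS = {"/usr/local/bin/jamf", "/usr/sbin/installer", "/usr/sbin/softwareupdate"}
WINDOW = timedelta(minutes=5)

def parse(line):
    # Constructed format: ts|host|user|event_type|process|parent_process|target
    ts, host, user, etype, proc, parent, target = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "type": etype, "proc": proc, "parent": parent, "target": target}

def alerts(lines):
    """(host, plist, reasons) for unapproved plist writes paired with an indicator."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    out = []
    for e in events:
        m = PLIST_RE.match(e["target"])
        if e["type"] not in ("file_create", "file_modify") or not m:
            continue
        if {e["proc"], e["parent"]} & APPROVED_TOOLS:
            continue  # baselined management activity, suppressed
        reasons = []
        if m.group("home") and e["user"] != m.group("home"):
            reasons.append(f"{e['user']} wrote into {m.group('home')}'s LaunchAgents")
        for f in events:  # follow-on activity on the same host within the window
            if f["host"] != e["host"] or not (e["ts"] <= f["ts"] <= e["ts"] + WINDOW):
                continue
            if f["type"] == "process_exec" and f["proc"].endswith("/launchctl") and e["target"] in f["target"]:
                reasons.append("launchctl referenced the plist")
            if f["type"] == "perm_change" and f["target"] == e["target"]:
                reasons.append(f"permissions changed via {f['proc']}")
        if reasons:
            out.append((e["host"], e["target"], reasons))
    return out

# Constructed sample: an approved jamf deployment, a user agent dropped by a shell script
# and immediately chmod'ed and loaded, and root writing into another user's LaunchAgents.
SAMPLE = """\
2024-05-01T09:00:00|mac-01|root|file_create|/usr/local/bin/jamf|/usr/sbin/launchd|/Library/LaunchDaemons/com.example.mdm.plist
2024-05-01T10:15:00|mac-02|alice|file_create|/usr/bin/python3|/bin/bash|/Users/alice/Library/LaunchAgents/com.update.helper.plist
2024-05-01T10:15:02|mac-02|alice|perm_change|/bin/chmod|/bin/bash|/Users/alice/Library/LaunchAgents/com.update.helper.plist
2024-05-01T10:15:05|mac-02|alice|process_exec|/bin/launchctl|/bin/bash|load /Users/alice/Library/LaunchAgents/com.update.helper.plist
2024-05-01T11:00:00|mac-03|root|file_modify|/bin/cp|/bin/zsh|/Users/bob/Library/LaunchAgents/com.sync.plist
"""
```

Running `alerts(SAMPLE.splitlines())` yields two alerts (the jamf write is suppressed as baseline); extend the user-mismatch and parent checks with whatever "unusual" means for the local fleet.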
Mitigation priorities
- Establish an approved change path for macOS LaunchDaemon and LaunchAgent configuration changes.
- Restrict who can create, modify, or change permissions on relevant plist files, consistent with local administration and endpoint management requirements.
- Ensure endpoint security tooling collects file, process, command-line, and permission-change telemetry from macOS systems where business risk warrants it.
- Document expected LaunchDaemon and LaunchAgent entries for managed systems to support faster incident response and compliance evidence.
- Review retention and response playbooks so investigators can reconstruct plist changes during a macOS endpoint investigation.
Analyst notes and limits
AN1577 is a detection analytic for macOS focused on LaunchDaemon and LaunchAgent plist creation or modification, launchctl execution, plist edits, and file permission changes. No ATT&CK relationships, tactic mapping, aliases, labels, or official detection logic were supplied, so implementation should be driven by local macOS fleet architecture and available endpoint telemetry.
This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, business impact, or guaranteed detection coverage. The object names macOS as the platform and provides a high-level description only; local validation is required to determine sensor support, normal administrative patterns, and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 814a9280c4ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1577 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.