Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1740: Analytic 1740

Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. From the defender’s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock.

MobileAN1740AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1740 is an iOS detection analytic focused on persistence-like auto-start behavior: unauthorized launchd configuration changes, suspicious background execution entitlements, or sideloaded app containers that remain active after boot or user unlock. For leaders, the value is not just spotting a changed plist; it is validating whether mobile devices can reveal unauthorized software that survives normal restart and unlock cycles, which can affect executive mobility, regulated data access, and incident containment decisions.

Executive priority

Prioritize this analytic where iOS devices have access to sensitive business systems, privileged identities, regulated data, or operational workflows. The key management question is whether the organization has enough mobile telemetry and control over app provenance, background execution, and configuration integrity to prove that only approved software can auto-start. This supports incident response readiness, mobile compliance evidence, and control prioritization around managed devices and sideloading risk.

Technical view

SOC and detection teams should validate visibility into iOS launchd-related configuration changes, LaunchDaemons/LaunchAgents plist creation or modification, launchd-started binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes active immediately after boot or unlock. Because ATT&CK provides no separate detection logic and no relationship context for this analytic, teams should build local baselines for approved launchd entries, expected app containers, approved background entitlements, and normal boot/unlock process behavior before alerting on deviations.

Likely telemetry

  • New or modified plist files in iOS launchd-related LaunchDaemons or LaunchAgents directories, where accessible through managed telemetry
  • launchd process start activity, especially binaries launched during device boot or user unlock
  • Binary or app provenance indicators, including Apple, App Store, enterprise-managed, or sideloaded origin where available
  • App container inventory and changes, especially sideloaded or unexpected containers
  • Application entitlements and declared background execution modes

Detection direction

  • Baseline approved launchd plist paths, hashes, owners, and associated binaries for managed iOS fleets before treating changes as high confidence.
  • Correlate three signals where possible: configuration change, non-standard app or binary location, and execution immediately after boot or unlock.
  • Tune for legitimate enterprise-managed apps that use approved background modes to reduce false positives.
  • Flag launchd-started binaries or apps from non-Apple, non-AppStore, or otherwise unapproved locations when local policy does not allow them.
  • Validate whether mobile telemetry can actually observe filesystem, entitlement, and boot/unlock execution context; lack of these sources is a material blind spot.

Mitigation priorities

  • Define and enforce approved iOS app installation sources, especially for enterprise or managed devices.
  • Restrict or govern sideloaded applications according to business need and risk tolerance.
  • Maintain MDM or equivalent mobile management baselines for installed apps, configuration state, and compliance posture.
  • Review applications with background execution capabilities to confirm they are expected and business-approved.
  • Include suspicious mobile auto-start behavior in incident response triage, especially for devices tied to privileged users or sensitive applications.
Analyst notes and limits

This object is a detection analytic in the ATT&CK mobile domain for iOS. Its practical value is strongest in managed-device environments where defenders can compare launchd configuration, app provenance, app entitlements, and boot/unlock execution behavior against an approved baseline. No tactics or relationships were supplied, so the take avoids mapping it to a specific ATT&CK tactic beyond the behavior described in the official analytic.

Official detection content was not provided, and no relationships were supplied. Visibility into iOS filesystem changes, launchd behavior, app entitlements, and sideloaded containers may vary significantly by device management model, OS constraints, privacy settings, and telemetry provider. Local baselines are required to distinguish approved enterprise behavior from suspicious auto-start activity.

Official MITRE ATT&CK definition

Analytic 1740

Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. From the defender’s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
7c0d7febca3ed922...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 7c0d7febca3e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1740
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use