MITRE ATT&CK® Detection Strategy

DET0401: Detection Strategy for Launch Daemon Creation or Modification (macOS)

Domain: Enterprise | ID: DET0401 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0401 is a MITRE detection strategy for finding creation or modification of macOS Launch Daemons, a persistence and privilege-escalation behavior tied to ATT&CK technique T1543.004. The business significance is that Launch Daemons are loaded by launchd as root at boot, before any user logs in, and installing one requires administrative rights to write the plist into /Library/LaunchDaemons. Weak visibility here can therefore leave executive, developer, and administrator Macs with durable, privileged, unauthorized execution that does not depend on an interactive user session.

Executive priority

Security leaders should treat this as a macOS resilience and privileged-change monitoring question: do we have reliable evidence when background services are added or changed, and can the SOC distinguish approved administration from suspicious persistence? This matters for incident response scoping, privileged access governance, audit evidence around endpoint change control, and prioritizing macOS telemetry where high-value users or operational teams depend on Apple endpoints.

Technical view

Validate detections against the related ATT&CK technique T1543.004, Launch Daemon, under persistence and privilege escalation for macOS. SOC and detection teams should confirm they can observe Launch Daemon plist creation or modification in /Library/LaunchDaemons (third-party and administrator-installed daemons) and /System/Library/LaunchDaemons (Apple's own, normally protected by the sealed system volume), the elevated activity that wrote the plist, and the subsequent background execution of the daemon by launchd. Because the supplied ATT&CK object does not include an official detection description, local engineering should define expected administrative baselines and test alert logic against legitimate software management workflows before treating events as high confidence.

Likely telemetry

  • macOS file creation and modification events for Launch Daemon plist locations (/Library/LaunchDaemons and /System/Library/LaunchDaemons), including the writing process, user, and resulting file ownership and permissions
  • Endpoint process telemetry for processes started by launchd (PID 1) as daemons, including the program path named in the plist's Program or ProgramArguments
  • Privilege or administrative activity associated with installing or changing Launch Daemons
  • Endpoint security or EDR alerts that include plist path, parent process, user context, and timestamp
  • Change-management or device-management records showing approved macOS service installation or updates

Detection direction

  • Confirm telemetry exists for Launch Daemon plist creation and modification on macOS systems, especially where elevated privileges are used.
  • Correlate plist changes with process execution through launchd and with the responsible user, parent process, and management tool context.
  • Tune for known-good administrative and software-management activity to reduce false positives while preserving visibility into unusual paths, unexpected owners, or unapproved changes.
  • Use the relationship to T1543.004 to map detections to persistence and privilege-escalation coverage rather than treating this as generic file monitoring.
  • Document blind spots where macOS endpoints lack endpoint telemetry, file integrity monitoring, or centralized collection of service-change evidence.
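The telemetry and detection directions above, as an added example that is not Glexia's or MITRE's code: a Python triage routine that scopes file-change events to the Launch Daemon directories, parses the plist with the standard library's plistlib, and scores each event against a local baseline of approved labels and installers. The event schema, the baseline lists (the `com.example.mdm.` label prefix and the `/usr/sbin/installer` and `example-mdm-agent` writers), and the sample events are constructed assumptions; a real deployment would feed it EDR or file-integrity events and the organization's own device-management inventory.

```python
"""Triage macOS Launch Daemon plist change events against a local baseline.

Added example with constructed events; not Glexia or MITRE code.
"""
import plistlib
from dataclasses import dataclass, field
from typing import Optional
from xml.parsers.expat import ExpatError

# Directories launchd scans for system-wide daemons (loaded as root, before login).
LAUNCH_DAEMON_DIRS = ("/Library/LaunchDaemons/", "/System/Library/LaunchDaemons/")
# Hypothetical local baseline (assumption): label prefixes deployed via device management.
APPROVED_LABEL_PREFIXES = ("com.example.mdm.",)
# Hypothetical baseline (assumption): processes expected to write daemon plists.
APPROVED_WRITERS = ("/usr/sbin/installer", "/usr/local/bin/example-mdm-agent")
# Program locations that are rarely legitimate for a root daemon.
SUSPICIOUS_PROGRAM_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                           "/Users/", "/Volumes/")


@dataclass
class Finding:
    path: str
    severity: str
    label: Optional[str]
    program: Optional[str]
    reasons: list = field(default_factory=list)


def triage_event(event: dict) -> Optional[Finding]:
    """Score one create/modify event; return None for paths outside the daemon directories."""
    path = event["path"]
    if not path.startswith(LAUNCH_DAEMON_DIRS):
        return None  # LaunchAgents and other paths are outside T1543.004 scope

    score, reasons = 0, []
    label = program = None
    try:
        plist = plistlib.loads(event["plist_bytes"])
        parsed = True
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        parsed = False  # a daemon plist that launchd cannot parse is itself worth a look
        score += 2
        reasons.append("plist content could not be parsed (corrupt or not a plist)")

    if parsed:
        label = plist.get("Label")
        args = plist.get("ProgramArguments")
        program = args[0] if isinstance(args, list) and args else plist.get("Program")
        if program is None:
            score += 1
            reasons.append("no Program or ProgramArguments key")
        elif program.startswith(SUSPICIOUS_PROGRAM_DIRS):
            score += 3
            reasons.append(f"program {program} is in a temporary or user-writable location")
        if not isinstance(label, str) or not label.startswith(APPROVED_LABEL_PREFIXES):
            score += 1
            reasons.append(f"label {label!r} is not in the approved baseline")

    writer = event.get("process")
    if writer not in APPROVED_WRITERS:
        score += 1
        reasons.append(f"written by {writer} rather than an approved installer")
    if event.get("uid") != 0:
        score += 1
        reasons.append("writer was not uid 0; launchd rejects daemon plists not owned by root, verify ownership")

    severity = "high" if score >= 3 else "medium" if score >= 1 else "info"
    return Finding(path, severity, label, program, reasons)


def _plist(label: str, args: list, **extra) -> bytes:
    """Build XML plist bytes for a sample daemon definition."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True, **extra})


# Constructed sample events in the shape an EDR or FIM feed might deliver (assumption).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "op": "create", "uid": 0, "process": "/usr/sbin/installer",
     "path": "/Library/LaunchDaemons/com.example.mdm.agent.plist",
     "plist_bytes": _plist("com.example.mdm.agent", ["/Library/Application Support/ExampleMDM/agent"])},
    {"ts": "2024-05-01T09:05:12Z", "op": "modify", "uid": 0, "process": "/bin/bash",
     "path": "/Library/LaunchDaemons/com.apple.softwareupdated.plist",
     "plist_bytes": _plist("com.apple.softwareupdated", ["/private/tmp/.update", "-s"], KeepAlive=True)},
    {"ts": "2024-05-01T09:06:00Z", "op": "create", "uid": 501, "process": "/usr/bin/defaults",
     "path": "/Users/alice/Library/LaunchAgents/com.alice.sync.plist",
     "plist_bytes": _plist("com.alice.sync", ["/Users/alice/bin/sync"])},
    {"ts": "2024-05-01T10:15:00Z", "op": "create", "uid": 0, "process": "/usr/sbin/installer",
     "path": "/Library/LaunchDaemons/com.vendor.helper.plist",
     "plist_bytes": _plist("com.vendor.helper", ["/Library/PrivilegedHelperTools/com.vendor.helper"])},
    {"ts": "2024-05-01T11:00:00Z", "op": "create", "uid": 0, "process": "/usr/sbin/installer",
     "path": "/Library/LaunchDaemons/com.broken.plist", "plist_bytes": b"not a plist"},
]


def triage(events) -> list:
    """Return findings for in-scope events, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (triage_event(e) for e in events) if f is not None]
    return sorted(found, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.path}  label={f.label}  program={f.program}")
        for r in f.reasons:
            print(f"          - {r}")
```

The scoring deliberately treats "not in the baseline" as medium rather than high: a new vendor daemon installed by the approved installer is a change-control question, while a plist that points a root daemon at /private/tmp is the masquerading pattern the technique describes. The user-level LaunchAgents event is dropped on purpose so the analytic maps to T1543.004 rather than generic file monitoring.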

Mitigation priorities

  • Prioritize least-privilege controls for users and administrators who can install or modify Launch Daemons.
  • Maintain approved software and device-management baselines so SOC teams can separate expected Launch Daemon changes from suspicious ones.
  • Ensure macOS endpoint telemetry and retention are sufficient for incident response reconstruction of plist changes and launchd execution.
  • Review change-control and compliance evidence for privileged service installation on managed macOS systems.
  • Include Launch Daemon persistence checks in macOS incident response triage and post-incident hardening.

Analyst notes and limits

The supplied object is a detection strategy with no official description or official detection text. The strongest context comes from its relationship to ATT&CK technique T1543.004, Launch Daemon, which identifies macOS, persistence, and privilege escalation. Recommendations therefore focus on defensive validation and evidence collection rather than a MITRE-provided analytic.

This take is limited to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, actor use, impact, or existing detection coverage. Local endpoint tooling, macOS management practices, telemetry retention, and administrative baselines are required to determine actual coverage and alert quality.

Official MITRE ATT&CK definition

Detection Strategy for Launch Daemon Creation or Modification (macOS)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name           Type           Relationship / procedure
Enterprise  T1543.004  Launch Daemon  Sub-technique  This object detects Launch Daemon.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases by hash and MITRE timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7ae976208c03573a...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  7ae976208c03…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0401 (MITRE external reference record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.