MITRE ATT&CK® Detection Strategy

DET0434: Detection of Launch Agent Creation or Modification on macOS

Enterprise | DET0434 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because Launch Agent creation or modification is a macOS persistence and privilege-escalation behavior: if an attacker can place or alter the relevant property list files, code may run again when a user logs in. For leaders, the practical issue is whether macOS endpoint monitoring can prove when these persistence points change, who changed them, and whether the change is expected software activity or suspicious.

Executive priority

Prioritize this as a macOS resilience and incident-readiness control point. It supports faster scoping during suspected compromise, strengthens audit evidence around endpoint change monitoring, and helps security teams validate whether managed detection and IR processes cover user-level persistence rather than only obvious malware execution.

Technical view

The supplied relationship maps DET0434 to ATT&CK T1543.001 Launch Agent, associated with persistence and privilege-escalation on macOS. SOC and detection teams should validate visibility into creation and modification of Launch Agent .plist files in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents, then correlate those changes with the responsible user, process, parent process, file metadata, and subsequent execution behavior where available. Because no official detection logic is provided in the object, local baselining is required to distinguish legitimate software installation, management tooling, and OS activity from suspicious persistence changes.

Likely telemetry

  • macOS file creation, modification, and deletion events for Launch Agent .plist paths
  • Endpoint process telemetry showing the process and user responsible for Launch Agent changes
  • File metadata and content indicators for changed .plist files, such as path, ownership, permissions, timestamps, and referenced program or arguments
  • User logon/session context to understand when launchd may load per-user agents
  • Endpoint security or EDR alerts related to persistence, startup item changes, or suspicious child processes after login

Detection direction

  • Validate that telemetry exists for all relationship-supplied Launch Agent locations: /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.
  • Tune detections around newly created or recently modified .plist files, especially when the responsible process is unusual for the environment or not tied to approved software management.
  • Correlate Launch Agent changes with subsequent execution at user login to improve confidence and reduce noise.
  • Baseline legitimate macOS administration, application updates, and endpoint-management activity before escalating alerts as incidents.
  • Review blind spots for user home directories, unmanaged macOS assets, short telemetry retention, and file-only monitoring that lacks process/user attribution.
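The Technical view and Detection direction items above describe a triage loop: keep only file events under the three Launch Agent directories, attribute each change to the responsible user and process, read the program the .plist will launch, and compare the writer against a locally baselined allowlist. The following Python script is an added example that is not part of the Glexia page or the MITRE object. It assumes a simple JSON-style event schema (fields ts, action, path, user, process, parent_process, plist) produced by whatever endpoint telemetry is in use, a hypothetical allowlist of approved writer processes, and constructed sample events; the user-writable-location heuristic is a choice made for this example, not ATT&CK detection logic.

```python
"""Triage macOS Launch Agent .plist change events (added example; constructed data)."""
import json
import plistlib
import re

# Launch Agent directories named on the page; the per-user one is matched
# for any account under /Users rather than only the current user's home.
SYSTEM_AGENT_DIRS = ("/System/Library/LaunchAgents/", "/Library/LaunchAgents/")
USER_AGENT_DIR = re.compile(r"^/Users/[^/]+/Library/LaunchAgents/")

# Hypothetical allowlist of processes that legitimately write Launch Agents in
# this environment; a real list comes from local baselining, as the page notes.
APPROVED_WRITERS = {"installer", "softwareupdated", "jamf"}

# Heuristic for this example: a persisted program living somewhere any user can
# write deserves a closer look than one inside an installed application bundle.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


def is_launch_agent_plist(path):
    """True when the path is a .plist inside one of the Launch Agent locations."""
    if not path.endswith(".plist"):
        return False
    return path.startswith(SYSTEM_AGENT_DIRS) or bool(USER_AGENT_DIR.match(path))


def extract_program(plist_xml):
    """Return (program, run_at_load) from the XML text of a launchd plist."""
    data = plistlib.loads(plist_xml.encode())
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    return program, bool(data.get("RunAtLoad", False))


def triage_event(event):
    """Return a finding for a relevant create/modify event, or None to ignore it."""
    path = event["path"]
    if not is_launch_agent_plist(path) or event["action"] not in ("create", "modify"):
        return None
    reasons = []
    if event["process"] not in APPROVED_WRITERS:
        reasons.append(f"writer '{event['process']}' not in approved set")
    program, run_at_load = None, False
    if event.get("plist"):
        program, run_at_load = extract_program(event["plist"])
        if program and program.startswith(WRITABLE_PREFIXES):
            reasons.append(f"program '{program}' lives in a user-writable location")
        # RunAtLoad alone is normal; it only sharpens a finding that already has reasons.
        if run_at_load and reasons:
            reasons.append("RunAtLoad is set, so it executes at the next login")
    return {
        "path": path, "user": event["user"], "process": event["process"],
        "parent": event.get("parent_process"), "program": program,
        "suspicious": bool(reasons), "reasons": reasons,
    }


def triage(events):
    """Run triage_event over a list of events and keep only the relevant findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed sample plists (not real software) in the XML layout launchd reads.
USER_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Caches/updater</string><string>--quiet</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

VENDOR_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.vendor.agent</string>
<key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/agent</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample events in the assumed schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:03Z", "action": "create",
     "path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
     "user": "alice", "process": "osascript", "parent_process": "Terminal", "plist": USER_PLIST},
    {"ts": "2024-05-01T10:40:19Z", "action": "modify",
     "path": "/Library/LaunchAgents/com.vendor.agent.plist",
     "user": "root", "process": "installer", "parent_process": "Installer", "plist": VENDOR_PLIST},
    {"ts": "2024-05-01T11:02:44Z", "action": "create",
     "path": "/Users/bob/Documents/notes.plist", "user": "bob", "process": "TextEdit"},
    {"ts": "2024-05-01T11:30:00Z", "action": "delete",
     "path": "/Users/alice/Library/LaunchAgents/old.plist", "user": "alice", "process": "Finder"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The first sample event yields a finding with three reasons (unapproved writer, user-writable program, RunAtLoad set) while the vendor update written by the approved installer is recorded but not flagged, which is the baseline-versus-anomaly split the Detection direction items ask for; the two events outside the Launch Agent paths, or that delete rather than create, are ignored. Process and parent attribution are carried into each finding so a reviewer can see who made the change, not only that a file changed.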

Mitigation priorities

  • Ensure macOS endpoints are enrolled in endpoint monitoring capable of collecting file and process evidence for Launch Agent locations.
  • Restrict unauthorized administrative changes and validate least-privilege practices for users and management tools.
  • Maintain approved software deployment and change records so SOC teams can distinguish expected Launch Agent updates from suspicious persistence.
  • Include Launch Agent review in macOS incident response triage and persistence eradication checklists.
  • Test detection and response workflows using benign validation activities approved by the organization, without relying on vendor-default assumptions.

Analyst notes and limits

The ATT&CK detection strategy object itself has no official description, detection text, platforms, or tactics. The practical guidance here is derived from the supplied relationship to T1543.001 Launch Agent and its provided macOS path and tactic context.

This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Local environment evidence is required to determine whether Launch Agent monitoring is deployed, retained, and actionable.

Official MITRE ATT&CK definition

Detection of Launch Agent Creation or Modification on macOS

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1543.001 | Launch Agent (sub-technique) | This object detects Launch Agent.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0d23f5f8384aa51d...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0d23f5f8384a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0434 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.