MITRE ATT&CK® Technique

T1543.004: Launch Daemon

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemon parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, update software, or conduct automation tasks.[1][2][3]

Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. Masquerading). When the Launch Daemon is executed, the program inherits administrative permissions.[4][5]

Additionally, system configuration changes (such as the installation of third-party package management software) may cause folders such as /usr/local/bin to become globally writable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemons' plist files.[6][7]

Enterprise | T1543.004 | Sub-technique | Object v1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Launch Daemons matter because they let software start before user login and run in the background with administrative privileges on macOS. If an adversary can create or alter these plist files, a compromised Mac can regain execution after reboot and potentially escalate privilege through trusted system startup paths. For leaders, this is a macOS persistence and privilege-risk area that should be validated in endpoint hardening, SOC monitoring, and incident response playbooks.

Executive priority

Prioritize this where macOS endpoints support executives, developers, administrators, finance users, or other high-value workflows. The key business question is whether the organization can prove who is allowed to install or modify system-level startup items, whether those changes are audited, and whether incident responders can quickly distinguish approved management software from unauthorized persistence. This also supports compliance evidence around least privilege, account management, and auditability.

Technical view

This is a macOS sub-technique of Create or Modify System Process for persistence and privilege escalation. Defenders should validate monitoring of plist creation or modification under /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/, with attention to Label, Program, and RunAtLoad values. Review whether referenced executables are in expected locations and whether any referenced paths are writable by unintended users or groups, especially where system configuration changes or third-party package management have made directories such as /usr/local/bin globally writable. Relationship context includes DET0401, a detection strategy for Launch Daemon creation or modification, and mitigations M1018 User Account Management and M1047 Audit.

Likely telemetry

  • macOS filesystem events for LaunchDaemon plist creation, modification, deletion, ownership, and permission changes
  • Process execution telemetry for launchd-spawned programs and parent-child process context
  • Endpoint inventory of LaunchDaemon plist contents, including Label, Program, and RunAtLoad keys
  • File permission and ownership data for executables referenced by LaunchDaemon plist files
  • Audit logs showing privileged account use or administrative changes on macOS systems

Detection direction

  • Baseline approved LaunchDaemon plist files and alert on new or modified entries in system LaunchDaemon paths.
  • Inspect plist Program paths and RunAtLoad=true configurations, especially when names appear to mimic operating system or benign software naming patterns.
  • Correlate LaunchDaemon changes with privileged user activity and expected software installation events to reduce false positives from legitimate updates, shared-resource tools, and automation tasks.
  • Validate whether DET0401-style coverage exists in the SOC for LaunchDaemon creation or modification, since the official ATT&CK object does not provide detection text.
  • Look for weak directory or file permissions that could allow hijacking of executables already referenced by legitimate LaunchDaemon plist files.
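As an added example (not code from the page, from Glexia, or from MITRE), the plist review described in the Technical view and Detection direction above, in Python: parse a LaunchDaemon plist with plistlib, pull out Label, the referenced program (Program, or the first ProgramArguments entry) and RunAtLoad, and flag executables or parent directories that are world-writable or outside expected system locations. The sample plist, the throwaway directory layout and the EXPECTED_PREFIXES list are constructed assumptions for the demo.

```python
import os
import plistlib
import stat
import tempfile

# Constructed sample LaunchDaemon plist (not from the page); demo() fills in PROGRAM_PATH.
SAMPLE_PLIST = """<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>PROGRAM_PATH</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
# Where daemon executables are normally expected to live (an assumption for this example).
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/")

def referenced_program(info):
    """The executable launchd would run: Program if set, else ProgramArguments[0]."""
    if "Program" in info:
        return info["Program"]
    args = info.get("ProgramArguments") or []
    return args[0] if args else None

def world_writable(path):
    """True if path exists and its mode grants write permission to 'other'."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False

def assess_daemon(info):
    """Review one parsed LaunchDaemon plist dict (as plistlib returns it) and list findings."""
    prog = referenced_program(info)
    checks = [(info.get("RunAtLoad") is True, "runs at load"),
              (prog is None, "no Program or ProgramArguments")]
    if prog:
        checks += [(not prog.startswith(EXPECTED_PREFIXES), "program outside expected locations"),
                   (world_writable(prog), "program is world-writable"),
                   (world_writable(os.path.dirname(prog)), "program directory is world-writable")]
    return {"label": info.get("Label"), "program": prog,
            "findings": [msg for hit, msg in checks if hit]}

def demo():
    # Throwaway tree imitating a globally writable bin directory referenced by a RunAtLoad daemon.
    bindir = os.path.join(tempfile.mkdtemp(), "bin")
    os.mkdir(bindir)
    prog = os.path.join(bindir, "updater")
    with open(prog, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(prog, 0o777)    # anyone can overwrite the binary
    os.chmod(bindir, 0o777)  # anyone can replace the directory entry
    info = plistlib.loads(SAMPLE_PLIST.replace("PROGRAM_PATH", prog).encode())
    return assess_daemon(info)
```

On a macOS host, load each file under /Library/LaunchDaemons/ with plistlib.load and pass the dict to assess_daemon(), then reconcile the Label and program against the approved inventory.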

Mitigation priorities

  • Enforce least privilege for macOS administrative rights so only approved users and management processes can install or modify Launch Daemons.
  • Audit LaunchDaemon directories, plist contents, referenced executables, and permissions on a recurring basis.
  • Maintain an approved inventory of business-required Launch Daemons and reconcile endpoint state against it.
  • Review globally writable or overly permissive directories that may be referenced by LaunchDaemon plist Program paths.
  • Ensure incident response procedures include collection and review of LaunchDaemon plist files and referenced binaries from affected macOS hosts.

Analyst notes and limits

ATT&CK maps this behavior to macOS persistence and privilege escalation. Multiple software and campaign relationships are supplied, showing that ATT&CK has observed this technique in reported activity, but those relationships should not be interpreted as evidence of current exposure in a specific environment. Some related software entries list non-macOS platforms, so local validation should focus on the platform field of this technique: macOS.

The official ATT&CK detection field is not provided. This take is based on the technique description, external references, and supplied relationships only; it does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage. Local endpoint configuration, EDR visibility, audit policy, and software-management practices determine actual risk and coverage.

Official MITRE ATT&CK definition

Launch Daemon


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1160 | Launch Daemon | Launch Daemon (T1160) was revoked by this object.
Enterprise | T1543 | Create or Modify System Process | This object is a sub-technique of Create or Modify System Process.

Associated objects

Groups, software, and campaigns

Malware Enterprise

S1219: REPTILE

REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.[1]

Linux
Malware Enterprise

S0690: Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

Windows, iOS, macOS
Malware Enterprise

S1105: COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[1]

Linux, Network Devices
Malware Enterprise

S0595: ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[2][3]

macOS
Malware Enterprise

S0451: LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

macOS, Windows
Malware Enterprise

S0482: Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[1]

macOS
Malware Enterprise

S0658: XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]

macOS
Malware Enterprise

S0584: AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]

Windows, macOS
Campaign Enterprise

C0057: 3CX Supply Chain Attack

The 3CX Supply Chain Attack was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with AppleJeus, access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers.[1] While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems were affected. Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where attackers deployed secondary payloads such as Gopuram for credential theft and persistence.[2] The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023.[3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.3
Raw hash: c04d09ec3c3d469d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.3 | | Current bundle | c04d09ec3c3d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
  [2] Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
  [3] Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.
  [4] Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
  [5] Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.
  [6] Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.
  [7] Phil Stokes. (2019, June 17). How Malware Persists on macOS. Retrieved September 10, 2019.
  [8] MITRE ATT&CK. T1543.004: Launch Daemon (attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.