MITRE ATT&CK Technique
Description
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists) Adversaries may install a Launch Daemon configured to execute at startup by using the <code>RunAtLoad</code> parameter set to <code>true</code> and the <code>Program</code> parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection) Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as <code>usr/local/bin</code> to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-17T19:23:15.227Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may create or modify Launch Daemons to execute '
'malicious payloads as part of persistence. Launch Daemons are '
'plist files used to interact with Launchd, the service '
'management framework used by macOS. Launch Daemons require '
'elevated privileges to install, are executed for every user '
'on a system prior to login, and run in the background without '
'the need for user interaction. During the macOS '
'initialization startup, the launchd process loads the '
'parameters for launch-on-demand system-level daemons from '
'plist files found in '
'<code>/System/Library/LaunchDaemons/</code> and '
'<code>/Library/LaunchDaemons/</code>. Required Launch Daemons '
'parameters include a <code>Label</code> to identify the task, '
'<code>Program</code> to provide a path to the executable, and '
'<code>RunAtLoad</code> to specify when the task is run. '
'Launch Daemons are often used to provide access to shared '
'resources, updates to software, or conduct automation '
'tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: '
'Methods of Mac Malware Persistence)(Citation: launchd '
'Keywords for plists)\n'
'\n'
'Adversaries may install a Launch Daemon configured to execute '
'at startup by using the <code>RunAtLoad</code> parameter set '
'to <code>true</code> and the <code>Program</code> parameter '
'set to the malicious executable path. The daemon name may be '
'disguised by using a name from a related operating system or '
'benign software (i.e. '
'[Masquerading](https://attack.mitre.org/techniques/T1036)). '
'When the Launch Daemon is executed, the program inherits '
'administrative permissions.(Citation: WireLurker)(Citation: '
'OSX Malware Detection)\n'
'\n'
'Additionally, system configuration changes (such as the '
'installation of third party package managing software) may '
'cause folders such as <code>usr/local/bin</code> to become '
'globally writeable. So, it is possible for poor '
'configurations to allow an adversary to modify executables '
"referenced by current Launch Daemon's plist files.(Citation: "
'LaunchDaemon Hijacking)(Citation: sentinelone macos persist '
'Jun 2019)',
'external_references': [{'external_id': 'T1543.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1543/004'},
{'description': 'Apple. (n.d.). Creating Launch '
'Daemons and Agents. Retrieved July '
'10, 2017.',
'source_name': 'AppleDocs Launch Agent Daemons',
'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html'},
{'description': 'Bradley Kemp. (2021, May 10). '
'LaunchDaemon Hijacking: privilege '
'escalation and persistence via '
'insecure folder permissions. '
'Retrieved July 26, 2021.',
'source_name': 'LaunchDaemon Hijacking',
'url': 'https://bradleyjkemp.dev/post/launchdaemon-hijacking/'},
{'description': 'Claud Xiao. (n.d.). WireLurker: A '
'New Era in iOS and OS X Malware. '
'Retrieved July 10, 2017.',
'source_name': 'WireLurker',
'url': 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf'},
{'description': 'Dennis German. (2020, November 20). '
'launchd Keywords for plists. '
'Retrieved October 7, 2021.',
'source_name': 'launchd Keywords for plists',
'url': 'https://www.real-world-systems.com/docs/launchdPlist.1.html'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
{'description': 'Patrick Wardle. (2016, February 29). '
"Let's Play Doctor: Practical OS X "
'Malware Detection & Analysis. '
'Retrieved November 17, 2024.',
'source_name': 'OSX Malware Detection',
'url': 'https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf'},
{'description': 'Stokes, Phil. (2019, June 17). HOW '
'MALWARE PERSISTS ON MACOS. Retrieved '
'September 10, 2019.',
'source_name': 'sentinelone macos persist Jun 2019',
'url': 'https://www.sentinelone.com/blog/how-malware-persists-on-macos/'}],
'id': 'attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:49.387Z',
'name': 'Launch Daemon',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.3'}