MITRE ATT&CK Technique
Execution T1053.004
Description

This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself. Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2019-12-03T14:15:27.452Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'This technique is deprecated due to the inaccurate usage. The '
                'report cited did not provide technical detail as to how the '
                'malware interacted directly with launchd rather than going '
                'through known services. Other system services are used to '
                'interact with launchd rather than launchd being used by '
                'itself. \n'
                '\n'
                'Adversaries may abuse the <code>Launchd</code> daemon to '
                'perform task scheduling for initial or recurring execution of '
                'malicious code. The <code>launchd</code> daemon, native to '
                'macOS, is responsible for loading and maintaining services '
                'within the operating system. This process loads the '
                'parameters for each launch-on-demand system-level daemon from '
                'the property list (plist) files found in '
                '<code>/System/Library/LaunchDaemons</code> and '
                '<code>/Library/LaunchDaemons</code> (Citation: AppleDocs '
                'Launch Agent Daemons). These LaunchDaemons have property list '
                'files which point to the executables that will be launched '
                '(Citation: Methods of Mac Malware Persistence).\n'
                '\n'
                'An adversary may use the <code>launchd</code> daemon in macOS '
                'environments to schedule new executables to run at system '
                'startup or on a scheduled basis for persistence. '
                '<code>launchd</code> can also be abused to run a process '
                'under the context of a specified account. Daemons, such as '
                '<code>launchd</code>, run with the permissions of the root '
                'user account, and will operate regardless of which user '
                'account is logged in.',
 'external_references': [{'external_id': 'T1053.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1053/004'},
                         {'description': 'Apple. (n.d.). Creating Launch '
                                         'Daemons and Agents. Retrieved July '
                                         '10, 2017.',
                          'source_name': 'AppleDocs Launch Agent Daemons',
                          'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html'},
                         {'description': 'Patrick Wardle. (2014, September). '
                                         'Methods of Malware Persistence on '
                                         'Mac OS X. Retrieved July 5, 2017.',
                          'source_name': 'Methods of Mac Malware Persistence',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'}],
 'id': 'attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:06.023Z',
 'name': 'Launchd',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': True,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About