MITRE ATT&CK Technique
Description
Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Per Apple’s developer documentation, when macOS and OS X boot '
'up, launchd is run to finish system initialization. This '
'process loads the parameters for each launch-on-demand '
'system-level daemon from the property list (plist) files '
'found in <code>/System/Library/LaunchDaemons</code> and '
'<code>/Library/LaunchDaemons</code> (Citation: AppleDocs '
'Launch Agent Daemons). These LaunchDaemons have property list '
'files which point to the executables that will be launched '
'(Citation: Methods of Mac Malware Persistence).\n'
' \n'
'Adversaries may install a new launch daemon that can be '
'configured to execute at startup by using launchd or '
'launchctl to load a plist into the appropriate directories '
'(Citation: OSX Malware Detection). The daemon name may be '
'disguised by using a name from a related operating system or '
'benign software (Citation: WireLurker). Launch Daemons may '
'be created with administrator privileges, but are executed '
'under root privileges, so an adversary may also use a service '
'to escalate privileges from administrator to root.\n'
' \n'
'The plist file permissions must be root:wheel, but the script '
'or program that it points to has no such requirement. So, it '
'is possible for poor configurations to allow an adversary to '
'modify a current Launch Daemon’s executable and gain '
'persistence or Privilege Escalation.',
'external_references': [{'external_id': 'T1160',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1160'},
{'description': 'Apple. (n.d.). Creating Launch '
'Daemons and Agents. Retrieved July '
'10, 2017.',
'source_name': 'AppleDocs Launch Agent Daemons',
'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
{'description': 'Patrick Wardle. (2016, February 29). '
"Let's Play Doctor: Practical OS X "
'Malware Detection & Analysis. '
'Retrieved July 10, 2017.',
'source_name': 'OSX Malware Detection',
'url': 'https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf'},
{'description': 'Claud Xiao. (n.d.). WireLurker: A '
'New Era in iOS and OS X Malware. '
'Retrieved July 10, 2017.',
'source_name': 'WireLurker',
'url': 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf'}],
'id': 'attack-pattern--e99ec083-abdd-48de-ad87-4dbf6f8ba2a4',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:33.254Z',
'name': 'Launch Daemon',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.1'}