Creation or modification of .plist files in /Library/LaunchDaemons/, especially those with suspicious Program or ProgramArguments paths, combined with execution activity under launchd with elevated privileges. Detectable through correlated Unified Logs, file monitoring, and process telemetry.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | launchd spawning processes tied to new or modified LaunchDaemon .plist entries |
| File Creation (DC0039) | fs:launchdaemons | file_create |
| File Modification (DC0061) | fs:launchdaemons | file_modify |
| Service Creation (DC0060) | macos:unifiedlog | launchd loading new LaunchDaemon or changes to existing daemon configuration |

| Field | Description |
|---|---|
| ProgramPathRegex | Regex patterns to match anomalous executable paths or names in .plist files |
| TimeWindow | Correlation window between file modification and launchd process execution |
| UserContext | Admin or root context used during daemon installation |
| UnsignedBinaryFlag | Whether the binary associated with the LaunchDaemon is signed or trusted |
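The correlation the tables describe, worked through as an added example (not part of the original strategy): parse a LaunchDaemon plist to find the program launchd will run, pair the file write with a launchd-spawned process for that program inside TimeWindow, and score it against ProgramPathRegex, UnsignedBinaryFlag and UserContext. The regex, window, plist content and process events are constructed for this example; real inputs would come from file monitoring and Unified Log process telemetry.

```python
import plistlib
import re
from datetime import datetime, timedelta

# Stand-ins for ProgramPathRegex and TimeWindow; the values are assumptions for this example.
PROGRAM_PATH_REGEX = re.compile(r"^/(private/)?(tmp|var/folders|Users/Shared)/|/\.[^/]+$")
TIME_WINDOW = timedelta(minutes=5)

# Constructed telemetry: a plist created in /Library/LaunchDaemons as root, then launchd
# spawning the program it names two seconds later (the second process is unrelated noise).
T0 = datetime(2024, 1, 1, 12, 0, 0)
FILE_EVENT = {
    "ts": T0, "user": "root", "path": "/Library/LaunchDaemons/com.example.updater.plist",
    "content": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.updater</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}
PROC_EVENTS = [
    {"ts": T0 + timedelta(seconds=2), "parent": "launchd", "exe": "/Users/Shared/.updater", "signed": False},
    {"ts": T0 + timedelta(seconds=40), "parent": "launchd", "exe": "/usr/libexec/trustd", "signed": True},
]

def program_path(plist_bytes):
    """Return (executable, Label): Program takes precedence over ProgramArguments[0]."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or [None]
    return d.get("Program", args[0]), d.get("Label")

def correlate(file_event, proc_events):
    """Pair a LaunchDaemon plist write with launchd executing that program within TIME_WINDOW."""
    exe, label = program_path(file_event["content"])
    findings = []
    for p in proc_events:
        delta = p["ts"] - file_event["ts"]
        if exe is None or p["parent"] != "launchd" or p["exe"] != exe:
            continue
        if not (timedelta(0) <= delta <= TIME_WINDOW):
            continue
        # One point per matched field (ProgramPathRegex, UnsignedBinaryFlag, UserContext).
        reasons = {"anomalous_path": bool(PROGRAM_PATH_REGEX.search(exe)),
                   "unsigned_binary": not p["signed"],
                   "privileged_install": file_event["user"] == "root"}
        findings.append({"label": label, "exe": exe, "delay_s": delta.total_seconds(),
                         "score": sum(reasons.values()), "reasons": reasons})
    return findings
```

A process that launchd starts outside the window, or that is not the program named in the plist, produces no finding; a legitimately installed, signed daemon under /usr/local or /Library scores only on the root install context.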