Create or Modify System Process: Launch Daemon

Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories [3]. The daemon name may be disguised by using a name from a related operating system or benign software [4]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file ownership must be root:wheel, but the script or program that it points to has no such requirement. A poorly configured system can therefore allow an adversary to modify an existing Launch Daemon’s executable and gain persistence or Privilege Escalation.

ID: T1543.004
Sub-technique of: T1543
Platforms: macOS
Permissions Required: Administrator
Effective Permissions: root
Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Version: 1.1
Created: 17 January 2020
Last Modified: 16 September 2020

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has placed a plist file within the LaunchDaemons folder and launched it manually.[5]

S0482 Bundlore

Bundlore can persist via a LaunchDaemon.[6]

S0497 Dacls

Dacls can establish persistence via a Launch Daemon.[7][8]

S0451 LoudMiner

LoudMiner added plist files in /Library/LaunchDaemons with RunAtLoad set to true.[9]


OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[10]

S0595 ThiefQuest

When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true, establishing persistence as a Launch Daemon.[11]


ID Mitigation Description
M1018 User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.


Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application.
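
The monitoring described above can be paired with a check for the misconfiguration noted earlier, where the plist is root:wheel but the program it points to is not locked down. The following audit script is an added example, not part of the original page or of any tool it names; the function names and the trusted_uid parameter are hypothetical, and only the standard launchd keys Label, Program, ProgramArguments and RunAtLoad are assumed.

```python
import os
import plistlib
import stat
DAEMON_DIRS = ("/Library/LaunchDaemons", "/System/Library/LaunchDaemons")

def loose_perms(path, trusted_uid=0):
    """Reasons why `path` could be changed by someone other than trusted_uid."""
    try:
        st = os.stat(path)
    except OSError:
        return ["missing or unreadable"]
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owner uid {st.st_uid} is not {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append(f"group/world-writable (mode {stat.S_IMODE(st.st_mode):o})")
    return reasons

def audit_daemon(plist_path, trusted_uid=0):
    """Report what one launch daemon plist runs and who else could alter it."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # reads XML and binary plists
    except Exception as exc:  # malformed plist: report it, keep scanning
        return {"label": None, "program": None, "run_at_load": False,
                "findings": [f"plist: unparseable ({type(exc).__name__})"]}
    args = [a for a in job.get("ProgramArguments") or [] if isinstance(a, str)]
    program = job.get("Program") or (args[0] if args else None)
    findings = [f"plist: {r}" for r in loose_perms(plist_path, trusted_uid)]
    if program is None:
        findings.append("plist: no Program or ProgramArguments key")
    else:
        # Check the executable, its directory, and script files passed as arguments.
        targets = [program, os.path.dirname(program) or "."]
        targets += [a for a in args[1:] if os.path.isabs(a) and os.path.isfile(a)]
        for t in targets:
            findings += [f"{t}: {r}" for r in loose_perms(t, trusted_uid)]
    return {"label": job.get("Label"), "program": program,
            "run_at_load": bool(job.get("RunAtLoad", False)), "findings": findings}

def audit_all(dirs=DAEMON_DIRS, trusted_uid=0):
    """Audit every .plist in the given directories, skipping absent directories."""
    return [audit_daemon(os.path.join(d, n), trusted_uid)
            for d in dirs if os.path.isdir(d)
            for n in sorted(os.listdir(d)) if n.endswith(".plist")]

if __name__ == "__main__":
    for r in audit_all():
        print(r["label"], r["run_at_load"], *r["findings"], sep=" | ")
```

Comparing the output of successive runs against a saved baseline also surfaces newly created or changed daemons.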