Query Details

macOS Launch Agent/Daemon .plist File Creation or Modification

Mac OS Launch Agent Or Daemon Plist File Creation Or Modification

Query

DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (
    "/Library/LaunchAgents/",
    "/Library/LaunchDaemons/",
    "/System/Library/LaunchAgents/",
    "/System/Library/LaunchDaemons/"
    )
    or FolderPath contains "/Users/" and FolderPath contains "/Library/LaunchAgents/"
| where FileName endswith ".plist"
| where InitiatingProcessAccountName != "root" 
    or InitiatingProcessFileName !in ("installer", "softwareupdated", "installd")

About this query

macOS Launch Agent/Daemon .plist File Creation or Modification

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1543Create or Modify System Processhttps://attack.mitre.org/techniques/T1543
T1543.001Launch Agenthttps://attack.mitre.org/techniques/T1543/001

Description

Detects the creation or modification of .plist files in macOS Launch Agent and Launch Daemon directories. This activity can be indicative of persistence mechanisms being established by adversaries. The rule excludes modifications by common system installers to reduce false positives.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially suspicious activities on macOS systems related to the creation or modification of .plist files, which are configuration files used by Launch Agents and Launch Daemons. These files are often targeted by adversaries to establish persistence on a system.

Here's a simplified breakdown of what the query does:

  1. Monitors File Events: It looks at events where files are either created or modified.

  2. Targets Specific Directories: The query focuses on specific directories known for storing Launch Agent and Launch Daemon .plist files:

    • /Library/LaunchAgents/
    • /Library/LaunchDaemons/
    • /System/Library/LaunchAgents/
    • /System/Library/LaunchDaemons/
    • User-specific Launch Agent directories within /Users/
  3. Filters by File Type: It specifically looks for files with the .plist extension.

  4. Excludes Common System Processes: To reduce false positives, it excludes modifications made by common system processes or accounts, such as those initiated by the root account or by processes like installer, softwareupdated, and installd.

Overall, this query helps identify unauthorized or suspicious changes to system processes, which could indicate malicious activity aimed at maintaining persistence on a macOS device.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: November 18, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEventsFolderPathNameInitiatingProcessAccount

Operators

DeviceFileEvents|whereinhas_anyorcontainsendswith!=!in

MITRE Techniques

Actions

GitHub