LaunchDaemon Creation or Modification and Immediate Loading
- source: elastic
- techniques:
  - T1543
Description
Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.
Detection logic
sequence by host.id with maxspan=1m
[file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
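To see how the two-stage correlation behaves on concrete telemetry, here is an added Python emulation of the rule's `sequence by host.id with maxspan=1m` logic (this is example code written for this page, not Elastic's EQL engine); the ECS-style events, host ids and plist path are constructed samples, and the emulation is simplified to one pending first-stage event per host.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
MAXSPAN = timedelta(minutes=1)
DAEMON_DIRS = ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")
def is_daemon_file_event(e):
    """First stage: non-deletion file activity under a LaunchDaemons directory."""
    return (e["host.os.type"] == "macos" and e.get("event.category") == "file"
            and e["event.type"] != "deletion"
            and any(fnmatchcase(e.get("file.path", ""), g) for g in DAEMON_DIRS))

def is_launchctl_load(e):
    """Second stage: launchctl started with 'load' among its arguments."""
    return (e["host.os.type"] == "macos" and e.get("event.category") == "process"
            and e["event.type"] in ("start", "process_started")
            and e.get("process.name") == "launchctl"
            and "load" in e.get("process.args", []))

def find_sequences(events):
    """Emulate `sequence by host.id with maxspan=1m` (simplified: one pending
    first-stage event per host). Returns (host, plist path, load time) tuples."""
    pending, alerts = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        host = e["host.id"]
        if is_daemon_file_event(e):
            pending[host] = e
        elif is_launchctl_load(e) and host in pending:
            first = pending.pop(host)
            if e["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                alerts.append((host, first["file.path"], e["@timestamp"]))
    return alerts
# Constructed sample telemetry (not real data) using ECS-style field names.
T0 = datetime(2024, 1, 1, 12, 0, 0)
PLIST = "/Library/LaunchDaemons/com.example.agent.plist"
def ev(secs, host, fields):
    return {"@timestamp": T0 + timedelta(seconds=secs), "host.id": host,
            "host.os.type": "macos", **fields}
FILE = {"event.category": "file", "event.type": "creation", "file.path": PLIST}
LOAD = {"event.category": "process", "event.type": "start",
        "process.name": "launchctl", "process.args": ["launchctl", "load", PLIST]}
SAMPLE_EVENTS = [
    ev(0, "mac-01", FILE), ev(20, "mac-01", LOAD),    # within 1m -> alert
    ev(0, "mac-02", FILE), ev(300, "mac-02", LOAD),   # 5m apart -> no alert
    ev(0, "mac-03", {**FILE, "event.type": "deletion"}), ev(5, "mac-03", LOAD),  # deletion excluded
    ev(0, "mac-04", {**FILE, "file.path": "/Library/LaunchAgents/x.plist"}), ev(5, "mac-04", LOAD),  # wrong dir
]
if __name__ == "__main__":
    for host, path, when in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT {host}: {path} loaded at {when:%H:%M:%S}")
```

Only the mac-01 pair fires; the other three hosts show the conditions the rule deliberately leaves out (outside the span, a deletion, or a path outside the LaunchDaemons directories).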