Elastic Security Detection Rules

Persistence via Suspicious Launch Agent or Launch Daemon

Last updated a month ago on 2026-01-30
Created a month ago on 2026-01-30

About

Identifies the creation of a launch agent or daemon property list file containing abnormal or suspicious values. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. This rule looks for plist files created in LaunchAgents/LaunchDaemons directories with paths commonly used by malware.
Tags
Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: PersistenceData Source: Elastic DefendLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Boot or Logon Autostart Execution (T1547)(external, opens in a new tab or window)

Create or Modify System Process (T1543)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.file-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
file where host.os.type == "macos" and event.type != "deletion" and 
  file.extension == "plist" and
  file.path like ("/Library/LaunchAgents/*", "/Library/LaunchDaemons/*", 
                  "/Users/*/Library/LaunchAgents/*", "/System/Library/LaunchAgents/*",
                  "/System/Library/LaunchDaemons/*") and
  (process.executable like ("/private/tmp/*", "/private/var/root/Library/*", "/var/tmp/*", 
                            "/tmp/*", "/var/folders/*", "/Users/Shared/*", "/var/root/*",
                            "/Library/WebServer/*", "/Library/Graphics/*", "/Library/Fonts/*") or
   process.name like~ ("python*", "osascript", "bash", "zsh", "sh", "curl", "nscurl", "wget", "java")) and
  not process.executable like ("/System/*", "/Library/PrivilegedHelperTools/*") and
  not (process.code_signature.signing_id in ("com.apple.vim", "com.apple.cat", "com.apple.cfprefsd",
                                            "com.jetbrains.toolbox", "com.apple.pico", "com.apple.shove",
                                            "com.sublimetext.4", "com.apple.ditto") and process.code_signature.trusted == true)

Install detection rules in Elastic Security

Detect Persistence via Suspicious Launch Agent or Launch Daemon in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).