Query Details
# *macOS Launch Agent/Daemon .plist File Creation or Modification*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1543 | Create or Modify System Process | https://attack.mitre.org/techniques/T1543 |
| T1543.001 | Launch Agent | https://attack.mitre.org/techniques/T1543/001 |
#### Description
Detects the creation or modification of .plist files in macOS Launch Agent and Launch Daemon directories. This activity can be indicative of persistence mechanisms being established by adversaries. The rule excludes modifications by common system installers to reduce false positives.
#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/
#### References
- https://www.sentinelone.com/blog/how-malware-persists-on-macos/
## Defender XDR
```KQL
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
// System-wide Launch Agent/Daemon folders, plus per-user ~/Library/LaunchAgents
| where FolderPath has_any (
    "/Library/LaunchAgents/",
    "/Library/LaunchDaemons/",
    "/System/Library/LaunchAgents/",
    "/System/Library/LaunchDaemons/"
  )
  or (FolderPath contains "/Users/" and FolderPath contains "/Library/LaunchAgents/")
| where FileName endswith ".plist"
// Drops a row only when BOTH conditions fail, i.e. root acting through a
// known system installer; root via any other process, or a non-root user
// running an installer, is still surfaced
| where InitiatingProcessAccountName != "root"
  or InitiatingProcessFileName !in ("installer", "softwareupdated", "installd")
```
This query is designed to detect potentially suspicious activity on macOS systems related to the creation or modification of .plist files, the property-list configuration files that launchd reads for Launch Agents and Launch Daemons. Adversaries frequently drop or edit these files to establish persistence on a system.

Here's a simplified breakdown of what the query does:

- **Monitors file events:** It looks at `DeviceFileEvents` rows where a file is either created (`FileCreated`) or modified (`FileModified`).
- **Targets specific directories:** The query focuses on the directories known to hold Launch Agent and Launch Daemon .plist files:
  - `/Library/LaunchAgents/`
  - `/Library/LaunchDaemons/`
  - `/System/Library/LaunchAgents/`
  - `/System/Library/LaunchDaemons/`
  - `/Users/<username>/Library/LaunchAgents/` (per-user Launch Agents, matched by a path that contains both `/Users/` and `/Library/LaunchAgents/`)
- **Filters by file type:** It only keeps files with the `.plist` extension.
- **Excludes common system processes:** To reduce false positives, the final `where` clause drops events initiated by the `root` account through one of the common system installers (`installer`, `softwareupdated`, `installd`). Because the two conditions are joined with `or`, an event is excluded only when both hold: root writing a .plist through any other process, or a non-root user running one of those installers, is still surfaced.

Overall, this query helps identify unauthorized or suspicious changes to launchd configuration, which could indicate malicious activity aimed at maintaining persistence on a macOS device.
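To make the filter logic and the exclusion semantics concrete, here is a small Python reference implementation of the same rule run over constructed sample events, followed by a triage helper that pulls the keys an analyst checks first out of a surfaced .plist. This is an added example, not code from the query author or the KQLAdvancedHunting repository; the `FileEvent` fields are shortened stand-ins for the `DeviceFileEvents` columns, the sample events and the plist body are constructed, and plain substring matching is used as an approximation of KQL's term-based `has_any`.

```python
"""
Reference implementation of the macOS Launch Agent/Daemon .plist rule over
constructed sample events (added example, not part of the original page).
"""
import plistlib
from dataclasses import dataclass
from typing import Iterable, List

# Directories covered by the query's has_any() clause. Substring matching is
# an approximation of KQL's term-based has_any (assumption for this example).
SYSTEM_LAUNCH_DIRS = (
    "/Library/LaunchAgents/",
    "/Library/LaunchDaemons/",
    "/System/Library/LaunchAgents/",
    "/System/Library/LaunchDaemons/",
)
# Initiating processes the query treats as benign when run by root.
SYSTEM_INSTALLERS = frozenset({"installer", "softwareupdated", "installd"})
# Locations a launchd job rarely executes from; used only as a triage hint.
UNUSUAL_EXEC_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/")


@dataclass(frozen=True)
class FileEvent:
    """Simplified DeviceFileEvents row (column names shortened for the example)."""
    action_type: str
    folder_path: str
    file_name: str
    initiating_account: str
    initiating_process: str


def in_launch_directory(folder_path: str) -> bool:
    """System-wide launchd folders, or a per-user ~/Library/LaunchAgents path."""
    if any(d in folder_path for d in SYSTEM_LAUNCH_DIRS):
        return True
    return "/Users/" in folder_path and "/Library/LaunchAgents/" in folder_path


def is_installer_noise(ev: FileEvent) -> bool:
    """Mirrors the query's last clause: `account != root OR process !in installers`
    keeps a row unless BOTH conditions fail, so only root-driven installer writes drop."""
    return ev.initiating_account == "root" and ev.initiating_process in SYSTEM_INSTALLERS


def matches_rule(ev: FileEvent) -> bool:
    """True when the event would be surfaced by the KQL query."""
    return (
        ev.action_type in ("FileCreated", "FileModified")
        and in_launch_directory(ev.folder_path)
        and ev.file_name.endswith(".plist")
        and not is_installer_noise(ev)
    )


def run_rule(events: Iterable[FileEvent]) -> List[FileEvent]:
    return [ev for ev in events if matches_rule(ev)]


def triage_plist(plist_bytes: bytes) -> dict:
    """Extract the launchd keys an analyst checks first from a surfaced .plist."""
    p = plistlib.loads(plist_bytes)
    program = list(p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else []))
    return {
        "label": p.get("Label"),
        "program": program,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
        "runs_from_unusual_path": bool(program) and program[0].startswith(UNUSUAL_EXEC_PREFIXES),
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("FileCreated", "/Users/alice/Library/LaunchAgents/", "com.example.updater.plist", "alice", "bash"),
    FileEvent("FileCreated", "/Library/LaunchDaemons/", "com.vendor.agent.plist", "root", "installer"),  # excluded: root + installer
    FileEvent("FileModified", "/Library/LaunchDaemons/", "com.example.helper.plist", "root", "python3"),  # kept: root, other process
    FileEvent("FileCreated", "/Users/bob/Library/Preferences/", "com.apple.finder.plist", "bob", "cfprefsd"),  # wrong directory
    FileEvent("FileCreated", "/Library/LaunchAgents/", "README.txt", "root", "bash"),  # not a .plist
    FileEvent("FileDeleted", "/Library/LaunchAgents/", "com.old.plist", "alice", "rm"),  # wrong action type
]

# Constructed plist body for the first surfaced event.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/.cache/updater</string><string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for ev in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {ev.folder_path}{ev.file_name} by {ev.initiating_account}/{ev.initiating_process}")
    print(triage_plist(SAMPLE_PLIST))
```

Running the script surfaces two of the six constructed events: the per-user agent written by `alice` and the daemon modified by `root` through `python3`, while the root-driven `installer` write is the only one dropped by the exclusion clause. The triage output for the sample plist shows `RunAtLoad` and `KeepAlive` both set and a program path under `/Users/`, which together are the first things worth a closer look on a real alert.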

Benjamin Zulliger
Released: November 18, 2025