LaunchDaemons (System-Level Persistence)


Location

/Library/LaunchDaemons/ (third-party) and /System/Library/LaunchDaemons/ (Apple)

Description

Property list files defining daemons that launchd loads at system boot, before any user logs in. A LaunchDaemon runs as root unless its plist sets a UserName key, so it provides higher-privilege persistence than a LaunchAgent and executes earlier in the boot process. Each plist defines the program (Program or ProgramArguments), its run conditions (RunAtLoad, KeepAlive, StartInterval, WatchPaths), the account it runs as, and optional socket listeners. Since macOS 11 /System/Library/LaunchDaemons/ sits on the sealed, read-only system volume, so third-party software, and an attacker, write to /Library/LaunchDaemons/.

Forensic Value

LaunchDaemons run as root and persist across reboots, making them the most privileged launchd-based persistence mechanism: a malicious LaunchDaemon grants the attacker root-level code execution on every boot without user interaction. The Program or ProgramArguments field reveals the exact command executed with root privileges; look for interpreters carrying an inline script (/bin/sh -c, osascript -e, python3 -c), binaries in temporary, user-writable or hidden locations, and encoded arguments. Daemons with RunAtLoad set to true execute as soon as launchd loads the plist, i.e. at boot; KeepAlive restarts the program if it exits or is killed. Compare each plist's birth and modification timestamps with the rest of the directory, and check the code-signing status of the referenced binary (codesign -dv --verbose=4 and codesign --verify), to identify unauthorized daemon installations; any unsigned or ad-hoc signed daemon in /Library/LaunchDaemons/ warrants immediate investigation. A label imitating Apple (com.apple.*) in the third-party directory is a classic masquerade. Note that launchd refuses to load a plist that is not owned by root or is group/world writable, so a file with bad ownership may not actually be running on a live system; confirm what is loaded with launchctl rather than trusting the directory listing alone.
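The checks above, as an added worked example that is not code from this page or from any of the tools listed below: a Python triage script that parses a directory of LaunchDaemon plists (a live /Library/LaunchDaemons/ or a copied set), extracts the forensic fields, records the ownership and permission problems that stop launchd loading a file, and flags the common tells (interpreter one-liners, temp, user-home or hidden paths, base64-looking arguments, Apple-style labels outside the system directory, filename/Label mismatch, RunAtLoad plus KeepAlive). The three sample plists, their labels, paths and the base64-looking argument are constructed for the demonstration, and the heuristics are the editor's, not a published signature set.

```python
#!/usr/bin/env python3
"""Triage LaunchDaemon plists from /Library/LaunchDaemons (live, copied or mounted).
Pulls the forensic fields, records the permission problems that stop launchd loading
a plist, and flags common tells of a malicious root daemon. Heuristics, not verdicts."""
import plistlib, re, stat, sys, tempfile
from pathlib import Path

# Interpreters that turn a plist into a one-line script instead of a signed binary.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3", "/usr/bin/perl",
                "/usr/bin/osascript"}
PATH_TELLS = [  # places a root daemon is not normally started from
    re.compile(r"(^|\s)(/private)?/(tmp|var/tmp|var/folders)/"),  # temp dirs
    re.compile(r"(^|\s)/Users/"),                                  # a user's home
    re.compile(r"/\.[^/\s]+"),                                     # hidden path component
]
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def check_load_problems(uid: int, mode: int) -> list:
    """launchd refuses a plist that is not root-owned or is group/world writable, so such
    a file is not running on a live system (and may have been dropped in carelessly)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root (launchd will not load it)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable (launchd will not load it)")
    return problems


def parse_daemon(path: Path) -> dict:
    """Extract the forensic fields from one plist; plistlib reads XML and binary."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    args = [str(a) for a in data.get("ProgramArguments", [])]
    return {"file": str(path), "label": str(data.get("Label", "")),
            "program": data.get("Program") or (args[0] if args else None), "args": args,
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False)),
            "user": data.get("UserName", "root")}  # root unless the plist says otherwise


def triage(entry: dict) -> list:
    """Return the tells found in one parsed entry, in a fixed order."""
    findings = []
    cmdline = " ".join(entry["args"]) or (entry["program"] or "")
    if entry["program"] in INTERPRETERS and any(a in ("-c", "-e") for a in entry["args"]):
        findings.append("interpreter one-liner instead of a binary")
    if any(r.search(cmdline) for r in PATH_TELLS):
        findings.append("executes from a temp, user-home or hidden path")
    if any(BASE64_BLOB_RE.match(a) for a in entry["args"]):
        findings.append("base64-like argument")
    if entry["label"].startswith("com.apple.") and "/System/Library/" not in entry["file"]:
        findings.append("Apple-style label outside /System/Library/LaunchDaemons")
    if Path(entry["file"]).stem != entry["label"]:
        findings.append("filename does not match Label (weak signal)")
    if entry["run_at_load"] and entry["keep_alive"]:
        findings.append("RunAtLoad+KeepAlive: starts at boot and is restarted if killed")
    return findings


def triage_directory(directory) -> list:
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        st = path.stat()
        try:
            entry = parse_daemon(path)
            entry["findings"] = triage(entry)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            entry = {"file": str(path), "error": str(exc), "findings": ["unparseable plist"]}
        entry["load_problems"] = check_load_problems(st.st_uid, st.st_mode)
        results.append(entry)
    return results


# Constructed samples (not real malware); the third is written as a binary plist.
SAMPLES = {
    "com.example.updater.plist": (plistlib.FMT_XML, {
        "Label": "com.example.updater", "RunAtLoad": True,
        "ProgramArguments": ["/Library/Application Support/ExampleUpdater/updater", "--daemon"]}),
    "com.apple.softwareupdate.helper.plist": (plistlib.FMT_XML, {
        "Label": "com.apple.softwareupdate.helper", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/bin/sh", "-c", "/private/tmp/.cache/update -q"]}),
    "com.example.agent.plist": (plistlib.FMT_BINARY, {
        "Label": "com.example.telemetry", "UserName": "nobody",
        "ProgramArguments": ["/Users/Shared/.svc/helper",
                             "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"]}),
}


def write_samples(directory) -> Path:
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    for name, (fmt, data) in SAMPLES.items():
        with open(directory / name, "wb") as fh:
            plistlib.dump(data, fh, fmt=fmt)
    return directory


def demo() -> dict:
    """Triage the constructed samples in a scratch directory; returns {filename: findings}."""
    return {Path(e["file"]).name: e["findings"]
            for e in triage_directory(write_samples(tempfile.mkdtemp(prefix="launchdaemons_")))}


if __name__ == "__main__":  # argument: a live or copied LaunchDaemons directory; none = samples
    for e in triage_directory(sys.argv[1] if len(sys.argv) > 1 else write_samples(tempfile.mkdtemp())):
        print(e["file"], e.get("user"), e.get("program"), e["findings"] + e["load_problems"])
```

The script deliberately does not call codesign, so it runs against a copied or mounted set on any platform; on a live Mac, feed the program paths it prints to codesign -dv --verbose=4 and codesign --verify to complete the signing check described above. Ownership problems are reported separately from the content tells because they change the interpretation: such a plist is evidence of tampering but is not what is currently running.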

Tools Required

  • plutil
  • launchctl list
  • mac_apt
  • KnockKnock (Objective-See)
  • Crowdstrike UAC

Collection Commands

plutil

mkdir -p /forensics; for f in /Library/LaunchDaemons/*.plist; do echo "=== $f ===" && plutil -p "$f"; done > /forensics/launch_daemons.txt 2>&1

launchctl

sudo launchctl list > /forensics/launchctl_daemons_list.txt

find

find /Library/LaunchDaemons -name "*.plist" -exec stat -f "%Sm  birth=%SB  %Su:%Sg %Sp  %N" -t "%Y-%m-%d %H:%M:%S" {} \; | sort > /forensics/launch_daemons_timeline.txt

cp

sudo mkdir -p /forensics/launch_daemons_copy && sudo cp -p /Library/LaunchDaemons/*.plist /forensics/launch_daemons_copy/

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

  • T1543.004 Create or Modify System Process: Launch Daemon
  • T1547.011 Boot or Logon Autostart Execution: Plist Modification (deprecated; superseded by T1647 Plist File Modification)
  • T1059.004 Command and Scripting Interpreter: Unix Shell
  • T1036.005 Masquerading: Match Legitimate Name or Location