LaunchDaemons (System-Level Persistence)
Location
/Library/LaunchDaemons/ (third-party) and /System/Library/LaunchDaemons/ (Apple)
Description
Property list files defining daemons that launchd loads at system boot, running as root regardless of whether a user is logged in. LaunchDaemons provide higher-privilege persistence than LaunchAgents and execute earlier in the boot process. Each plist defines the program, arguments, run conditions, and optional socket listeners.
Forensic Value
LaunchDaemons run as root and persist across reboots, making them the most privileged launchd-based persistence mechanism. Malicious LaunchDaemons grant the attacker root-level code execution on every boot without user interaction. The ProgramArguments field reveals the exact command executed with root privileges. Daemons with RunAtLoad set to true execute immediately at boot. Checking file creation timestamps and code signing status of referenced binaries identifies unauthorized daemon installations. Any unsigned or ad-hoc signed daemon in /Library/LaunchDaemons/ warrants immediate investigation.
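A triage sketch for the checks described above, added here as an example and not part of the original entry: it reads each daemon plist, pulls out the command, RunAtLoad and Sockets, records file timestamps, and asks codesign about the referenced binary. The sample plist, its label and its paths are constructed, and the function names are this example's own.

```python
import plistlib, shutil, subprocess
from pathlib import Path

# Constructed sample for offline runs; label and paths are invented.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/Example/updater</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>Sockets</key><dict><key>Listener</key><dict><key>SockServiceName</key><string>8021</string></dict></dict>
</dict></plist>"""

def signing_status(binary):
    """Classify a binary with macOS codesign; 'unknown' off macOS or if the file is missing."""
    if not binary or not shutil.which("codesign") or not Path(binary).exists():
        return "unknown"
    r = subprocess.run(["codesign", "-dvv", binary], capture_output=True, text=True)
    if r.returncode != 0:          # codesign exits non-zero for unsigned code
        return "unsigned"
    # -d only displays the signature (on stderr); it does not verify it.
    return "adhoc" if "Signature=adhoc" in r.stderr else "signed"

def summarize(plist_path):
    """Extract the fields the entry above calls out from one daemon plist."""
    p = Path(plist_path)
    with p.open("rb") as fh:
        d = plistlib.load(fh)      # reads both XML and binary plists
    argv = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    exe = d.get("Program") or (argv[0] if argv else None)
    st = p.stat()
    return {
        "plist": str(p), "label": d.get("Label"), "command": list(argv), "executable": exe,
        "run_at_load": d.get("RunAtLoad") is True,
        "sockets": sorted(d.get("Sockets", {})),
        "created": getattr(st, "st_birthtime", None),  # birth time is not available on every OS
        "modified": st.st_mtime,
        "signing": signing_status(exe),
    }

def scan(directory="/Library/LaunchDaemons"):
    """Summarize every plist; unparseable files are reported rather than skipped."""
    out = []
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            out.append(summarize(p))
        except Exception as e:     # a malformed plist is itself worth a look
            out.append({"plist": str(p), "error": repr(e)})
    return out

if __name__ == "__main__":
    for row in scan():
        print(row)
```

Run it on the live system or point scan() at a mounted image's Library/LaunchDaemons directory; rows whose signing value is unsigned or adhoc are the ones to review first.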