[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547)

rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "LaunchDaemon Creation or Modification and Immediate Loading"
+name = "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading"
 references = [
     "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
 ]
@@ -67,7 +67,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating LaunchDaemon Creation or Modification and Immediate Loading
+### Investigating Deprecated - LaunchDaemon Creation or Modification and Immediate Loading
 
 LaunchDaemons in macOS are system-level services that start at boot and run in the background, often used for legitimate system tasks. However, adversaries can exploit this by creating or modifying LaunchDaemons to ensure persistent execution of malicious payloads. The detection rule identifies such activities by monitoring for new or altered LaunchDaemon files followed by their immediate loading using `launchctl`, indicating potential misuse for persistence.