From c80319d462bbb345214e6ca6bdb21279f44dcf26 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Date: Tue, 22 Apr 2025 10:53:01 -0500
Subject: [PATCH] [Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547)

---
 .../persistence_creation_modif_launch_deamon_sequence.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index db8e0e585..1db91692f 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "LaunchDaemon Creation or Modification and Immediate Loading"
+name = "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading"
 references = [
 "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
 ]
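Review bot: The `name` rename to `Deprecated - …` in the second hunk is the only marker of deprecation, while the first hunk leaves `maturity = "production"` in `[metadata]` untouched, so the rule would still be built and shipped as a production rule under a title that says it is retired. In the detection-rules metadata convention a deprecation sets `maturity = "deprecated"` and records when it happened, e.g. `deprecation_date = "2025/04/21"` next to the bumped `updated_date`, and that is what downstream consumers filter on; the title alone gives them no machine-readable signal. If this repository also relocates retired rules to a deprecated rules directory, that move is not part of this diff either (inferred from the commit subject, not visible in the hunks).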
@@ -67,7 +67,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating LaunchDaemon Creation or Modification and Immediate Loading +### Investigating Deprecated - LaunchDaemon Creation or Modification and Immediate Loading LaunchDaemons in macOS are system-level services that start at boot and run in the background, often used for legitimate system tasks. However, adversaries can exploit this by creating or modifying LaunchDaemons to ensure persistent execution of malicious payloads. The detection rule identifies such activities by monitoring for new or altered LaunchDaemon files followed by their immediate loading using `launchctl`, indicating potential misuse for persistence.
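Review bot: The investigation-guide heading now reads `### Investigating Deprecated - LaunchDaemon Creation or Modification and Immediate Loading`, but the paragraph that follows still describes the rule as live ("The detection rule identifies such activities …") and says nothing about why it was retired or which rule supersedes it, so an analyst triaging an alert from an older deployment gets no pointer to the replacement. A short lead-in under the heading, such as `> **Note**: This rule is deprecated in favor of <REPLACEMENT_RULE_NAME>; refer to that rule's guide.`, would close the gap, and the heading itself reads more naturally if it keeps the original rule name rather than the `Deprecated - ` prefix. The `note = """` multi-line string begins before this hunk and continues past it.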