What starting position does this attack require?

The first step is Verify across reboot (T1078) — a initial access primitive. Assumed environment: attacker has root on macOS (via sudo, kernel exploit, etc.

What is the final impact of this kill-chain?

The final step lands on Write /Library/LaunchDaemons/ (MAC-LAUNCHAGENT), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

LaunchDaemon persistence as root

Once at root (via sudo or a local-exploit), drop a .plist into /Library/LaunchDaemons that re-implants on every boot — survives user logout and full power-cycle.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Verify across reboot

T1078 · Valid Accounts

Initial Access

Root shell

T1078 · Valid Accounts

Persistence

launchctl load + RunAtLoad=true

T1547 · Boot or Logon Autostart Execution

Defense Evasion

Hide plist via legitimate-looking name

T1027 · Obfuscated Files or Information

Persistence

Write /Library/LaunchDaemons/<plist>

MAC-LAUNCHAGENT · LaunchAgent / LaunchDaemon Persistence

§ Context

Assumed environment: attacker has root on macOS (via sudo, kernel exploit, etc.). The target has not deployed an EDR that catches new LaunchDaemons.

§ Steps

01
Verify across rebootInitial Access
T1078— Valid Accounts
02
Root shellInitial Access
T1078— Valid Accounts
03
launchctl load + RunAtLoad=truePersistence
T1547— Boot or Logon Autostart Execution
04
Hide plist via legitimate-looking nameDefense Evasion
T1027— Obfuscated Files or Information
05
Write /Library/LaunchDaemons/<plist>Persistence
MAC-LAUNCHAGENT— LaunchAgent / LaunchDaemon Persistence

§ References

§ Frequently asked

What is the "LaunchDaemon persistence as root" attack path?: Once at root (via sudo or a local-exploit), drop a .plist into /Library/LaunchDaemons that re-implants on every boot — survives user logout and full power-cycle. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Verify across reboot (T1078) — a initial access primitive. Assumed environment: attacker has root on macOS (via sudo, kernel exploit, etc.
What is the final impact of this kill-chain?: The final step lands on Write /Library/LaunchDaemons/<plist> (MAC-LAUNCHAGENT), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

LaunchDaemon persistence as root

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

LogoFAIL → UEFI bootkit → persistent ring-0

Process doppelgänging → spawn signed image with attacker bytes

Cross-chain bridge validator-set bypass → mint wrapped tokens