Uncommon Launch Daemon persistency was registered or modified

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-02-02
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Generic Persistence Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Informational

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.
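
One way to carry out the first investigative action, analyzing the persistency item, is to parse the Launch Daemon property list and list the traits that several variations of this alert describe. This is an added example, not Cortex XDR's detection logic: the function name, the path prefixes treated as common, the tool lists and the sample job are all assumptions constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Assumed lists for this example; they are not Cortex XDR's detection logic.
COMMON_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/",
                   "/Applications/", "/opt/")
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "scp", "sftp", "ftp"}
SCRIPT_HOSTS = {"osascript"}


def triage_launch_daemon(plist_bytes):
    """Parse a launchd job definition and list the traits an analyst should review."""
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    if not isinstance(job, dict):
        raise ValueError("a launchd job definition must be a dictionary")
    # launchd runs Program if present, otherwise the first ProgramArguments entry.
    args = [str(a) for a in job.get("ProgramArguments", [])]
    executable = job.get("Program") or (args[0] if args else None)
    findings = []
    if executable is None:
        findings.append("no Program or ProgramArguments: malformed job")
    elif not str(executable).startswith(COMMON_PREFIXES):
        findings.append(f"unusual executable path: {executable}")
    if job.get("RunAtLoad") is True:
        findings.append("RunAtLoad is true: starts as soon as the job is loaded")
    # Inspect every word so a tool wrapped in `sh -c "..."` is still seen.
    tokens = set()
    for arg in ([str(executable)] if executable else []) + args:
        for word in arg.replace(";", " ").replace("|", " ").split():
            tokens.add(PurePosixPath(word).name)
    for tool in sorted(tokens & SCRIPT_HOSTS):
        findings.append(f"invokes {tool}")
    for tool in sorted(tokens & NETWORK_TOOLS):
        findings.append(f"invokes data communication tool: {tool}")
    return {"label": job.get("Label"), "executable": executable,
            "findings": findings}


# Constructed sample job, not taken from a real incident.
SAMPLE = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/bin/osascript", "/Users/Shared/.cache/task.scpt"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    report = triage_launch_daemon(SAMPLE)
    print(report["label"], report["executable"])
    for finding in report["findings"]:
        print(" -", finding)
```

An empty findings list only means none of these assumed checks matched; the registered executable and its events still need review as described in the other investigative actions.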

Variations

Uncommon Launch Daemon persistency was registered or modified by a security testing tool

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

High

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a security testing tool.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified by a tool with possible web access

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a tool with possible web access.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified while using a data communication tool

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency-triggered execution.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified while using osascript

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency-triggered execution.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified using Plist Buddy with Run-At-Load key

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified with an uncommon path containing a known vendor name

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified with an unusual persistency executable path

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an unusual persistency executable path.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified by a non validly signed process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a process that is not validly signed.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.


Uncommon Launch Daemon persistency was registered or modified by an unsigned process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon Launch Daemon persistence mechanism was registered/modified on the system by an unsigned process.

Attacker's Goals

Establish persistent access to the compromised host by registering malicious code.

Investigative actions

  • Analyze the persistency item and determine whether it performs any malicious/suspicious actions.
  • Analyze the registered process and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process for potential malicious behavior.