🍎 macOS

Root Service Execution from Suspicious Path

Detects the system launchd process (PID 1) executing a child process from a suspicious, non-standard directory. This indicates a LaunchDaemon has been compromised to run a malicious payload.

Author: Chris S (avrgsec_)
Date: 2025-11-06
Level: CRITICAL
Status: experimental

Sigma Rule

title: Root Service Execution from Suspicious Path
id: 9a8b76d6-5e4f-3a2b-1c0d-9e87fa6b5c4d
status: experimental
description: |
  Detects the system launchd process (PID 1) executing a child process from a suspicious, non-standard directory.
  This indicates a LaunchDaemon has been compromised to run a malicious payload.
references:
  - https://www.exploit-db.com/exploits/52316
  - https://github.com/mbanyamer
author: Chris S (avrgsec_)
date: "2025-11-06"
tags:
  - attack.persistence
  - attack.t1543.004
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    ParentImage: '/sbin/launchd'
    User: 'root'
    Image|startswith:
      - '/tmp/'
      - '/private/tmp/'
      - '/var/tmp/'
      - '/private/var/tmp/'
      - '/Users/Shared/'
      - '/Users/'
  condition: selection
falsepositives:
  - Extremely rare (and insecure) legitimate software that runs helper tools from temp directories.
level: critical
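To show how the selection above behaves on telemetry, here is an added Python re-implementation of the rule's `selection` block (not part of the Sigma rule or the author's tooling), evaluated against constructed process_creation events. The events and file paths are made up for illustration; matching is lower-cased to mirror Sigma's default case-insensitive string comparison.

```python
"""Evaluate the rule's selection against constructed macOS process_creation events."""

# Prefixes from the rule's Image|startswith list. /tmp and /var/tmp are symlinks
# to /private/tmp and /private/var/tmp on macOS, so both spellings are listed.
SUSPICIOUS_PREFIXES = (
    "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
    "/Users/Shared/", "/Users/",
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the selection: parent is launchd (PID 1),
    the child runs as root, and its image lives under a listed directory.
    Values are lower-cased because Sigma string matching is case-insensitive
    unless the 'cased' modifier is used."""
    parent = event.get("ParentImage", "").lower()
    user = event.get("User", "").lower()
    image = event.get("Image", "").lower()
    return (
        parent == "/sbin/launchd"
        and user == "root"
        and any(image.startswith(p.lower()) for p in SUSPICIOUS_PREFIXES)
    )


# Constructed sample events (not real telemetry); field names follow the Sigma
# process_creation taxonomy used by the rule.
SAMPLE_EVENTS = [
    {"ParentImage": "/sbin/launchd", "User": "root", "Image": "/usr/libexec/trustd"},
    {"ParentImage": "/sbin/launchd", "User": "root", "Image": "/private/tmp/updater"},
    {"ParentImage": "/sbin/launchd", "User": "root", "Image": "/Users/Shared/.helper"},
    {"ParentImage": "/sbin/launchd", "User": "alice", "Image": "/Users/alice/bin/agent"},
    {"ParentImage": "/bin/bash", "User": "root", "Image": "/tmp/build"},
]


def alerts(events) -> list:
    """Return the Image paths of every event that fires the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT: launchd spawned a root child from a suspicious path:", image)
```

Note that the fourth event (a user-level LaunchAgent under /Users/alice) does not fire because the rule requires the child to run as root; the fifth does not fire because its parent is not launchd.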

False Positives

  • Extremely rare (and insecure) legitimate software that runs helper tools from temp directories.

References

  • https://www.exploit-db.com/exploits/52316
  • https://github.com/mbanyamer