---
title: "Monitor Launch Item Creation | Security Cookbook"
description: "Audit all writes to LaunchAgent and LaunchDaemon directories to surface persistence attempts with complete process context for incident response."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/monitor-launch-items"
---

### Idea

Santa provides rich telemetry through the LaunchItem event type, which reports when Launch Agents, Launch Daemons or Login Items are added. However, system limitations often make analysis difficult, because macOS frequently omits key information from these events. A file access rule that watches the standard launch item persistence locations lets Santa provide complete context about when and how such items are created.

### Solutions

File Access: Monitor Launch Item Directories

Log all creations or modifications of new launch items

Path Prefixes

- /Library/LaunchAgents
- /Library/LaunchDaemons
- /Users/\*/Library/LaunchAgents

Options

Allow Read Access: true

Audit Only: true

Rule Type: PathsWithAllowedProcesses

Custom Message

Launch item modification detected
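
The rule above expressed as a policy plist, together with a check of which file paths its prefixes cover. This is an added example, not code from Santa or from this cookbook: the plist key names are assumptions about Santa's file access policy format (the page shows only the UI labels), and the rule name, version string, sample paths and the matching logic in `is_watched` are constructed approximations.

```python
import plistlib
import re

# Path prefixes and option values copied from the recipe above.
PATH_PREFIXES = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Users/*/Library/LaunchAgents",
]


def build_policy(audit_only=True):
    """Express the recipe as a policy dict.

    Key names are assumptions about Santa's policy plist; the rule name
    and version string are placeholders. audit_only=False is the blocking
    variant mentioned in the Deployment Notes.
    """
    rule = {
        "Paths": [{"Path": p, "IsPrefix": True} for p in PATH_PREFIXES],
        "Options": {
            "AllowReadAccess": True,
            "AuditOnly": audit_only,
            "RuleType": "PathsWithAllowedProcesses",
            "BlockMessage": "Launch item modification detected",
        },
        # No "Processes" list: no process is exempt, so every write is logged.
    }
    return {"Version": "v1", "WatchItems": {"MonitorLaunchItems": rule}}


def is_watched(path, policy):
    """Approximate matching: '*' spans one path component, then prefix match."""
    for rule in policy["WatchItems"].values():
        for entry in rule["Paths"]:
            parts = (re.escape(p) for p in entry["Path"].split("*"))
            regex = "[^/]*".join(parts)
            # A prefix entry also covers everything below the directory.
            regex += "(/|$)" if entry["IsPrefix"] else "$"
            if re.match(regex, path):
                return True
    return False


if __name__ == "__main__":
    policy = build_policy()
    print(plistlib.dumps(policy).decode())
    # Constructed sample paths.
    for sample in ("/Users/alice/Library/LaunchAgents/com.example.agent.plist",
                   "/Users/alice/Documents/notes.txt"):
        print(sample, is_watched(sample, policy))
```

Check the emitted key names against the file access policy documentation for your Santa version before deploying the plist.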

### MITRE ATT&CK

Tactics

[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)

Techniques

[T1543.001: Launch Agent](https://attack.mitre.org/techniques/T1543/001/), [T1543.004: Launch Daemon](https://attack.mitre.org/techniques/T1543/004/), [T1547.015: Login Items](https://attack.mitre.org/techniques/T1547/015/)

### Tags

launchagent, launchdaemon, persistence

### Deployment Notes

This rule doesn't cover all of Apple's new Background Task Management (BTM) system, such as apps that make use of the SMAppService framework. Santa does, however, provide comprehensive telemetry for all BTM-related events. Our team is still evaluating the best way to secure these other vectors with file access rules.

If you really want to lock this down extra tightly, consider making this a blocking rule (setting Block Violations to true) instead of audit-only. Adding a custom message (such as "Please contact the admin for assistance") will help guide your users into an appropriate workflow for getting an exception.

### Resources

[Santa LaunchItem Event Type](https://github.com/northpolesec/santa/blob/1506550e61cfc4cb5058dd9efcfce873fa7f4ad9/Source/common/santa.proto#L964)

