Creation of Hidden Launch Agent or Daemon

Elastic Detection Rules

Summary
The detection rule "Creation of Hidden Launch Agent or Daemon" identifies instances where an adversary may create unauthorized launch agents or daemons on macOS systems to establish persistence. This occurs when malicious actors install new agents that run automatically at user login, facilitating covert operations without user consent. The rule employs EQL (Event Query Language) to scrutinize specific file paths typically associated with launch agents and daemons, filtering out deletion events. It searches for newly created plist files under designated directories, which are prime targets for adversaries aiming to maintain stealth through persistence mechanisms. The rule is integrated within Elastic Defend and monitors data generated by the Elastic Agent, which must be configured to capture endpoint events relevant to security monitoring. Potential investigation steps include examining file paths, timestamps, the contents of plist files, user account history, and correlating findings with threat intelligence. The rule has a medium severity level and is intended to help security analysts identify suspicious activities proactively.
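The following Python is an added illustration of the filtering the summary describes, run over constructed file events; it is not the rule's own EQL, which this page does not reproduce. The launch-agent/daemon directory patterns and the dot-prefix test for "hidden" are assumptions made for the example.

```python
import fnmatch

# Assumed directories where launch agents and daemons are loaded from;
# the page does not list the rule's exact paths.
LAUNCH_DIR_PATTERNS = [
    "/Users/*/Library/LaunchAgents/*",
    "/Library/LaunchAgents/*",
    "/Library/LaunchDaemons/*",
    "/System/Library/LaunchAgents/*",
    "/System/Library/LaunchDaemons/*",
]


def is_hidden_launch_plist(path):
    """True for a dot-prefixed .plist inside a launch agent/daemon directory."""
    name = path.rsplit("/", 1)[-1]
    if not (name.startswith(".") and name.endswith(".plist")):
        return False
    return any(fnmatch.fnmatch(path, pat) for pat in LAUNCH_DIR_PATTERNS)


def match_events(events):
    """Mirror the summary's logic: macOS file events, deletions excluded,
    path must be a hidden plist under a launch directory."""
    hits = []
    for ev in events:
        if ev.get("event.category") != "file" or ev.get("host.os.type") != "macos":
            continue
        if ev.get("event.type") == "deletion":
            continue
        if is_hidden_launch_plist(ev.get("file.path", "")):
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "file", "host.os.type": "macos", "event.type": "creation",
     "file.path": "/Users/alice/Library/LaunchAgents/.com.example.update.plist"},
    {"event.category": "file", "host.os.type": "macos", "event.type": "creation",
     "file.path": "/Library/LaunchDaemons/com.example.helper.plist"},   # not hidden
    {"event.category": "file", "host.os.type": "macos", "event.type": "deletion",
     "file.path": "/Library/LaunchAgents/.stale.plist"},                # deletion, ignored
    {"event.category": "file", "host.os.type": "macos", "event.type": "change",
     "file.path": "/Library/LaunchDaemons/.svc.plist"},                 # non-deletion, hidden
    {"event.category": "file", "host.os.type": "macos", "event.type": "creation",
     "file.path": "/tmp/.notes.plist"},                                 # wrong directory
    {"event.category": "file", "host.os.type": "linux", "event.type": "creation",
     "file.path": "/Library/LaunchAgents/.x.plist"},                    # wrong OS
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("ALERT hidden launch plist:", hit["file.path"])
```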
Categories
  • macOS
  • Endpoint
Data Sources
  • File
  • Application Log
  • Network Share
ATT&CK Techniques
  • T1543
  • T1543.001
  • T1564
  • T1564.001
Created: 2020-01-05