T1569.001 Launchctl Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPaths = dynamic([
  "/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/",
  "/Users/Shared/", "/Library/Caches/"
]);
let SuspiciousParents = dynamic([
  "bash", "sh", "zsh", "ksh", "fish",
  "python", "python3", "ruby", "perl", "osascript",
  "curl", "wget", "node", "npm"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "launchctl"
| where ProcessCommandLine has_any ("load", "start", "kickstart", "bootstrap")
| extend LoadFromTempPath = ProcessCommandLine has_any (SuspiciousPaths)
| extend ForceLoad = ProcessCommandLine has "-w"
| extend LoadFromUserLibrary = ProcessCommandLine matches regex @"/Users/[^/]+/Library/LaunchAgents/"
| extend ScriptingEngineParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend SuspicionScore = toint(LoadFromTempPath) + toint(ForceLoad) + toint(ScriptingEngineParent)
| where LoadFromTempPath
    or ScriptingEngineParent
    or (ForceLoad and LoadFromUserLibrary)
    or (ForceLoad and SuspicionScore >= 1)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         LoadFromTempPath, ForceLoad, LoadFromUserLibrary,
         ScriptingEngineParent, SuspicionScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS agent)

Required Tables

DeviceProcessEvents

False Positives

MDM solutions (Jamf, Mosyle, Kandji) deploying configuration profiles and LaunchAgents via scripts that invoke launchctl load — parent process will be jamf, jamfManagementService, or mdmclient
Homebrew package manager loading service plists during installation (brew services start) which internally invokes launchctl — parent path will be under /opt/homebrew/ or /usr/local/Homebrew/
macOS software installers (PKG files, App Store updates) loading LaunchDaemons for background helper processes via installer scripts
IT automation tools (Ansible, Chef, Puppet) managing Launch Daemons via shell scripts that invoke launchctl — correlate with scheduled maintenance windows
Developer tools and build systems (Docker Desktop, file sync utilities, local web servers) creating LaunchAgents for background daemons during first-run setup

Splunk

spl

index=* sourcetype="osquery:results" (columns.path="/usr/bin/launchctl" OR columns.path="/bin/launchctl" OR like(columns.cmdline, "%launchctl%"))
| eval cmdline=coalesce('columns.cmdline', "")
| eval parent_path=coalesce('columns.parent_path', 'columns.parent', "")
| eval username=coalesce('columns.username', 'columns.uid', "")
| eval LoadFromTempPath=if(match(cmdline, "(/tmp/|/private/tmp/|/var/tmp/|/var/folders/|/Users/Shared/)"), 1, 0)
| eval ForceLoad=if(match(cmdline, "launchctl\s+load\s+-w"), 1, 0)
| eval KickstartCmd=if(match(cmdline, "launchctl\s+kickstart"), 1, 0)
| eval BootstrapCmd=if(match(cmdline, "launchctl\s+bootstrap"), 1, 0)
| eval ScriptingParent=if(match(parent_path, "/(bash|sh|zsh|ksh|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$"), 1, 0)
| eval LoadUserAgent=if(match(cmdline, "/Users/[^/]+/Library/LaunchAgents/"), 1, 0)
| eval SuspicionScore=LoadFromTempPath + ForceLoad + ScriptingParent + KickstartCmd
| where SuspicionScore > 0 OR (LoadUserAgent=1 AND ScriptingParent=1)
| table _time, host, username, cmdline, parent_path, LoadFromTempPath, ForceLoad, ScriptingParent, LoadUserAgent, KickstartCmd, SuspicionScore
| sort - SuspicionScore - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution osquery process_events (macOS)

Required Sourcetypes

osquery:results

False Positives

MDM solutions (Jamf, Mosyle, Kandji) deploying configuration profiles and LaunchAgents via scripts that invoke launchctl load — parent process will be jamf, jamfManagementService, or mdmclient
Homebrew package manager loading service plists during installation (brew services start) which internally invokes launchctl — parent path will be under /opt/homebrew/ or /usr/local/Homebrew/
macOS software installers (PKG files, App Store updates) loading LaunchDaemons for background helper processes via installer scripts
IT automation tools (Ansible, Chef, Puppet) managing Launch Daemons via shell scripts that invoke launchctl — correlate with scheduled maintenance windows
Developer tools and build systems (Docker Desktop, file sync utilities, local web servers) creating LaunchAgents for background daemons during first-run setup

Elastic Security (EQL)

eql

sequence by host.name, process.parent.entity_id with maxspan=30s
  [process where event.type == "start"
   and process.name == "launchctl"
   and (
     process.args : ("load", "start", "kickstart", "bootstrap")
   )
   and (
     process.command_line : ("*/tmp/*", "*/private/tmp/*", "*/var/tmp/*", "*/var/folders/*", "*/Users/Shared/*", "*/Library/Caches/*")
     or process.parent.name : ("bash", "sh", "zsh", "ksh", "fish", "python", "python3", "ruby", "perl", "osascript", "curl", "wget", "node", "npm")
     or (process.command_line : "*-w*" and process.command_line : "*/Users/*/Library/LaunchAgents/*")
   )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent macOS process telemetry

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate software installers or package managers (Homebrew, MacPorts) that use launchctl to register services from temporary staging directories during installation
System administrators running shell scripts that invoke launchctl to manage enterprise LaunchAgents or LaunchDaemons via configuration management tools (Ansible, Chef, Puppet)
Developer tools and CI/CD pipelines that bootstrap background services by calling launchctl from scripted environments during build or test workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "processname",
  "processcmdline",
  "parentprocesspath",
  CASE
    WHEN "processcmdline" IMATCHES '%/tmp/%' OR "processcmdline" IMATCHES '%/private/tmp/%'
      OR "processcmdline" IMATCHES '%/var/tmp/%' OR "processcmdline" IMATCHES '%/var/folders/%'
      OR "processcmdline" IMATCHES '%/Users/Shared/%' THEN 1 ELSE 0
  END AS load_from_temp,
  CASE
    WHEN "processcmdline" IMATCHES '%launchctl load -w%' THEN 1 ELSE 0
  END AS force_load,
  CASE
    WHEN "processcmdline" IMATCHES '%launchctl kickstart%' THEN 1 ELSE 0
  END AS kickstart_cmd,
  CASE
    WHEN "parentprocesspath" IMATCHES '%(bash|sh|zsh|ksh|python|ruby|perl|osascript|curl|wget|node|npm)' THEN 1 ELSE 0
  END AS scripting_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (SELECT id FROM SensorDeviceType WHERE name ILIKE '%osquery%' OR name ILIKE '%carbon black%' OR name ILIKE '%falcon%')
  AND "processname" ILIKE '%launchctl%'
  AND ("processcmdline" IMATCHES '%(load|start|kickstart|bootstrap)%')
  AND starttime > NOW() - 86400000
HAVING
  load_from_temp = 1
  OR scripting_parent = 1
  OR (force_load = 1 AND "processcmdline" IMATCHES '%/Users/%/Library/LaunchAgents/%')
ORDER BY event_time DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM osquery macOS log source CrowdStrike Falcon log source Carbon Black log source

Required Tables

events

False Positives

Enterprise software deployment systems (Jamf Pro, Kandji) that use launchctl to register managed configurations and may invoke it from shell wrapper scripts
Security tools and EDR agents that use launchctl for self-installation or service registration from temporary extraction paths
Developer workstations running automated test harnesses that bootstrap launchctl services as part of local testing pipelines using scripting environments

Sumo Logic CSE

sql

_sourceCategory=*osquery* OR _sourceCategory=*endpoint* OR _sourceCategory=*macos*
| where (%"columns.path" = "/usr/bin/launchctl" OR %"columns.path" = "/bin/launchctl" OR %"columns.cmdline" matches "*launchctl*")
| if(isNull(%"columns.cmdline"), "", %"columns.cmdline") as cmdline
| if(isNull(%"columns.parent_path"), "", %"columns.parent_path") as parent_path
| if(isNull(%"columns.username"), "", %"columns.username") as username
| if(isNull(%"columns.host"), _sourceHost, %"columns.host") as endpoint_host
| if(cmdline matches "*(/tmp/|/private/tmp/|/var/tmp/|/var/folders/|/Users/Shared/)*", 1, 0) as LoadFromTempPath
| if(cmdline matches "*launchctl load -w*", 1, 0) as ForceLoad
| if(cmdline matches "*launchctl kickstart*", 1, 0) as KickstartCmd
| if(cmdline matches "*launchctl bootstrap*", 1, 0) as BootstrapCmd
| if(parent_path matches "*(bash|sh|zsh|ksh|python|ruby|perl|osascript|curl|wget|node|npm)", 1, 0) as ScriptingParent
| if(cmdline matches "*/Users/*/Library/LaunchAgents/*", 1, 0) as LoadUserAgent
| LoadFromTempPath + ForceLoad + ScriptingParent + KickstartCmd as SuspicionScore
| where SuspicionScore > 0 or (LoadUserAgent = 1 and ScriptingParent = 1)
| fields _messagetime, endpoint_host, username, cmdline, parent_path, LoadFromTempPath, ForceLoad, ScriptingParent, LoadUserAgent, KickstartCmd, SuspicionScore
| sort by SuspicionScore desc, _messagetime desc

high severity medium confidence

Data Sources

Sumo Logic CSE osquery macOS process_events table macOS Unified Log forwarding

Required Tables

_sourceCategory=*osquery* _sourceCategory=*macos*

False Positives

macOS system updates or Apple software patches that invoke launchctl via shell scripts to reload system services during the update process
Third-party application installers using curl or wget to download components and then calling launchctl to register background update agents
Legitimate developer tools such as Docker Desktop, VirtualBox, or VMware Fusion that register system extensions or helpers using launchctl from non-standard paths

Google Chronicle / SecOps

yaral

rule t1569_001_launchctl_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1569.001 launchctl abuse on macOS — suspicious launchctl invocations loading from temp paths, invoked by scripting engines, or using force-load flags with user LaunchAgent directories"
    mitre_attack_technique = "T1569.001"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /\/usr\/bin\/launchctl|\/bin\/launchctl/
    (
      $e.target.process.command_line = /launchctl\s+(load|start|kickstart|bootstrap)/
      or $e.target.process.file.full_path = /launchctl/
    )
    (
      $e.target.process.command_line = /\/tmp\/|\/private\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/Users\/Shared\//
      or $e.principal.process.file.full_path = /(bash|sh|zsh|ksh|fish|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$/
      or (
        $e.target.process.command_line = /\-w/
        and $e.target.process.command_line = /\/Users\/[^\/]+\/Library\/LaunchAgents\//
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) macOS endpoint telemetry via Chronicle forwarder

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Enterprise MDM solutions (Jamf, Mosyle, Kandji) that deploy configuration profiles and service registrations using launchctl via managed shell scripts on enrolled macOS endpoints
Software development environments where build scripts or test runners launch background services using launchctl, particularly in organizations with active macOS development teams
IT automation tools (Ansible, Terraform) managing macOS fleet configuration that run launchctl commands through scripted playbooks during maintenance windows

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /\/usr\/bin\/launchctl|\/bin\/launchctl/i
| CommandLine = /(load|start|kickstart|bootstrap)/i
| (
    CommandLine = /\/tmp\/|\/private\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/Users\/Shared\//i
    OR ParentBaseFileName = /^(bash|sh|zsh|ksh|fish|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$/i
    OR (
      CommandLine = /\-w/i
      AND CommandLine = /\/Users\/[^\/]+\/Library\/LaunchAgents\//i
    )
  )
| eval(LoadFromTempPath = if(CommandLine = /\/tmp\/|\/private\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/Users\/Shared\//i, 1, 0))
| eval(ForceLoad = if(CommandLine = /launchctl\s+load\s+-w/i, 1, 0))
| eval(KickstartCmd = if(CommandLine = /launchctl\s+kickstart/i, 1, 0))
| eval(ScriptingParent = if(ParentBaseFileName = /^(bash|sh|zsh|ksh|fish|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$/i, 1, 0))
| eval(LoadUserAgent = if(CommandLine = /\/Users\/[^\/]+\/Library\/LaunchAgents\//i, 1, 0))
| eval(SuspicionScore = LoadFromTempPath + ForceLoad + KickstartCmd + ScriptingParent)
| table([timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, LoadFromTempPath, ForceLoad, ScriptingParent, LoadUserAgent, KickstartCmd, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale Falcon sensor macOS process telemetry

Required Tables

ProcessRollup2

False Positives

Falcon sensor self-update or configuration processes that may appear as launchctl activity when the Falcon agent registers its own macOS LaunchDaemon components
IT managed deployment scripts distributed via CrowdStrike RTR (Real Time Response) that invoke launchctl to push configuration changes to managed macOS fleet endpoints
Security scanning tools or vulnerability assessment scripts that test launchctl behavior on managed endpoints as part of scheduled compliance or hardening verification checks

Launchctl

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections