Detect Launchctl in CrowdStrike LogScale
Adversaries may abuse launchctl to execute commands or programs on macOS. Launchctl interfaces with launchd, the macOS service management framework, and supports subcommands including load, unload, start, stop, and kickstart. Adversaries use launchctl to execute payloads as Launch Agents (per-user persistence in ~/Library/LaunchAgents/ or /Library/LaunchAgents/) or Launch Daemons (system-level persistence in /Library/LaunchDaemons/). Common attack patterns include loading malicious plist files from world-writable directories such as /tmp, using the -w flag to force-enable disabled services, and invoking launchctl from scripting engines after initial access. Real-world threat actors using this technique include LoudMiner (QEMU-based cryptominer), Cuckoo Stealer, AppleJeus (North Korean cryptocurrency theft), macOS.OSAMiner, XCSSET (Xcode project infection), and Calisto spyware.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1569 System Services
- Sub-technique
- T1569.001 Launchctl
- Canonical reference
- https://attack.mitre.org/techniques/T1569/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /\/usr\/bin\/launchctl|\/bin\/launchctl/i
| CommandLine = /(load|start|kickstart|bootstrap)/i
| (
CommandLine = /\/tmp\/|\/private\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/Users\/Shared\//i
OR ParentBaseFileName = /^(bash|sh|zsh|ksh|fish|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$/i
OR (
CommandLine = /\-w/i
AND CommandLine = /\/Users\/[^\/]+\/Library\/LaunchAgents\//i
)
)
| eval(LoadFromTempPath = if(CommandLine = /\/tmp\/|\/private\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/Users\/Shared\//i, 1, 0))
| eval(ForceLoad = if(CommandLine = /launchctl\s+load\s+-w/i, 1, 0))
| eval(KickstartCmd = if(CommandLine = /launchctl\s+kickstart/i, 1, 0))
| eval(ScriptingParent = if(ParentBaseFileName = /^(bash|sh|zsh|ksh|fish|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$/i, 1, 0))
| eval(LoadUserAgent = if(CommandLine = /\/Users\/[^\/]+\/Library\/LaunchAgents\//i, 1, 0))
| eval(SuspicionScore = LoadFromTempPath + ForceLoad + KickstartCmd + ScriptingParent)
| table([timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, LoadFromTempPath, ForceLoad, ScriptingParent, LoadUserAgent, KickstartCmd, SuspicionScore])
| sort(SuspicionScore, order=desc)CrowdStrike LogScale (Falcon) CQL detection for T1569.001 launchctl abuse on macOS. Queries ProcessRollup2 events from Falcon sensor telemetry to identify launchctl invocations loading from world-writable temp directories, spawned by scripting engines or download utilities, or force-loading user LaunchAgent services. Composite suspicion scoring mirrors the reference KQL/SPL detection logic.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor self-update or configuration processes that may appear as launchctl activity when the Falcon agent registers its own macOS LaunchDaemon components
- IT managed deployment scripts distributed via CrowdStrike RTR (Real Time Response) that invoke launchctl to push configuration changes to managed macOS fleet endpoints
- Security scanning tools or vulnerability assessment scripts that test launchctl behavior on managed endpoints as part of scheduled compliance or hardening verification checks
Other platforms for T1569.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Load LaunchAgent from /tmp (Malware Staging Pattern)
Expected signal: Process creation: launchctl with ProcessCommandLine containing 'load /tmp/com.df00tech.atomictest.plist'; parent process is the executing shell. Secondary process creation: /bin/sh spawned by launchd executing the RunAtLoad ProgramArguments. File creation: /tmp/launchctl_test_output.txt written by the loaded agent. macOS Unified Log entry for com.df00tech.atomictest service start under the current user's launchd domain.
- Test 2Load LaunchDaemon with Force-Enable Flag (-w) — XCSSET and LoudMiner Technique
Expected signal: Process creation: sudo followed by launchctl with ProcessCommandLine containing 'load -w /Library/LaunchDaemons/com.df00tech.daemontest.plist'. File creation event in /Library/LaunchDaemons/ directory (anomalous outside MDM-managed deployments). launchd override database updated at /var/db/launchd.db/. macOS Unified Log records bootstrap of com.df00tech.daemontest in the system launchd domain.
- Test 3Enable Screen Sharing via Launchctl — Calisto Spyware Technique
Expected signal: Process creation: launchctl with ProcessCommandLine 'load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist'. Parent process is sudo/shell. macOS Unified Log records screensharing daemon activation. System Preferences -> Sharing would show Screen Sharing enabled. VNC listener appears on TCP port 5900 (detectable via network telemetry). launchd override database records screensharing as enabled.
- Test 4Launchctl Invoked from Python Dropper (Staged Execution Chain)
Expected signal: Process creation chain: python3 spawning /bin/launchctl as a child process. ProcessCommandLine for launchctl: 'load /tmp/com.df00tech.pytest.plist'. InitiatingProcessFileName: python3. This specific parent-child relationship (python3 → launchctl) is the key detection signal. Secondary process creation: /bin/sh running the ProgramArguments payload, spawned by launchd.
References (11)
- https://attack.mitre.org/techniques/T1569/001/
- https://ss64.com/osx/launchctl.html
- https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://blog.kandji.io/cuckoo-stealer
- https://us-cert.cisa.gov/ncas/alerts/aa21-048a
- https://securelist.com/calisto-trojan-for-macos/86543/
- https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-zero-day-exploit.html
- https://www.welivesecurity.com/2019/07/09/mac-cryptocurrency-trading-app-repackaged-deliver-sigspoof-backdoor/
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md
Unlock Pro Content
Get the full detection package for T1569.001 including response playbook, investigation guide, and atomic red team tests.