T1569.001 Splunk · SPL

Detect Launchctl in Splunk

Adversaries may abuse launchctl to execute commands or programs on macOS. Launchctl interfaces with launchd, the macOS service management framework, and supports subcommands including load, unload, start, stop, and kickstart. Adversaries use launchctl to execute payloads as Launch Agents (per-user persistence in ~/Library/LaunchAgents/ or /Library/LaunchAgents/) or Launch Daemons (system-level persistence in /Library/LaunchDaemons/). Common attack patterns include loading malicious plist files from world-writable directories such as /tmp, using the -w flag to force-enable disabled services, and invoking launchctl from scripting engines after initial access. Real-world threat actors using this technique include LoudMiner (QEMU-based cryptominer), Cuckoo Stealer, AppleJeus (North Korean cryptocurrency theft), macOS.OSAMiner, XCSSET (Xcode project infection), and Calisto spyware.

MITRE ATT&CK

Tactic
Execution
Technique
T1569 System Services
Sub-technique
T1569.001 Launchctl
Canonical reference
https://attack.mitre.org/techniques/T1569/001/

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype="osquery:results" (columns.path="/usr/bin/launchctl" OR columns.path="/bin/launchctl" OR like(columns.cmdline, "%launchctl%"))
| eval cmdline=coalesce('columns.cmdline', "")
| eval parent_path=coalesce('columns.parent_path', 'columns.parent', "")
| eval username=coalesce('columns.username', 'columns.uid', "")
| eval LoadFromTempPath=if(match(cmdline, "(/tmp/|/private/tmp/|/var/tmp/|/var/folders/|/Users/Shared/)"), 1, 0)
| eval ForceLoad=if(match(cmdline, "launchctl\s+load\s+-w"), 1, 0)
| eval KickstartCmd=if(match(cmdline, "launchctl\s+kickstart"), 1, 0)
| eval BootstrapCmd=if(match(cmdline, "launchctl\s+bootstrap"), 1, 0)
| eval ScriptingParent=if(match(parent_path, "/(bash|sh|zsh|ksh|python[0-9.]*|ruby|perl|osascript|curl|wget|node|npm)$"), 1, 0)
| eval LoadUserAgent=if(match(cmdline, "/Users/[^/]+/Library/LaunchAgents/"), 1, 0)
| eval SuspicionScore=LoadFromTempPath + ForceLoad + ScriptingParent + KickstartCmd
| where SuspicionScore > 0 OR (LoadUserAgent=1 AND ScriptingParent=1)
| table _time, host, username, cmdline, parent_path, LoadFromTempPath, ForceLoad, ScriptingParent, LoadUserAgent, KickstartCmd, SuspicionScore
| sort - SuspicionScore - _time
high severity medium confidence

Detects suspicious launchctl execution patterns on macOS using osquery process event data forwarded to Splunk. Evaluates command lines for high-risk indicators: loading from temp paths, force-loading with -w flag, kickstart/bootstrap subcommands, and invocation from scripting engines or download utilities. Assigns a cumulative suspicion score for analyst prioritization. Requires osquery deployed via Fleet, Kolide, or the Splunk Add-on for osquery with the process_events or processes table enabled in the osquery configuration.

Data Sources

Process: Process CreationCommand: Command Executionosquery process_events (macOS)

Required Sourcetypes

osquery:results

False Positives & Tuning

  • MDM solutions (Jamf, Mosyle, Kandji) deploying configuration profiles and LaunchAgents via scripts that invoke launchctl load — parent process will be jamf, jamfManagementService, or mdmclient
  • Homebrew package manager loading service plists during installation (brew services start) which internally invokes launchctl — parent path will be under /opt/homebrew/ or /usr/local/Homebrew/
  • macOS software installers (PKG files, App Store updates) loading LaunchDaemons for background helper processes via installer scripts
  • IT automation tools (Ansible, Chef, Puppet) managing Launch Daemons via shell scripts that invoke launchctl — correlate with scheduled maintenance windows
  • Developer tools and build systems (Docker Desktop, file sync utilities, local web servers) creating LaunchAgents for background daemons during first-run setup
Download portable Sigma rule (.yml)

Other platforms for T1569.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Load LaunchAgent from /tmp (Malware Staging Pattern)

    Expected signal: Process creation: launchctl with ProcessCommandLine containing 'load /tmp/com.df00tech.atomictest.plist'; parent process is the executing shell. Secondary process creation: /bin/sh spawned by launchd executing the RunAtLoad ProgramArguments. File creation: /tmp/launchctl_test_output.txt written by the loaded agent. macOS Unified Log entry for com.df00tech.atomictest service start under the current user's launchd domain.

  2. Test 2Load LaunchDaemon with Force-Enable Flag (-w) — XCSSET and LoudMiner Technique

    Expected signal: Process creation: sudo followed by launchctl with ProcessCommandLine containing 'load -w /Library/LaunchDaemons/com.df00tech.daemontest.plist'. File creation event in /Library/LaunchDaemons/ directory (anomalous outside MDM-managed deployments). launchd override database updated at /var/db/launchd.db/. macOS Unified Log records bootstrap of com.df00tech.daemontest in the system launchd domain.

  3. Test 3Enable Screen Sharing via Launchctl — Calisto Spyware Technique

    Expected signal: Process creation: launchctl with ProcessCommandLine 'load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist'. Parent process is sudo/shell. macOS Unified Log records screensharing daemon activation. System Preferences -> Sharing would show Screen Sharing enabled. VNC listener appears on TCP port 5900 (detectable via network telemetry). launchd override database records screensharing as enabled.

  4. Test 4Launchctl Invoked from Python Dropper (Staged Execution Chain)

    Expected signal: Process creation chain: python3 spawning /bin/launchctl as a child process. ProcessCommandLine for launchctl: 'load /tmp/com.df00tech.pytest.plist'. InitiatingProcessFileName: python3. This specific parent-child relationship (python3 → launchctl) is the key detection signal. Secondary process creation: /bin/sh running the ProgramArguments payload, spawned by launchd.

Last updated: 2026-04-21 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1569.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1569System Services

Related Sub-techniques

T1569.002Service ExecutionT1569.003Systemctl

Related Techniques

T1543.001Launch AgentT1543.004Launch DaemonT1569System ServicesT1059.004Unix ShellT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1036.005Match Legitimate Resource Name or LocationT1564.001Hidden Files and DirectoriesT1222.002Linux and Mac File and Directory Permissions Modification

Same Tactic: Execution

Popular Detections