title: Launchctl (T1569.001)
id: df00tech-t1569-001
status: experimental
description: "Adversaries may abuse launchctl to execute commands or programs on macOS. Launchctl interfaces with launchd, the macOS service management framework, and supports subcommands including load, unload, start, stop, and kickstart. Adversaries use launchctl to execute payloads as Launch Agents (per-user persistence in ~/Library/LaunchAgents/ or /Library/LaunchAgents/) or Launch Daemons (system-level persistence in /Library/LaunchDaemons/). Common attack patterns include loading malicious plist files from world-writable directories such as /tmp, using the -w flag to force-enable disabled services, and invoking launchctl from scripting engines after initial access. Real-world threat actors using this technique include LoudMiner (QEMU-based cryptominer), Cuckoo Stealer, AppleJeus (North Korean cryptocurrency theft), macOS.OSAMiner, XCSSET (Xcode project infection), and Calisto spyware."
references:
  - https://attack.mitre.org/techniques/T1569/001/
  - https://df00tech.com/detections/T1569.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1569.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "MDM solutions (Jamf, Mosyle, Kandji) deploying configuration profiles and LaunchAgents via scripts that invoke launchctl load — parent process will be jamf, jamfManagementService, or mdmclient"
  - "Homebrew package manager loading service plists during installation (brew services start), which internally invokes launchctl — parent path will be under /opt/homebrew/ or /usr/local/Homebrew/"
  - "macOS software installers (PKG files, App Store updates) loading LaunchDaemons for background helper processes via installer scripts"
  - "IT automation tools (Ansible, Chef, Puppet) managing Launch Daemons via shell scripts that invoke launchctl — correlate with scheduled maintenance windows"
  - "Developer tools and build systems (Docker Desktop, file sync utilities, local web servers) creating LaunchAgents for background daemons during first-run setup"
level: high

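Added example, not part of the df00tech rule or its KQL/SPL query: a Python evaluator that applies the launchctl patterns from the description (load -w, plists loaded from world-writable paths, scripting-engine parents) to process-creation events and tunes out the MDM and Homebrew parents listed under falsepositives. Event field names, the sample events and the scripting-engine list are assumptions.

```python
import shlex
from typing import Dict, List

# Benign launchctl callers named in the rule's falsepositives section (MDM, Homebrew).
BENIGN_PARENT_NAMES = {"jamf", "jamfManagementService", "mdmclient"}
BENIGN_PARENT_PREFIXES = ("/opt/homebrew/", "/usr/local/Homebrew/")
# Scripting engines the description mentions as launchctl invokers (assumed list).
SCRIPTING_ENGINES = {"osascript", "python", "python3", "perl", "ruby"}
# World-writable locations a legitimately installed plist would not be loaded from.
SUSPICIOUS_PLIST_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event matches (empty list means no alert)."""
    if not event.get("image", "").endswith("/launchctl"):
        return []
    parent = event.get("parent_name", "")
    if parent in BENIGN_PARENT_NAMES or event.get("parent_image", "").startswith(BENIGN_PARENT_PREFIXES):
        return []  # tuned out: known-good deployment path from the falsepositives list
    try:
        argv = shlex.split(event.get("command_line", ""))
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = event.get("command_line", "").split()
    if len(argv) < 2 or argv[1] not in {"load", "start", "kickstart"}:
        return []
    reasons = []
    if argv[1] == "load" and "-w" in argv[2:]:
        reasons.append("load -w force-enables a disabled job")
    if any(a.startswith(SUSPICIOUS_PLIST_PREFIXES) for a in argv[2:]):
        reasons.append("plist loaded from a world-writable directory")
    if parent in SCRIPTING_ENGINES:
        reasons.append(f"launchctl spawned by scripting engine {parent}")
    return reasons


# Constructed sample events (not real telemetry): a hit, an MDM exclusion and a clean load.
SAMPLE_EVENTS = [
    {"image": "/bin/launchctl", "parent_name": "osascript", "parent_image": "/usr/bin/osascript",
     "command_line": "launchctl load -w /tmp/com.example.agent.plist"},
    {"image": "/bin/launchctl", "parent_name": "jamf", "parent_image": "/usr/local/bin/jamf",
     "command_line": "launchctl load -w /Library/LaunchDaemons/com.example.mdm.daemon.plist"},
    {"image": "/bin/launchctl", "parent_name": "bash", "parent_image": "/bin/bash",
     "command_line": "launchctl load /Library/LaunchAgents/com.example.helper.plist"},
]


def alerts(events=SAMPLE_EVENTS) -> List[List[str]]:
    """Evaluate each event; an inner list is empty when that event does not alert."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, why in zip(SAMPLE_EVENTS, alerts()):
        print("ALERT" if why else "ok   ", ev["command_line"], why)
```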