DET0265 Detection Strategy for System Services: Launchctl

ID: DET0265
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1569.001 (Launchctl)

Analytics

macOS

AN0736

Abuse of launchctl to execute or manage Launch Agents and Daemons. Defender perspective: correlate suspicious plist file creation or modification in the LaunchAgents/LaunchDaemons directories with subsequent execution of the launchctl command. A loaded service whose executable lives in an abnormal path (e.g., /tmp, /Shared), or launchctl activity followed by network connections, is highly suspicious.

Log Sources

Data Component              | Name             | Channel
Command Execution (DC0064)  | macos:unifiedlog | execution of launchctl load/unload/start commands
File Modification (DC0061)  | macos:unifiedlog | write of plist files in /Library/LaunchAgents or /Library/LaunchDaemons
Process Creation (DC0032)   | macos:unifiedlog | launchctl spawning new processes
Service Creation (DC0060)   | macos:unifiedlog | creation or loading of new launchd services

Mutable Elements

Field               | Description
MonitoredPaths      | Paths to monitor for suspicious plist files, such as /Library/LaunchAgents, /Library/LaunchDaemons, ~/Library/LaunchAgents.
SuspiciousExecPaths | Uncommon executable paths (e.g., /tmp, /Shared) that should raise alerts when associated with launchctl services.
TimeWindow          | Correlation window for detecting plist file creation and subsequent launchctl execution.
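As an added example (not part of this strategy page or any ATT&CK tooling), the following Python script implements the correlation described by AN0736: plist writes in the monitored directories are paired with launchctl runs that reference the file or its Label within TimeWindow, and the service's executable is checked against SuspiciousExecPaths. The event dictionaries, timestamps and plist contents are constructed sample data standing in for collected unified-log records; the field names (ts, type, path, cmdline) are assumptions about a collector's output shape.

```python
import os
import plistlib
from datetime import datetime, timedelta

# Mutable elements from the strategy; concrete values are assumptions for this example.
MONITORED_PATHS = ("/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents")
SUSPICIOUS_EXEC_PATHS = ("/tmp/", "/Shared/")   # substring match so /Users/Shared/... also hits
TIME_WINDOW = timedelta(minutes=5)

def in_monitored_dir(path):
    """True if the plist sits in a monitored directory; a leading '~' matches any user home."""
    d = os.path.dirname(path)
    return any(d == p or (p.startswith("~") and d.endswith(p[1:])) for p in MONITORED_PATHS)

def service_details(plist_bytes):
    """Return (Label, executable) for a launchd plist: Program, else ProgramArguments[0]."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or [None]
    return p.get("Label", ""), p.get("Program") or args[0]

def is_suspicious_exec(exe):
    return exe is not None and any(s in exe for s in SUSPICIOUS_EXEC_PATHS)

def correlate(events):
    """Pair each monitored plist write with launchctl executions that reference it inside TIME_WINDOW."""
    alerts = []
    for w in (e for e in events if e["type"] == "file_write" and in_monitored_dir(e["path"])):
        label, exe = service_details(w["content"])
        for e in events:
            if e["type"] != "process_exec" or e["process"] != "launchctl":
                continue
            delta = e["ts"] - w["ts"]          # launchctl must run after the write, within the window
            if timedelta(0) <= delta <= TIME_WINDOW and (w["path"] in e["cmdline"] or (label and label in e["cmdline"])):
                alerts.append({"plist": w["path"], "cmdline": e["cmdline"], "program": exe,
                               "severity": "high" if is_suspicious_exec(exe) else "medium"})
    return alerts

# Constructed sample events (not real unified-log output), in the shape a collector might emit.
T0 = datetime(2025, 10, 21, 12, 0, 0)
BENIGN = plistlib.dumps({"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater"]})
ODD = plistlib.dumps({"Label": "com.example.helper", "ProgramArguments": ["/tmp/helper", "-d"]})
SAMPLE_EVENTS = [
    {"ts": T0, "type": "file_write", "path": "/Library/LaunchAgents/com.example.updater.plist", "content": BENIGN},
    {"ts": T0 + timedelta(seconds=10), "type": "process_exec", "process": "launchctl", "cmdline": "launchctl load /Library/LaunchAgents/com.example.updater.plist"},
    {"ts": T0 + timedelta(minutes=30), "type": "file_write", "path": "/Users/alice/Library/LaunchAgents/com.example.helper.plist", "content": ODD},
    {"ts": T0 + timedelta(minutes=31), "type": "process_exec", "process": "launchctl", "cmdline": "launchctl load -w /Users/alice/Library/LaunchAgents/com.example.helper.plist"},
    {"ts": T0 + timedelta(hours=2), "type": "process_exec", "process": "launchctl", "cmdline": "launchctl list"},
]
```

Running correlate(SAMPLE_EVENTS) yields two alerts: a medium one for the /usr/local/bin service and a high one for the service whose executable is under /tmp; the later "launchctl list" falls outside every window and references no plist.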