Abuse of launchctl to execute or manage Launch Agents and Daemons. Defender perspective: correlate creation or modification of a plist in a LaunchAgents or LaunchDaemons directory with a subsequent launchctl invocation (load, unload, start, bootstrap, bootout) that references that plist. A plist whose program lives in an abnormal location (e.g., /tmp, /Shared), or launchctl activity followed by outbound network connections from the newly loaded program, is highly suspicious. Because launchd also picks up plists in these directories at boot or login without any launchctl call, the plist write itself should be kept as a lower-severity signal rather than discarded when no launchctl execution follows.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | execution of launchctl load, unload, start, bootstrap or bootout commands |
| File Modification (DC0061) | macos:unifiedlog | write of plist files in /Library/LaunchAgents, /Library/LaunchDaemons or ~/Library/LaunchAgents |
| Process Creation (DC0032) | macos:unifiedlog | launchctl spawning new processes |
| Service Creation (DC0060) | macos:unifiedlog | creation or loading of new launchd services |

| Field | Description |
|---|---|
| MonitoredPaths | Paths to monitor for suspicious plist files, such as /Library/LaunchAgents, /Library/LaunchDaemons, ~/Library/LaunchAgents. |
| SuspiciousExecPaths | Uncommon executable paths (e.g., /tmp, /Shared) that should raise alerts when associated with launchctl services. |
| TimeWindow | Correlation window for detecting plist file creation and subsequent launchctl execution. |
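The correlation described above, implemented as an added example (not code from the original page or from any detection product): it consumes already-parsed telemetry records of the kind an EDR or Endpoint Security feed would provide, resolves the executable each written plist would launch, ties a launchctl load of that plist to the write inside TimeWindow, and escalates when the program path sits under a suspicious prefix or when that program makes a network connection shortly after. The event field names, the tunable values and the sample events are this example's own assumptions; the page's "/Shared" is interpreted here as /Users/Shared.

```python
"""Added example: correlate launchd plist writes, launchctl use and follow-on
network activity. Events are constructed, already-parsed records (not raw
unified-log lines); field names and tunables are assumptions for the example."""
import plistlib
import re
from datetime import datetime, timedelta

# Tunables corresponding to MonitoredPaths, SuspiciousExecPaths and TimeWindow.
MONITORED_PREFIXES = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")
USER_AGENTS_RE = re.compile(r"^/Users/[^/]+/Library/LaunchAgents/")  # ~/Library/LaunchAgents
SUSPICIOUS_EXEC_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")  # "/Shared" read as /Users/Shared
TIME_WINDOW = timedelta(minutes=10)
LOAD_VERBS = {"load", "bootstrap", "start", "kickstart", "enable"}  # subcommands that activate a job


def is_monitored(path):
    return path.startswith(MONITORED_PREFIXES) or bool(USER_AGENTS_RE.match(path))


def plist_program(content):
    """Return (Label, executable) a launchd plist would run: Program wins over
    ProgramArguments[0]. Malformed or non-dict content yields (None, None)."""
    try:
        d = plistlib.loads(content)
    except Exception:  # InvalidFileException, expat errors, etc.
        return None, None
    if not isinstance(d, dict):
        return None, None
    args = d.get("ProgramArguments") or [None]
    return d.get("Label"), d.get("Program") or args[0]


def is_suspicious_exec(path):
    return bool(path) and path.startswith(SUSPICIOUS_EXEC_PREFIXES)


def correlate(events):
    """Return alert strings for a list of {ts, type, ...} event dicts."""
    alerts = []
    pending = {}  # plist path -> (write time, label, program)
    loaded = {}   # program path -> (launchctl time, label)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_write" and is_monitored(ev["path"]):
            label, prog = plist_program(ev["content"])
            pending[ev["path"]] = (ts, label, prog)
            if is_suspicious_exec(prog):  # the write alone is already notable
                alerts.append(f"MEDIUM plist {ev['path']} ({label}) runs {prog}")
        elif ev["type"] == "exec" and ev["image"].endswith("/launchctl"):
            argv = ev["argv"]
            if len(argv) < 2 or argv[1] not in LOAD_VERBS:
                continue  # launchctl list/print and similar are not load activity
            for p in (a for a in argv[2:] if a.endswith(".plist")):
                if p not in pending or ts - pending[p][0] > TIME_WINDOW:
                    continue
                wts, label, prog = pending[p]
                sev = "HIGH" if is_suspicious_exec(prog) else "MEDIUM"
                secs = int((ts - wts).total_seconds())
                alerts.append(f"{sev} launchctl {argv[1]} {p} {secs}s after write; runs {prog}")
                if prog:
                    loaded[prog] = (ts, label)
        elif ev["type"] == "network" and ev["image"] in loaded:
            lts, label = loaded[ev["image"]]
            if ts - lts <= TIME_WINDOW:
                secs = int((ts - lts).total_seconds())
                alerts.append(f"HIGH {ev['image']} ({label}) -> {ev['dst']} {secs}s after launchctl")
    return alerts


# Constructed sample plists and telemetry (not real captures).
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.updater</string><string>-q</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

ADMIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup-agent</string>
</dict></plist>"""

SAMPLE_EVENTS = [
    # 1. Admin deploys a daemon from a normal location: correlated, but only MEDIUM.
    {"ts": "2024-05-01T09:00:00", "type": "file_write",
     "path": "/Library/LaunchDaemons/com.example.backup.plist", "content": ADMIN_PLIST},
    {"ts": "2024-05-01T09:00:20", "type": "exec", "image": "/bin/launchctl",
     "argv": ["launchctl", "bootstrap", "system", "/Library/LaunchDaemons/com.example.backup.plist"]},
    # 2. Noise that must not fire: launchctl list, and a plist outside monitored paths.
    {"ts": "2024-05-01T09:05:00", "type": "exec", "image": "/bin/launchctl",
     "argv": ["launchctl", "list"]},
    {"ts": "2024-05-01T09:06:00", "type": "file_write",
     "path": "/Library/Preferences/com.example.app.plist", "content": ADMIN_PLIST},
    # 3. Persistence from /tmp, loaded seconds later, then an outbound connection.
    {"ts": "2024-05-01T10:00:00", "type": "file_write",
     "path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist", "content": MALICIOUS_PLIST},
    {"ts": "2024-05-01T10:00:05", "type": "exec", "image": "/bin/launchctl",
     "argv": ["launchctl", "load", "-w", "/Users/alice/Library/LaunchAgents/com.example.updater.plist"]},
    {"ts": "2024-05-01T10:00:07", "type": "network", "image": "/tmp/.updater", "dst": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the sample produces four alerts: one MEDIUM for the admin deployment (write plus bootstrap within the window, normal program path), and for the /tmp agent a MEDIUM on the write, a HIGH on the launchctl load five seconds later, and a HIGH on the connection from /tmp/.updater. The plist is parsed with plistlib rather than string-matched so that a Program key, a ProgramArguments array or a binary plist all resolve to the same executable path; in production, feed it the file content captured at write time, since the attacker may rewrite or delete the plist after loading it.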