1. Home
  2. Techniques
  3. Enterprise
  4. System Services
  5. Launchctl

System Services: Launchctl

ID Name
T1569.001 Launchctl
T1569.002 Service Execution
T1569.003 Systemctl

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1]

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons.[2][3]

ID: T1569.001
Sub-technique of:  T1569
Tactic: Execution
Platforms: macOS
Version: 1.3
Created: 10 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has loaded a plist file using the launchctl command.[4]
S0274 Calisto

Calisto uses launchctl to enable screen sharing on the victim’s machine.[5]
S1153 Cuckoo Stealer

Cuckoo Stealer can use launchctl to load a LaunchAgent for persistence.[6]
S0451 LoudMiner

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.[7]

S1048 macOS.OSAMiner

macOS.OSAMiner has used launchctl to restart the Launch Agent.[8]
S0658 XCSSET

XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.[9]

Mitigations

ID Mitigation Description
M1018 User Account Management

Prevent users from installing their own launch agents or launch daemons.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0265 Detection Strategy for System Services: Launchctl AN0736

Abuse of launchctl to execute or manage Launch Agents and Daemons. Defender perspective: correlation of suspicious plist file creation or modification in LaunchAgents/LaunchDaemons directories with subsequent execution of the launchctl command. Abnormal executable paths (e.g., /tmp, /Shared) or launchctl activity followed by network connections are highly suspicious.

References

  1. SS64. (n.d.). launchctl. Retrieved March 28, 2020.
  2. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  3. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  4. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  5. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  1. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  2. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  3. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  4. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.