System Services: Launchctl

ID Name
T1569.001 Launchctl
T1569.002 Service Execution

Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agents and Launch Daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1]

By loading or reloading Launch Agents or Launch Daemons, adversaries can install persistence or execute changes they made.[2]

Running a command from launchctl is as simple as launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg". Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.

ID: T1569.001
Sub-technique of:  T1569
Tactic: Execution
Platforms: macOS
Permissions Required: User, root
Data Sources: Command: Command Execution, File: File Modification, Process: Process Creation, Service: Service Creation
Version: 1.0
Created: 10 March 2020
Last Modified: 08 June 2020

Procedure Examples

ID | Name | Description
S0584 | AppleJeus | AppleJeus has loaded a plist file using the launchctl command.[3]
S0274 | Calisto | Calisto uses launchctl to enable screen sharing on the victim's machine.[4]
S0451 | LoudMiner | LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl.[5]


Mitigations

ID | Mitigation | Description
M1018 | User Account Management | Prevent users from installing their own launch agents or launch daemons.


Detection

KnockKnock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.
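One way to implement the process-execution monitoring described above, as an added example (not code from this page or from any tool it names): it classifies launchctl command lines taken from process-creation telemetry, covering plist loads checked against a baseline, submit jobs that have no plist on disk, and launchctl started with no subcommand in argv. The baseline set, the sample events and the function names are assumptions constructed for illustration.

```python
import shlex

# Assumption: plist paths approved for this fleet (constructed value).
BASELINE_PLISTS = {"/Library/LaunchDaemons/com.example.backup.plist"}
PLIST_SUBCOMMANDS = {"load", "bootstrap"}  # subcommands that take plist paths

def triage(cmdline):
    """Classify one process command line; None if it is not launchctl."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "launchctl":
        return None
    if len(argv) == 1:
        # Subcommands then arrive interactively or on stdin; argv is blind to them.
        return ("review", "no subcommand in argv; check stdin and parent process")
    sub, rest = argv[1], argv[2:]
    if sub == "submit":
        # submit starts a job that has no plist on disk; the program follows "--".
        i = rest.index("--") if "--" in rest else len(rest)
        prog = rest[i + 1] if i + 1 < len(rest) else "<unknown>"
        return ("alert", "ad-hoc job runs " + prog)
    if sub in PLIST_SUBCOMMANDS:
        # Only absolute paths are compared; a relative or missing path is flagged.
        paths = [a for a in rest if a.startswith("/")]
        unknown = [p for p in paths if p not in BASELINE_PLISTS]
        if unknown or not paths:
            return ("alert", "not in baseline: " + (", ".join(unknown) or "<no absolute path>"))
        return ("ok", "baseline plist")
    return ("ok", "subcommand " + sub)

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    "/bin/launchctl load /Library/LaunchDaemons/com.example.backup.plist",
    "launchctl load -w /Library/LaunchDaemons/com.example.qemu.plist",
    'launchctl submit -l com.example.job -- /tmp/tool "arg one" arg2',
    "/bin/launchctl",
    "/bin/ls -la /Library/LaunchDaemons",
    "launchctl list",
]

def run(events=SAMPLE_EVENTS):
    """Return (event, verdict) pairs for the launchctl events only."""
    results = [(e, triage(e)) for e in events]
    return [(e, v) for e, v in results if v is not None]

if __name__ == "__main__":
    for event, (verdict, detail) in run():
        print(f"{verdict:6} {detail} <- {event}")
```

The submit branch matters because file monitoring of plist directories never sees those jobs; only command or process telemetry does.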