Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0736: Analytic 0736

Abuse of launchctl to execute or manage Launch Agents and Daemons. Defender perspective: correlation of suspicious plist file creation or modification in LaunchAgents/LaunchDaemons directories with subsequent execution of the launchctl command. Abnormal executable paths (e.g., /tmp, /Shared) or launchctl activity followed by network connections are highly suspicious.

EnterpriseAN0736AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic focuses on macOS abuse of launchctl to execute or manage Launch Agents and Launch Daemons. For leaders, the decision value is persistence and execution readiness on macOS endpoints: if the organization relies on Macs for executives, developers, administrators, or privileged workflows, teams should know whether they can connect suspicious plist changes to later launchctl activity and possible network behavior.

Executive priority

Prioritize this as a macOS endpoint resilience and incident-response validation item. The business question is not just whether launchctl exists, but whether security teams can prove when LaunchAgents or LaunchDaemons are created or modified, who made the change, what executable path is referenced, and whether launchctl execution is followed by network connections. This supports control assurance, audit evidence, and faster scoping during a macOS incident.

Technical view

SOC and detection teams should validate correlation across suspicious plist file creation or modification in LaunchAgents/LaunchDaemons directories and subsequent launchctl command execution. The supplied ATT&CK description highlights abnormal executable paths such as /tmp or /Shared and launchctl activity followed by network connections as highly suspicious. Because no tactic mapping, detection logic, or relationships are supplied, local tuning should be based on observed administrative workflows and legitimate macOS management tooling.

Likely telemetry

  • macOS file creation and modification events for LaunchAgents and LaunchDaemons directories
  • Process execution telemetry for launchctl
  • Command-line arguments associated with launchctl execution
  • File path details referenced by plist files, especially unusual locations such as /tmp or /Shared
  • Network connection telemetry following launchctl activity

Detection direction

  • Validate that endpoint telemetry can correlate plist creation or modification with later launchctl execution on the same host and user context where available.
  • Prioritize alerts where plist-referenced executables reside in abnormal paths such as /tmp or /Shared.
  • Increase suspicion when launchctl activity is followed by outbound network connections.
  • Tune for legitimate macOS administration, software management, and endpoint management workflows to reduce false positives.
  • Check for blind spots on unmanaged or lightly monitored macOS systems, especially where file modification, command-line, or network telemetry is incomplete.

Mitigation priorities

  • Confirm macOS endpoints are covered by logging that captures plist file changes, process execution, command-line detail, and network connections.
  • Restrict and monitor write access to LaunchAgents and LaunchDaemons locations according to least privilege and administrative need.
  • Establish baselines for approved launchctl usage and authorized Launch Agent/Daemon changes.
  • Document expected macOS management workflows so SOC teams can distinguish routine administration from suspicious persistence or execution patterns.
  • Use incident-response playbooks to preserve relevant plist files, process context, and network evidence when suspicious launchctl activity is observed.
Analyst notes and limits

This object is a MITRE detection analytic for macOS. The official description provides the core defensive pattern: correlate suspicious plist changes in LaunchAgents/LaunchDaemons directories with launchctl execution, and treat abnormal executable paths or subsequent network activity as higher risk. No ATT&CK tactics, relationships, aliases, or separate official detection body were supplied.

This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local environment data is required to determine normal launchctl usage, approved management tooling, and alert thresholds.

Official MITRE ATT&CK definition

Analytic 0736

Abuse of launchctl to execute or manage Launch Agents and Daemons. Defender perspective: correlation of suspicious plist file creation or modification in LaunchAgents/LaunchDaemons directories with subsequent execution of the launchctl command. Abnormal executable paths (e.g., /tmp, /Shared) or launchctl activity followed by network connections are highly suspicious.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b7c3cfd7c00ced31...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b7c3cfd7c00c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0736
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use