MITRE ATT&CK® Technique

T1569.001: Launchctl

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1]

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load, launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons.[2][3]

Domain: Enterprise. ID: T1569.001. Type: Sub-technique. Object version: 1.3.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Launchctl matters because it is a normal macOS service-management utility that can be abused to run programs through launchd, including Launch Agents and Launch Daemons. For leaders, the business issue is not the tool itself but whether the organization can distinguish legitimate Mac administration from suspicious execution on endpoints that may hold executive, developer, finance, or operational access.

Executive priority

Prioritize this where macOS endpoints are material to business operations, privileged administration, software development, or regulated data access. Ask whether SOC and IR teams can produce evidence of launchctl use, associated Launch Agent/Daemon changes, and the user context involved. This technique also supports control discussions around least privilege and user account lifecycle management, since ATT&CK maps User Account Management as a mitigation.

Technical view

This is a macOS execution sub-technique under System Services. Validate monitoring for launchctl invocation, especially load, unload, and start activity, and correlate it with Launch Agent and Launch Daemon paths. Because official ATT&CK detection text is not provided, use the related DET0265 detection strategy as a direction rather than proof of coverage. Relationship context shows multiple macOS malware families using this technique, so detection engineering should focus on behavior and context rather than software names alone.

Likely telemetry

  • macOS process execution events showing launchctl and parent/child process context
  • Command-line arguments or equivalent endpoint telemetry for launchctl subcommands
  • File creation or modification events in Launch Agent and Launch Daemon locations
  • User account, privilege, and session context for the process invoking launchctl
  • Endpoint security alerts or EDR events tied to launchd, Launch Agents, or Launch Daemons

Detection direction

  • Confirm that macOS endpoint telemetry captures launchctl execution with command-line detail and user context.
  • Correlate launchctl activity with new or modified Launch Agents and Launch Daemons rather than alerting on launchctl alone, which is commonly legitimate.
  • Review DET0265, Detection Strategy for System Services: Launchctl, as the ATT&CK-linked detection strategy for this object.
  • Tune for administrative false positives from software management, IT maintenance, and legitimate service operations.
  • Look for unusual parent processes, unexpected users, uncommon paths, or launchctl use near other suspicious macOS activity.
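One way to turn the correlation points above into a triage rule, as an added example that is not part of the ATT&CK object or Glexia's analysis. The event shape, the expected-parent baseline and the sample events are constructed assumptions, and the rule also watches the newer bootstrap/bootout subcommands, which the page does not list.

```python
import shlex
from datetime import datetime, timedelta

# Subcommands named on the page (load/unload/start) plus the newer bootstrap/bootout equivalents.
SERVICE_SUBCOMMANDS = {"load", "unload", "start", "bootstrap", "bootout"}
# Parents that normally drive launchctl on managed Macs (assumed baseline; tune it per fleet).
EXPECTED_PARENTS = {"zsh", "bash", "sh", "Terminal", "jamf", "installer"}
STANDARD_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/", "/System/Library/")
RECENT_WRITE = timedelta(minutes=10)

EVENTS = [  # constructed sample telemetry in a generic exec/file_write shape, not a vendor schema
    {"t": "2024-05-01T10:00:00", "type": "exec", "user": "jsmith", "parent": "zsh",
     "cmd": "/bin/launchctl load -w /Users/jsmith/Library/LaunchAgents/com.example.sync.plist"},
    {"t": "2024-05-01T10:01:10", "type": "file_write", "user": "jsmith",
     "path": "/Users/jsmith/Library/LaunchAgents/com.sample.updater.plist"},
    {"t": "2024-05-01T10:01:12", "type": "exec", "user": "jsmith", "parent": "Preview",
     "cmd": "/bin/launchctl load -w /Users/jsmith/Library/LaunchAgents/com.sample.updater.plist"},
    {"t": "2024-05-01T11:00:00", "type": "exec", "user": "root", "parent": "jamf",
     "cmd": "/bin/launchctl bootstrap system /Library/LaunchDaemons/com.sample.mgmt.plist"},
]

def plist_argument(cmd):
    # Return the service definition path from a launchctl service command line, else None.
    argv = shlex.split(cmd)
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "launchctl" or argv[1] not in SERVICE_SUBCOMMANDS:
        return None
    return next((a for a in argv[2:] if a.endswith(".plist")), None)

def triage(events):
    # Score each launchctl service operation on its surrounding context, not on the tool alone.
    writes = [(datetime.fromisoformat(e["t"]), e["path"]) for e in events if e["type"] == "file_write"]
    findings = []
    for e in events:
        path = plist_argument(e["cmd"]) if e["type"] == "exec" else None
        if path is None:
            continue
        when, reasons = datetime.fromisoformat(e["t"]), []
        if any(p == path and timedelta(0) <= when - wt <= RECENT_WRITE for wt, p in writes):
            reasons.append("service definition written shortly before the launchctl call")
        if e["parent"] not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent process: {e['parent']}")
        if not path.startswith(STANDARD_DIRS + (f"/Users/{e['user']}/Library/LaunchAgents/",)):
            reasons.append("service definition outside the standard Launch Agent/Daemon locations")
        findings.append({"time": e["t"], "user": e["user"], "path": path, "reasons": reasons})
    return findings

def alerts(events, threshold=2):
    # Alert only when several contextual signals stack up; a lone launchctl call is routine.
    return [f for f in triage(events) if len(f["reasons"]) >= threshold]
```

In the sample, only the load driven by an unexpected parent a few seconds after its plist was written crosses the threshold; the interactive shell load and the management-agent bootstrap stay quiet.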

Mitigation priorities

  • Apply User Account Management controls, especially least privilege and disciplined account lifecycle practices for macOS users and administrators.
  • Limit who can create, modify, or load service definitions where business operations allow.
  • Maintain an auditable inventory of expected Launch Agents and Launch Daemons on managed Macs.
  • Ensure incident response playbooks include review of launchctl activity and related launchd service artifacts.
  • Use endpoint management and security monitoring to validate configuration drift on macOS systems.

Analyst notes and limits

ATT&CK identifies this as a macOS execution sub-technique and notes that launchctl interfaces with launchd. The prior revoked technique T1152 included persistence and stealth context, but the current object is scoped to execution under T1569. Relationship context to malware is useful for prioritization but should not be treated as evidence of current activity in a local environment.

Official detection guidance for the technique is not provided in the supplied ATT&CK object. Practical coverage depends on local macOS logging, EDR visibility, command-line capture, file monitoring, and the organization’s baseline of legitimate administrative launchctl use.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain       ID        Name               Relationship / procedure
Enterprise   T1152     Launchctl          T1152 Launchctl was revoked by this object.
Enterprise   T1569     System Services    This object is a sub-technique of System Services.
Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0451: LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

Platforms: macOS, Windows

Malware (Enterprise)

S1153: Cuckoo Stealer

Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs (PUPs) such as converters, cleaners, and uninstallers.[1][2]

Platforms: macOS

Malware (Enterprise)

S0584: AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]

Platforms: Windows, macOS

Malware (Enterprise)

S1048: macOS.OSAMiner

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]

Platforms: macOS

Malware (Enterprise)

S0658: XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]

Platforms: macOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: fe2c372b311b707e...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.3                         Current bundle   fe2c372b311b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Launchctl Man: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
  [2] Sofacy Komplex Trojan: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  [3] 20 macOS Common Tools and Techniques: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  [4] mitre-attack T1569.001: MITRE ATT&CK source object for T1569.001.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.