Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Launch Agent/Daemon Execution Via Launchctl

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Pratinav ChandraCreated Mon May 13ae9d710f-dcd1-4f75-a0a5-93a73b5dda0emacos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '/launchctl'
        CommandLine|contains:
            - 'submit'
            - 'load'
            - 'start'
    condition: selection
False Positives

Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.

References
1
Resolving title…
github.com
2
Resolving title…
sentinelone.com
3
Resolving title…
welivesecurity.com
4
Resolving title…
trendmicro.com
5
Resolving title…
loobins.io
MITRE ATT&CK
Rule Metadata
Rule ID
ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
Status
test
Level
medium
Type
Detection
Created
Mon May 13
Author
Pratinav Chandra
Path
rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
Raw Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1569.001attack.t1543.001attack.t1543.004
View on GitHub