LoFP / Legitimate administration activities are expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent is suspicious.

Techniques

Sample rules

Launch Agent/Daemon Execution Via Launchctl

Description

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Detection logic

condition: selection
selection:
  # any of these launchctl subcommands in the command line ...
  CommandLine|contains:
    - submit
    - load
    - start
  # ... executed by the launchctl binary itself
  Image|endswith: /launchctl
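The selection above, evaluated over constructed macOS process events as an added example (not code from the original rule page); the triage helper, its plist extraction and the per-user LaunchAgents heuristic are assumptions added here to support the false-positive investigation the page calls for:

```python
"""Added example (not from the original rule page): evaluate the
'Launch Agent/Daemon Execution Via Launchctl' Sigma selection over
constructed macOS process events and pull out the plist path for triage."""
import re
from typing import Optional

# Selection from the page: Image endswith /launchctl AND CommandLine
# contains any of these (Sigma string matching is case-insensitive by default).
LAUNCHCTL_VERBS = ("submit", "load", "start")
PLIST_RE = re.compile(r"(\S+\.plist)")


def matches_rule(image: str, command_line: str) -> bool:
    """True when the event satisfies the rule's 'selection'."""
    if not image.lower().endswith("/launchctl"):
        return False
    cmd = command_line.lower()
    # Plain substring test, so 'unload' also matches via 'load'.
    return any(verb in cmd for verb in LAUNCHCTL_VERBS)


def plist_path(command_line: str) -> Optional[str]:
    """First .plist argument on the command line, or None."""
    m = PLIST_RE.search(command_line)
    return m.group(1) if m else None


def triage(image: str, command_line: str) -> dict:
    """Match result plus context an analyst needs to decide whether the
    loaded agent/daemon is legitimate: the plist path and whether it lives
    under a per-user LaunchAgents directory (hypothetical triage heuristic)."""
    hit = matches_rule(image, command_line)
    path = plist_path(command_line) if hit else None
    user_agent = bool(path and path.startswith("/Users/") and "/LaunchAgents/" in path)
    return {"match": hit, "plist": path, "user_launch_agent": user_agent}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("/bin/launchctl", "launchctl load -w /Library/LaunchDaemons/com.example.updater.plist"),
    ("/bin/launchctl", "launchctl unload /Users/alice/Library/LaunchAgents/com.example.sync.plist"),
    ("/bin/launchctl", "launchctl list"),
    ("/usr/bin/open", "open /Applications/Safari.app"),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_EVENTS:
        print(triage(image, cmd), "<-", cmd)
```

Note that `unload` fires the rule because the selection is a substring test on `load`; a tuned version would anchor on the subcommand token.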