T1569.001 - System Services: Launchctl
Description from ATT&CK
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: `launchctl load`, `launchctl unload`, and `launchctl start`. Adversaries can use scripts or manually run the commands `launchctl load -w "%s/Library/LaunchAgents/%s"` or `/bin/launchctl load` to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
Atomic Tests
Atomic Test #1 - Launchctl
Utilize launchctl
Supported Platforms: macOS
auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
executable_path | Path of the executable to run. | path | /System/Applications/Calculator.app/Contents/MacOS/Calculator |
label_name | Unique label to assign this job to launchd. | string | evil |
Attack Commands: Run with bash!
launchctl submit -l #{label_name} -- #{executable_path}
Cleanup Commands:
launchctl remove #{label_name}
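
For validating that the test above is visible in process telemetry, the following added example (not part of the Atomic Red Team test or the ATT&CK entry) classifies logged command lines for the launchctl subcommands this page names. The finding field names, the `classify`/`scan` helpers and the sample command lines are constructed for illustration.

```python
import shlex

# Subcommands named on this page: load/unload/start (description), submit/remove (atomic test).
WATCHED = {"load", "unload", "start", "submit", "remove"}

def classify(cmdline):
    """Return a finding for a watched launchctl invocation, or None for anything else."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        argv = cmdline.split()
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "launchctl" or argv[1] not in WATCHED:
        return None
    sub, rest = argv[1], argv[2:]
    finding = {"subcommand": sub, "label": None, "target": None, "reasons": []}
    if sub == "submit":  # launchctl submit -l <label> -- <program> [args]
        if "-l" in rest[:-1]:
            finding["label"] = rest[rest.index("-l") + 1]
        if "--" in rest[:-1]:
            finding["target"] = rest[rest.index("--") + 1]
        finding["reasons"].append("job submitted without a plist")
    elif sub in ("load", "unload"):
        paths = [a for a in rest if not a.startswith("-")]
        finding["target"] = paths[0] if paths else None
        if "-w" in rest:
            finding["reasons"].append("-w overrides the Disabled key")
        if finding["target"] and "/Library/Launch" in finding["target"]:
            finding["reasons"].append("plist under a LaunchAgents/LaunchDaemons directory")
    else:  # start / remove take a job label
        finding["label"] = rest[0] if rest else None
    return finding

# Constructed sample command lines (not captured from a real host).
SAMPLE = [
    "launchctl submit -l evil -- /System/Applications/Calculator.app/Contents/MacOS/Calculator",
    '/bin/launchctl load -w "/Users/test/Library/LaunchAgents/com.example.agent.plist"',
    "launchctl list",
    "/usr/bin/open -a Calculator",
    "launchctl remove evil",
]

def scan(lines):
    """Pair each matching command line with its finding."""
    return [(line, f) for line in lines if (f := classify(line)) is not None]

if __name__ == "__main__":
    for line, f in scan(SAMPLE):
        print(f["subcommand"], f["label"], f["target"], "; ".join(f["reasons"]))
```

Matching on the binary's basename catches both `launchctl` and `/bin/launchctl`; the cleanup command's `remove` is reported as well so the test's start and end can be paired by label.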