
T1569.001 - System Services: Launchctl

Description from ATT&CK

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load, launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

Atomic Tests


Atomic Test #1 - Launchctl

Utilize launchctl

Supported Platforms: macOS

auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_path | Path of the executable to run. | path | /System/Applications/Calculator.app/Contents/MacOS/Calculator |
| label_name | Unique label to assign this job to launchd. | string | evil |

Attack Commands: Run with bash!

launchctl submit -l #{label_name} -- #{executable_path}

Cleanup Commands:

launchctl remove #{label_name}
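
Detection-side view of this test, as an added example that is not part of Atomic Red Team: the sketch below parses process command lines and flags the launchctl subcommands that start a job (submit from the atomic test, load and start from the description), extracting the label and target. The function names, the (pid, command line) event shape and the sample events are constructed for illustration; the -S and -D handling assumes the option syntax in the launchctl man page.

```python
import shlex
from pathlib import PurePosixPath

# "load" and "start" are named in the description; "submit" is what the atomic test runs.
EXEC_SUBCOMMANDS = {"submit", "load", "start"}

def parse_launchctl(cmdline):
    """Return a finding for a launchctl execution subcommand, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: argv cannot be recovered
        return None
    # Match on the basename so both "launchctl" and "/bin/launchctl" are caught.
    if len(argv) < 2 or PurePosixPath(argv[0]).name != "launchctl":
        return None
    sub, rest = argv[1], argv[2:]
    if sub not in EXEC_SUBCOMMANDS:
        return None
    finding = {"subcommand": sub, "label": None, "target": None}
    if sub == "submit":
        # submit -l <label> [options] -- <program> [args]; read options only before "--"
        split = rest.index("--") if "--" in rest else len(rest)
        opts, program = rest[:split], rest[split + 1:]
        if "-l" in opts[:-1]:
            finding["label"] = opts[opts.index("-l") + 1]
        finding["target"] = program[0] if program else None
    elif sub == "load":
        # load [-w] [-S type] [-D domain] <plist>; the first positional is the plist
        skip = False
        for arg in rest:
            if skip or arg.startswith("-"):
                skip = not skip and arg in ("-S", "-D")  # these consume a value
                continue
            finding["target"] = arg
            break
    else:  # start <label>
        finding["label"] = rest[0] if rest else None
    return finding

def scan(events):
    hits = ((pid, parse_launchctl(cmd)) for pid, cmd in events)
    return [{"pid": pid, **f} for pid, f in hits if f]

# Constructed process-execution events; the first uses this test's default inputs.
SAMPLE_EVENTS = [
    (501, "launchctl submit -l evil -- /System/Applications/Calculator.app/Contents/MacOS/Calculator"),
    (502, '/bin/launchctl load -w "/Users/test/Library/LaunchAgents/com.example.agent.plist"'),
    (503, "launchctl remove evil"),
    (504, "grep launchctl /var/log/system.log"),
]
```

scan(SAMPLE_EVENTS) returns findings for pids 501 and 502 only; the cleanup command and the grep that merely mentions launchctl are not flagged.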