Try it using Invoke-Atomic

System Services: Launchctl

Description from ATT&CK

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: <code>launchctl load</code>,<code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> or <code>/bin/launchctl load</code> to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Launchctl

Utilize launchctl

Supported Platforms: macos

auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2

Inputs:

Name Description Type Default Value
executable_path Path of the executable to run. Path /System/Applications/Calculator.app/Contents/MacOS/Calculator
label_name Path of the executable to run. String evil

Attack Commands: Run with bash!

1
2
launchctl submit -l #{label_name} -- #{executable_path}

Cleanup Commands:

1
2
launchctl remove #{label_name}

source