T1569.001
System Services: Launchctl
Description from ATT&CK
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
Atomic Tests
Atomic Test #1 - Launchctl
Utilize launchctl
Supported Platforms: macos
auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
executable_path | Path of the executable to run. | path | /System/Applications/Calculator.app/Contents/MacOS/Calculator |
label_name | Unique label to assign this job to launchd. | string | evil |
Attack Commands: Run with bash!
1
launchctl submit -l #{label_name} -- #{executable_path}
Cleanup Commands:
1
launchctl remove #{label_name}