Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: <code>launchctl load</code>,<code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> or <code>/bin/launchctl load</code> to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1569.001 | Launchctl |
| AC-3 | Access Enforcement | Protects | T1569.001 | Launchctl |
| AC-5 | Separation of Duties | Protects | T1569.001 | Launchctl |
| AC-6 | Least Privilege | Protects | T1569.001 | Launchctl |
| CM-11 | User-installed Software | Protects | T1569.001 | Launchctl |
| CM-5 | Access Restrictions for Change | Protects | T1569.001 | Launchctl |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1569.001 | Launchctl |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1569.001 | System Services: Launchctl |