T1569.001 Launchctl Mappings

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: <code>launchctl load</code>,<code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> or <code>/bin/launchctl load</code> to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1569.001 Launchctl
AC-03 Access Enforcement Protects T1569.001 Launchctl
AC-05 Separation of Duties Protects T1569.001 Launchctl
AC-06 Least Privilege Protects T1569.001 Launchctl
CM-11 User-installed Software Protects T1569.001 Launchctl
CM-05 Access Restrictions for Change Protects T1569.001 Launchctl
IA-02 Identification and Authentication (organizational Users) Protects T1569.001 Launchctl