Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include <code>launchctl load</code>, <code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run commands such as <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> (the <code>%s</code> placeholders are format-string slots the malware fills in with the home directory and plist name) or <code>/bin/launchctl load</code> to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques) The <code>-w</code> flag also overrides the item's <code>Disabled</code> state and persists that change, so the item is loaded again at the next login or boot. <code>load</code> and <code>unload</code> are the legacy subcommands; on current macOS the equivalent operations are <code>launchctl bootstrap</code> and <code>launchctl bootout</code>, so detection logic keyed only on the legacy verbs is incomplete.
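The following is an added example written for this page, not code from MITRE or from any of the cited reports. It parses a launchd property list the way an analyst triaging <code>~/Library/LaunchAgents</code> would, flags the traits that the cited macOS malware samples share (an Apple-looking Label pointing at a binary under the user's Library, started at login and kept alive), and builds the <code>launchctl</code> command lines, both the legacy <code>load</code>/<code>unload</code> form quoted above and the current <code>bootstrap</code>/<code>bootout</code> form, that would execute it. The two plists, the user name <code>alice</code>, the uid 501 and the paths are constructed assumptions.

```python
"""Triage a launchd plist and build the launchctl command lines that would
execute it. Added example for this page; not code from MITRE or any cited
source. Both plists, the user 'alice', uid 501 and the paths are assumptions."""
import plistlib
import re

# Constructed sample resembling a malicious LaunchAgent: Apple-looking Label,
# hidden binary under the user's Library, started at login and kept alive.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updates.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/.hidden/helper</string>
    <string>-d</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign sample for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Directories from which a launchd item's binary is normally expected to run.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")
# Where a binary behind a com.apple.* Label is expected to live.
APPLE_ONLY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def parse_launch_item(data: bytes) -> dict:
    """Extract the fields that matter for triage from a launchd plist."""
    p = plistlib.loads(data)
    # ProgramArguments wins over Program when both are present, as in launchd.
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return {
        "label": p.get("Label", ""),
        "program": args[0] if args else "",
        "args": list(args[1:]),
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
    }


def suspicious_indicators(item: dict) -> list:
    """Return human-readable reasons the item deserves a closer look."""
    reasons = []
    prog = item["program"]
    if not prog:
        reasons.append("no Program or ProgramArguments")
    elif not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {prog}")
    if "/." in prog or prog.startswith(("/tmp/", "/var/tmp/", "/private/tmp/")):
        reasons.append("program in a hidden or temporary directory")
    if re.match(r"com\.apple\.", item["label"]) and not prog.startswith(APPLE_ONLY_PREFIXES):
        reasons.append("Apple-style Label but binary is not Apple-owned")
    if item["run_at_load"] and item["keep_alive"]:
        reasons.append("RunAtLoad and KeepAlive set: starts at login and restarts if killed")
    return reasons


def launchctl_commands(plist_path: str, daemon: bool = False, uid: int = 501) -> dict:
    """Command lines (as argv lists) that execute the item via launchctl.
    load/unload are the legacy subcommands quoted in the cited reports;
    bootstrap/bootout are the current equivalents. Daemons belong to the
    system domain and need root; agents to the user's gui/<uid> domain.
    uid 501 is an assumption (first local user on a default install)."""
    domain = "system" if daemon else f"gui/{uid}"
    return {
        "legacy_load":   ["launchctl", "load", "-w", plist_path],
        "legacy_unload": ["launchctl", "unload", "-w", plist_path],
        "bootstrap":     ["launchctl", "bootstrap", domain, plist_path],
        "bootout":       ["launchctl", "bootout", domain, plist_path],
    }


if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        item = parse_launch_item(data)
        print(name, item["label"], suspicious_indicators(item) or "no indicators")
    path = "/Users/alice/Library/LaunchAgents/com.apple.updates.helper.plist"
    for verb, argv in launchctl_commands(path).items():
        print(f"{verb:14s} {' '.join(argv)}")
```

The heuristics are deliberately simple: the point is that the plist itself, not the launchctl invocation, carries the evidence (Label, program path, RunAtLoad/KeepAlive), so a hunt can parse every file under the LaunchAgents and LaunchDaemons directories offline with <code>plistlib</code> and never needs to run launchctl. On a live host, <code>launchctl list</code> (or <code>launchctl print gui/&lt;uid&gt;</code>) shows what is actually loaded, which catches items bootstrapped from paths outside those directories.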
NIST SP 800-53 controls mapped to this technique:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1569.001 | Launchctl |
AC-03 | Access Enforcement | Protects | T1569.001 | Launchctl |
AC-05 | Separation of Duties | Protects | T1569.001 | Launchctl |
AC-06 | Least Privilege | Protects | T1569.001 | Launchctl |
CM-11 | User-installed Software | Protects | T1569.001 | Launchctl |
CM-05 | Access Restrictions for Change | Protects | T1569.001 | Launchctl |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1569.001 | Launchctl |