T1569.001 Launchctl

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to run commands and programs as Launch Agents (per-user jobs, normally in ~/Library/LaunchAgents or /Library/LaunchAgents) or Launch Daemons (system-wide jobs in /Library/LaunchDaemons). Common subcommands include launchctl load, launchctl unload, and launchctl start. Adversaries can use scripts or manually run commands such as launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load to execute Launch Agents or Launch Daemons; the -w flag overrides the job's Disabled key so the job stays enabled.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques) On macOS 10.10 and later, load and unload are legacy subcommands whose modern equivalents are bootstrap and bootout, so detections keyed only on "launchctl load" miss part of the surface. launchctl itself is a signed Apple binary that administrators use routinely; the signal is in its arguments and, above all, in the property list it is asked to load.
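Because the interesting artifact is the property list rather than the launchctl invocation, the triage step that follows a launchctl alert is to inspect what the plist will actually run. The script below is an added example for this page, not code from MITRE ATT&CK or from any of the cited reports. It parses LaunchAgent/LaunchDaemon plists with the standard library's plistlib and applies a few heuristics an analyst would check: program or argument paths in unusual locations, an interpreter or downloader as the program, an Apple-style label pointing at a non-Apple binary, a hidden plist file name, and RunAtLoad combined with KeepAlive. The heuristic lists and the two sample plists are constructed for illustration and are assumptions, not indicators from any real intrusion.

```python
"""Audit the launchd property lists that launchctl load/bootstrap would start.

Added example for this page, not code from MITRE ATT&CK or a cited report.
The heuristic lists and the sample plists are constructed assumptions.
"""
import os
import plistlib
from pathlib import PurePosixPath
from xml.parsers.expat import ExpatError

# Real launchd search paths; "~" is expanded for the current user.
LAUNCHD_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchAgents")

# Heuristics (assumptions for this example; tune them to your fleet).
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby",
                "osascript", "curl"}
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def audit_plist(data: bytes, filename: str) -> dict:
    """Parse one plist (raw bytes) and return its label, program and findings."""
    pl = plistlib.loads(data)
    if not isinstance(pl, dict):
        raise ValueError("plist root is not a dict")
    label = str(pl.get("Label", ""))
    args = [str(a) for a in pl.get("ProgramArguments", [])]
    # launchd runs Program if present, otherwise ProgramArguments[0].
    program = str(pl.get("Program") or (args[0] if args else ""))
    findings = []
    odd = [a for a in dict.fromkeys([program, *args])
           if a.startswith(UNUSUAL_PREFIXES)]
    if odd:
        findings.append(f"path in unusual location: {odd[0]}")
    if PurePosixPath(program).name in INTERPRETERS:
        findings.append(f"interpreter or downloader as program: {program}")
    if label.startswith("com.apple.") and not program.startswith(APPLE_PREFIXES):
        findings.append(f"Apple-style label {label!r} but program outside Apple paths")
    if PurePosixPath(filename).name.startswith("."):
        findings.append("hidden plist file name")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive (starts at login/boot, respawned)")
    return {"file": filename, "label": label, "program": program,
            "findings": findings}


def audit_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Audit every .plist in the launchd directories present on this host."""
    results = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    results.append(audit_plist(fh.read(), path))
            except (OSError, ValueError, ExpatError) as exc:
                # A plist launchd cannot parse is itself worth a look.
                results.append({"file": path, "label": "", "program": "",
                                "findings": [f"unreadable: {exc}"]})
    return results


# Constructed sample plists (illustrative, not real malware artifacts).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    samples = ((BENIGN_PLIST, "/Library/LaunchAgents/com.example.updater.plist"),
               (SUSPICIOUS_PLIST, "/Users/alice/Library/LaunchAgents/.com.apple.softwareupdate.plist"))
    for data, name in samples:
        print(f"{name}: {audit_plist(data, name)['findings'] or 'no findings'}")
    for r in audit_dirs():  # the real directories, where present
        if r["findings"]:
            print(f"{r['file']}: {r['findings']}")
```

Run it on a macOS host as the user whose agents you want to review (or point audit_dirs at a mounted image) and treat each finding as a lead, not a verdict: many legitimate helpers set RunAtLoad and KeepAlive, so the value is in combining the plist view with the launchctl command line and the parent process that issued it.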


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.AA-01.01 | Identity and credential management | Mitigates | T1569.001 | Launchctl | This diagnostic statement protects against abuse of launchctl through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-05 | Access Restrictions for Change | mitigates | T1569.001 | Launchctl |
CM-11 | User-installed Software | mitigates | T1569.001 | Launchctl |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1569.001 | Launchctl |
AC-02 | Account Management | mitigates | T1569.001 | Launchctl |
AC-03 | Access Enforcement | mitigates | T1569.001 | Launchctl |
AC-05 | Separation of Duties | mitigates | T1569.001 | Launchctl |
AC-06 | Least Privilege | mitigates | T1569.001 | Launchctl |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569.001 | Launchctl |