T1569.001 Launchctl Mappings

Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agents and Launch Daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

By loading or reloading Launch Agents or Launch Daemons, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)

Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> – /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1569.001 Launchctl
AC-3 Access Enforcement Protects T1569.001 Launchctl
AC-5 Separation of Duties Protects T1569.001 Launchctl
AC-6 Least Privilege Protects T1569.001 Launchctl
CM-11 User-installed Software Protects T1569.001 Launchctl
CM-5 Access Restrictions for Change Protects T1569.001 Launchctl
IA-2 Identification and Authentication (organizational Users) Protects T1569.001 Launchctl