Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agents and Launch Daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
By loading or reloading Launch Agents or Launch Daemons, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)
Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> – /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1569.001 | Launchctl |
| AC-3 | Access Enforcement | Protects | T1569.001 | Launchctl |
| AC-5 | Separation of Duties | Protects | T1569.001 | Launchctl |
| AC-6 | Least Privilege | Protects | T1569.001 | Launchctl |
| CM-11 | User-installed Software | Protects | T1569.001 | Launchctl |
| CM-5 | Access Restrictions for Change | Protects | T1569.001 | Launchctl |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1569.001 | Launchctl |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569.001 | System Services: Launchctl |