Launchctl - T1152 (53bfc8bf-8f76-4cd7-8958-49a884ddb3ee)
Launchctl controls the macOS launchd process, which handles things like launch agents and launch daemons, but it can also execute other commands or programs itself. Launchctl supports taking subcommands on the command line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as launchctl submit -l
. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.
Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) | Attack Pattern | Launchctl - T1152 (53bfc8bf-8f76-4cd7-8958-49a884ddb3ee) | Attack Pattern | 1 |
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) | Attack Pattern | 2 |