Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d)
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: `launchctl load`, `launchctl unload`, and `launchctl start`. Adversaries can use scripts or manually run the commands `launchctl load -w "%s/Library/LaunchAgents/%s"` or `/bin/launchctl load` to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
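The following detection sketch is an added example, not part of the ATT&CK entry. It flags process command lines that invoke launchctl with the subcommands named above, whether called as `launchctl` or `/bin/launchctl`. The sample command lines, the `com.example.*` labels and the function names are constructed assumptions.

```python
import shlex
from pathlib import PurePosixPath

WATCHED = {"load", "unload", "start"}  # subcommands named in the description

# Constructed sample command lines (not real telemetry).
SAMPLE_EVENTS = [
    'launchctl load -w "/Users/alice/Library/LaunchAgents/com.example.agent.plist"',
    "/bin/launchctl load /Library/LaunchDaemons/com.example.daemon.plist",
    "/bin/launchctl start com.example.agent",
    "launchctl list",
    "/bin/launchctl",
    "/usr/bin/open -a Safari",
]

def plist_kind(target):
    """Label a target by the launchd directory it sits in, if any."""
    parts = PurePosixPath(target).parts
    for kind in ("LaunchAgents", "LaunchDaemons"):
        if kind in parts:
            return kind
    return "other"

def classify(cmdline):
    """Return a finding for a watched launchctl invocation, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if not argv or PurePosixPath(argv[0]).name != "launchctl":
        return None
    if len(argv) == 1:
        # Subcommands may arrive interactively or on stdin; argv cannot show them.
        return {"subcommand": None, "targets": [], "kinds": []}
    if argv[1] not in WATCHED:
        return None
    targets = [a for a in argv[2:] if not a.startswith("-")]
    return {"subcommand": argv[1], "targets": targets,
            "kinds": [plist_kind(t) for t in targets]}

def scan(events):
    """Return (cmdline, finding) pairs for every event that matched."""
    return [(e, f) for e in events if (f := classify(e)) is not None]

if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_EVENTS):
        print(finding["subcommand"] or "<stdin/interactive>", finding["kinds"], cmdline)
```

A bare `launchctl` with no arguments is reported with `subcommand` set to `None`, because subcommands supplied interactively or over standard input never appear in the process command line and need a different telemetry source.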
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) | Attack Pattern | 1 |