Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which manages [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, but it can also execute other commands or programs itself. Launchctl accepts subcommands on the command line, interactively, or redirected from standard input.(Citation: Launchctl Man) By loading or reloading Launch Agents or Launch Daemons, adversaries can install persistence or execute changes they have made.(Citation: Sofacy Komplex Trojan)
Running a command from launchctl is as simple as `launchctl submit -l <label> -- /Path/to/thing/to/execute "arg" "arg" "arg"`, where `<label>` is an arbitrary name for the launchd job. Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process. Note that the submitted program is spawned by launchd (PID 1), not by the shell that invoked launchctl, so its parent process does not point back at the adversary's session.
Utilize launchctl
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
executable_path | Path of the executable to run. | path | /System/Applications/Calculator.app/Contents/MacOS/Calculator |
label_name | Label assigned to the submitted launchd job (used again to remove it). | string | evil |
Attack command (run with `sh`):

```sh
launchctl submit -l #{label_name} -- #{executable_path}
```

Cleanup command:

```sh
launchctl remove #{label_name}
```
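The detection side of the technique described above and exercised by the atomic test, as an added example that is not part of the ATT&CK page or of Atomic Red Team: a POSIX sh script that hunts process-execution telemetry for launchctl invocations whose subcommand makes launchd run something (`submit`, `load`, `bootstrap`, `start`, `kickstart`), pulls out the label and target, checks whether the target lives in a user-writable location, and then correlates it with the process launchd actually spawned. The record format and every event in `SAMPLE_EVENTS` are constructed for this demo (they are not output of any real EDR or of the macOS unified log), and the user-writable prefix list is illustrative.

```shell
#!/bin/sh
# Added example (not from the ATT&CK page or Atomic Red Team).
# Constructed telemetry, one record per line: timestamp|pid|ppid|user|command line
SAMPLE_EVENTS='2024-05-01T10:00:01|501|400|alice|/bin/zsh -c ls
2024-05-01T10:00:05|512|400|alice|launchctl submit -l evil -- /Users/alice/Downloads/payload arg1 arg2
2024-05-01T10:00:05|513|1|alice|/Users/alice/Downloads/payload arg1 arg2
2024-05-01T10:01:10|520|400|alice|launchctl load -w /Users/alice/Library/LaunchAgents/com.example.updater.plist
2024-05-01T10:02:00|530|400|alice|launchctl list
2024-05-01T10:03:00|540|1|root|/usr/libexec/xpcproxy com.apple.example'

sample_events() { printf '%s\n' "$SAMPLE_EVENTS"; }

# Reads records on stdin; prints "pid|subcommand|label|target" for every launchctl
# call whose subcommand causes launchd to execute or load a job. label is "-" when
# the subcommand takes none. Only subcommands documented in launchctl(1) are matched.
launchctl_exec_events() {
    while IFS='|' read -r ts pid ppid user cmd; do
        case "$cmd" in
            launchctl\ *|*/launchctl\ *) ;;
            *) continue ;;
        esac
        set -- $cmd           # word-split the command line (demo only: real args may contain spaces)
        shift                 # drop the program name
        sub=$1; shift
        label=-; target=-
        case "$sub" in
            submit)
                # submit -l label [...] -- command [args]: the target follows "--"
                while [ $# -gt 0 ]; do
                    case "$1" in
                        -l) [ $# -ge 2 ] || break
                            label=$2; shift 2 ;;
                        --) target=${2:-}; break ;;
                        *)  shift ;;
                    esac
                done ;;
            load|bootstrap|start|kickstart)
                # the last argument is the plist path, service target, or label
                while [ $# -gt 1 ]; do shift; done
                target=${1:-} ;;
            *) continue ;;
        esac
        printf '%s|%s|%s|%s\n' "$pid" "$sub" "$label" "$target"
    done
}

# Reads records on stdin; prints the pid of each process whose parent is launchd
# (pid 1) and whose command line starts with the given executable. A job submitted
# through launchctl is spawned by launchd, not by the caller's shell, so a rule
# that only inspects children of the interactive shell never sees it.
launchd_children_of() {
    exe=$1
    while IFS='|' read -r ts pid ppid user cmd; do
        [ "$ppid" = 1 ] || continue
        case "$cmd" in
            "$exe"|"$exe "*) printf '%s\n' "$pid" ;;
        esac
    done
}

# Returns 0 when the path is somewhere an unprivileged user can write (a typical
# drop location for a payload or plist), 1 otherwise. Illustrative prefix list.
user_writable_path() {
    case "$1" in
        /Users/*|/tmp/*|/private/tmp/*|/var/folders/*|/private/var/folders/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each risky launchctl call with its target's trust and the launchd-spawned pids.
sample_events | launchctl_exec_events | while IFS='|' read -r pid sub label target; do
    kids=$(sample_events | launchd_children_of "$target" | tr '\n' ' ')
    if user_writable_path "$target"; then trust=user-writable; else trust=system-path; fi
    printf 'pid %s: launchctl %s label=%s target=%s [%s] launchd-spawned pids: %s\n' \
        "$pid" "$sub" "$label" "$target" "$trust" "${kids:-none}"
done
```

Against the constructed events the script flags the `submit` (label `evil`, target under `/Users`, correlated to pid 513 spawned by launchd) and the `load` of a plist in the user's `LaunchAgents` directory, while ignoring `launchctl list`. In a real deployment the same logic runs over whatever process-start source the host provides; the correlation step is the part most detections omit.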