launchctl #

Created by Josh Carullo

Description ##

launchctl can be used to load, start, stop, and unload macOS services. It is a command-line frontend to launchd.

Paths ##

• /bin/launchctl

Use Cases ##

Use launchctl to execute an application ##

A oneliner that will load a plist as a LaunchAgent or LaunchDaemon, achieving persistence on a target machine. This command requires root privileges.

sudo launchctl load /Library/LaunchAgent/com.apple.installer

Detections ##

• LaunchAgents and LaunchDaemons must have a plist file on disk in the root, system, or user Library directory. Monitoring for plist’s with executables located in /tmp or /Shared could identify suspicious applications.

Resources ##

• 20 Common Tools & Techniques used by macOS threat Actors & Malware

• Mitre Attack Technique: launchctl T1569