lsregister
Created by Brendan Chamberlain (@infosecB)
Description
lsregister builds, dumps, and checks the validity of the Launch Services database. Because that database maps URL schemes (and document types) to the apps that handle them, it is often abused to register custom URL scheme handlers that point to malicious apps.
Created | Tactics | Tags |
---|---|---|
2023-05-15 | Discovery, Impact | |
Paths
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister
Use Cases
Force an update of the Launch Services database
The -f flag forces re-registration of a bundle even if its modification date is unchanged. Passing the path of an app bundle whose Info.plist declares a CFBundleURLTypes entry makes Launch Services pick up the custom URL scheme immediately, instead of waiting for its own scan; this is how a scheme that points to a malicious app is registered quickly.
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -f
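As an added example (not part of the original LOOBins entry), the script below builds a minimal app bundle whose Info.plist claims a custom URL scheme and then force-registers it with -f. The scheme name loobtest, the bundle id com.example.loobtest and the handler's behaviour (it only echoes its arguments) are assumptions for the example. On a host without lsregister the registration step is skipped, so the bundle-building part can still be exercised anywhere.

```shell
#!/bin/sh
# Added example, not code from the LOOBins page. Builds a bundle that claims a
# hypothetical URL scheme and registers it with lsregister -f.
LSREGISTER=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister

# make_url_handler_bundle <bundle_dir> <scheme> <bundle_id>
# Writes Contents/Info.plist with a CFBundleURLTypes entry for <scheme> and a
# trivial executable so the bundle is structurally a valid app.
make_url_handler_bundle() {
    dir=$1; scheme=$2; bid=$3
    name=$(basename "$dir" .app)
    mkdir -p "$dir/Contents/MacOS"
    cat > "$dir/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>$bid</string>
    <key>CFBundleName</key><string>$name</string>
    <key>CFBundleExecutable</key><string>$name</string>
    <key>CFBundlePackageType</key><string>APPL</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key><string>$bid.url</string>
            <key>CFBundleURLSchemes</key>
            <array><string>$scheme</string></array>
        </dict>
    </array>
</dict>
</plist>
EOF
    # Placeholder handler (assumed for the example): just echoes the URL it was given.
    printf '#!/bin/sh\necho "handler invoked with: $*"\n' > "$dir/Contents/MacOS/$name"
    chmod +x "$dir/Contents/MacOS/$name"
}

# register_bundle <bundle_dir>
# Force-registers the bundle and prints "registered" if the Launch Services
# database now lists its path, "missing" if not, "failed" if lsregister
# returned an error, or "skipped" on hosts without lsregister (e.g. Linux).
register_bundle() {
    dir=$1
    if [ ! -x "$LSREGISTER" ]; then
        echo skipped; return 0
    fi
    if ! "$LSREGISTER" -f "$dir" >/dev/null 2>&1; then
        echo failed; return 0
    fi
    if "$LSREGISTER" -dump | grep -qF -- "$dir"; then echo registered; else echo missing; fi
}

# Usage: build the bundle in a scratch directory and register it.
WORK=${WORK:-$(mktemp -d)}
make_url_handler_bundle "$WORK/LoobTest.app" loobtest com.example.loobtest
register_bundle "$WORK/LoobTest.app"
```

On macOS, `open loobtest://hello` afterwards launches the handler, which is the same path a malicious handler would take when a user clicks a crafted link; the claim can also be confirmed with the -dump use case on this page.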
Get a list of apps and their bindings
The -dump flag prints the full contents of the database, including each registered app's path and the bindings (URL schemes and document types) it claims. Filtering the output to the path, name and bindings lines makes it readable; the grep expression and the pager are separate commands.
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name:" | more
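Grepping the dump still leaves the analyst to pair each bindings line with the bundle it belongs to. As an added example (not part of the original LOOBins entry), the script below parses a dump into scheme/handler pairs and flags handlers outside /System and /Applications, which is a triage heuristic assumed for the example rather than a rule from the page. The embedded dump is constructed to mimic the indentation of real output; field names and ordering vary between macOS versions, so the parser keys only on the path:, claim id:, flags: and bindings: lines and treats it as a starting point.

```shell
#!/bin/sh
# Added example, not code from the LOOBins page: audit URL-scheme claims in
# lsregister -dump output.
LSREGISTER=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister

# Constructed sample dump (not captured from a real system). Two bundles: a
# system browser claiming http/https and a hidden app claiming two schemes.
SAMPLE_DUMP='--------------------------------------------------------------------------------
bundle id:            1234
    path:                          /Applications/Safari.app
    name:                          Safari
    identifier:                    com.apple.Safari
    claim id:                      5678
        name:                          Safari URL
        rank:                          Default
        roles:                         Viewer
        flags:                         url-type
        bindings:                      http:, https:
    claim id:                      5679
        name:                          HTML document
        rank:                          Default
        roles:                         Viewer
        flags:                         doc-type
        bindings:                      .html, .htm
--------------------------------------------------------------------------------
bundle id:            2222
    path:                          /Users/alice/Library/Caches/.hidden/Updater.app
    name:                          Updater
    identifier:                    com.example.updater
    claim id:                      3333
        name:                          Updater URL
        rank:                          Default
        roles:                         Viewer
        flags:                         url-type
        bindings:                      zoommtg:, slack:
'

# url_scheme_claims: reads a dump on stdin and prints "<scheme>\t<app path>"
# for every binding of a claim flagged url-type. A claim is buffered until the
# next claim id:/path: line or EOF, so flags:/bindings: order does not matter.
url_scheme_claims() {
    awk '
    /^[ \t]*path:/ {
        flush()
        sub(/^[ \t]*path:[ \t]*/, ""); sub(/ \(0x[0-9a-f]+\)$/, ""); path = $0
    }
    /^[ \t]*claim id:/ { flush() }
    /^[ \t]*flags:/ && /url-type/ { url = 1 }
    /^[ \t]*bindings:/ { sub(/^[ \t]*bindings:[ \t]*/, ""); bind = $0 }
    END { flush() }
    function flush(  n, i, parts) {
        if (url && bind != "") {
            n = split(bind, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (parts[i] ~ /:$/) print parts[i] "\t" path
        }
        url = 0; bind = ""
    }'
}

# flag_unusual_handlers: keeps only scheme/handler pairs whose app lives
# outside /System and /Applications (heuristic assumed for the example).
flag_unusual_handlers() {
    awk -F'\t' '$2 !~ /^\/(System|Applications)\// { print }'
}

# audit [dump_file]: parse a saved dump, else the live database when lsregister
# exists, else the constructed sample.
audit() {
    if [ -n "$1" ]; then
        cat "$1"
    elif [ -x "$LSREGISTER" ]; then
        "$LSREGISTER" -dump
    else
        printf '%s' "$SAMPLE_DUMP"
    fi | url_scheme_claims
}

# Usage: print every flagged handler, e.g. "zoommtg:  /Users/alice/Library/Caches/.hidden/Updater.app"
audit "$@" | flag_unusual_handlers
```

Against a live system, `audit` with no argument reads the current database; handlers in caches, temp directories or user library folders claiming schemes normally owned by well-known apps are worth a closer look.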
Delete the Launch Services database
The -delete flag deletes the Launch Services database, so file and URL associations stop resolving until the database is rebuilt. lsregister is not on the default PATH, so the full path is needed here as in the other use cases. Recovery is a rebuild with -kill followed by a recursive rescan of the standard domains, for example the widely documented `lsregister -kill -r -domain local -domain system -domain user`.
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -delete
Detections
- No detections at time of publishing
Resources
Acknowledgements
- Patrick Wardle (@patrickwardle)