lsregister

Created by Brendan Chamberlain (@infosecB)

Description

lsregister is used to build, dump, and check the validity of the Launch Services database. This database is often abused to create custom URL scheme handlers that point to malicious apps.

Created:  2023-05-15
Tactics:  Discovery, Impact
Tags:

Paths

  • /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister

Use Cases

Force an update of the Launch Services database

The -f flag can be used to force an update of the Launch Services database. This can be used to quickly register a custom URL scheme that points to a malicious app.

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -f

Get a list of apps and their bindings

The -dump flag can be used to get a list of apps and their bindings.

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name: " | more
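As an added example (not part of the original entry), the following Python script audits a -dump listing for URL scheme handlers whose app lives outside the usual application directories, which is the kind of custom handler the description warns about. It relies only on the path: and bindings: lines the grep above already filters on; the sample dump is constructed and abridged, and the exact dump layout differs between macOS versions, so treat the line format as an assumption.

```python
import re
import sys
from collections import defaultdict

# Constructed, abridged sample of `lsregister -dump` output (not a real capture).
SAMPLE_DUMP = """\
--------------------------------------------------------------------------------
bundle id:        1234
path:             /Applications/Safari.app
name:             Safari
identifier:       com.apple.Safari
claim id:         5678
  name:           Web site URL
  bindings:       http:, https:
claim id:         5679
  name:           HTML document
  bindings:       public.html, text/html
--------------------------------------------------------------------------------
bundle id:        2345
path:             /Users/alice/Library/Caches/Updater.app
name:             Updater
identifier:       com.example.updater
claim id:         6789
  name:           Update link
  bindings:       zoommtg:, msteams:
"""

# Assumed locations where a legitimately installed app bundle is expected to live.
TRUSTED_PREFIXES = ("/System/", "/Applications/", "/Library/Apple/")
# A URL scheme binding ends with ':' (e.g. "https:"); UTIs and MIME types do not.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.IGNORECASE)


def parse_scheme_handlers(dump_text):
    """Map each URL scheme to the app bundle paths that claim it."""
    handlers = defaultdict(list)
    current_path = None
    for line in dump_text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "path":
            current_path = value            # bindings below belong to this bundle
        elif key == "bindings" and current_path:
            for binding in (b.strip() for b in value.split(",")):
                if SCHEME_RE.match(binding) and current_path not in handlers[binding]:
                    handlers[binding].append(current_path)
    return dict(handlers)


def suspicious_handlers(handlers, trusted=TRUSTED_PREFIXES):
    """Return sorted (scheme, path) pairs whose handler is outside trusted locations."""
    return sorted((s, p) for s, paths in handlers.items() for p in paths
                  if not p.startswith(trusted))


if __name__ == "__main__":
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for scheme, path in suspicious_handlers(parse_scheme_handlers(text)):
        print(f"{scheme:<12} -> {path}")
```

Piping real output into it (lsregister -dump | python3 audit.py) lists every scheme handled from a user-writable or otherwise unexpected path.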

Delete the Launch Services database

The -delete flag can be used to delete the Launch Services database to impact normal operation of the system.

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -delete

Detections

  • No detections at time of publishing

Resources

Acknowledgements

  • Patrick Wardle (@patrickwardle)