Created by Brendan Chamberlain (@infosecB)
lsregister is used to build, dump, and check the validity of the Launch Services database, the store that maps file types and URL schemes to the apps that handle them. Because any registered app can claim a custom URL scheme, this database is often abused to create custom URL scheme handlers that point to malicious apps, so that opening a crafted URL launches the attacker's bundle.
Force an update of the Launch Services database
The -f flag forces an update of the Launch Services database entries for the given path(s), for example lsregister -f /path/to/App.app. An attacker can use it to immediately register an app bundle whose Info.plist declares a custom URL scheme (CFBundleURLTypes) pointing at a malicious app, rather than waiting for Launch Services to discover the bundle on its own.
Get a list of apps and their bindings
The -dump flag prints every registered bundle together with its claims (file types and URL schemes). Filtering the output for path:, name: and bindings: lines shows which app is bound to which scheme; the pager belongs outside the quotes so that it is not treated as part of the pattern:
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name:" | more
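The two use cases above as one worked example. This is an added illustration, not code from the original entry or its author: it builds a minimal app bundle that claims a hypothetical demo: URL scheme, registers it with -f, and then filters lsregister -dump for whichever bundle is bound to a given scheme. The bundle name, bundle identifier, scheme and the dump excerpt are all constructed for the example; the excerpt only approximates the layout of real -dump output (indentation simplified) so the audit function can be exercised without macOS. The registration steps only run on macOS when the script is started with --live.

```shell
#!/bin/sh
# Added example (not from the original LOOBins entry). Assumes macOS and the
# lsregister path shown on the page; the sample dump below is constructed.
LSREGISTER=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister

# Write a minimal app bundle that claims a custom URL scheme. Bundle name,
# bundle identifier and scheme are hypothetical. Only Info.plist matters to
# Launch Services for the claim; the stub executable is never run here.
make_bundle() {
  app="$1"; scheme="$2"
  mkdir -p "$app/Contents/MacOS"
  cat > "$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demohandler</string>
  <key>CFBundleName</key><string>DemoHandler</string>
  <key>CFBundleExecutable</key><string>DemoHandler</string>
  <key>CFBundlePackageType</key><string>APPL</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Demo URL</string>
      <key>CFBundleURLSchemes</key><array><string>$scheme</string></array>
    </dict>
  </array>
</dict>
</plist>
EOF
  printf '#!/bin/sh\nexit 0\n' > "$app/Contents/MacOS/DemoHandler"
  chmod +x "$app/Contents/MacOS/DemoHandler"
}

# Force (re-)registration of one bundle: the -f step from the page.
register_bundle() { "$LSREGISTER" -f "$1"; }

# Audit: read `lsregister -dump` on stdin and print "scheme<TAB>path" for every
# bundle whose bindings claim exactly that scheme. The most recent "path:" line
# is remembered because bindings appear in claim sub-blocks below it.
scheme_handlers() {
  awk -v scheme="$1" '
    /^[[:space:]]*path:/ { sub(/^[[:space:]]*path:[[:space:]]*/, ""); path = $0 }
    /^[[:space:]]*bindings:/ {
      sub(/^[[:space:]]*bindings:[[:space:]]*/, "")
      n = split($0, b, /,[[:space:]]*/)
      for (i = 1; i <= n; i++) if (b[i] == scheme ":") print scheme "\t" path
    }
  '
}

# Constructed excerpt in the shape of `lsregister -dump` output (not a real
# capture). A browser claiming http/https sits next to a bundle in a user
# writable location claiming the hypothetical demo: scheme.
SAMPLE_DUMP='--------------------------------------------------------------------------------
bundle id:            1234
    path:                 /Applications/Safari.app
    name:                 Safari
    claim id:             1240
        name:                 Web site URL
        bindings:             http:, https:
--------------------------------------------------------------------------------
bundle id:            5678
    path:                 /Users/demo/Library/Application Support/Updater/DemoHandler.app
    name:                 DemoHandler
    claim id:             5680
        name:                 Demo URL
        bindings:             demo:
'

# Run the audit over the constructed excerpt for a given scheme.
audit_sample() { printf '%s' "$SAMPLE_DUMP" | scheme_handlers "$1"; }

# Live path (macOS only): build and register the bundle, then find its scheme.
if [ "${1:-}" = "--live" ] && [ -x "$LSREGISTER" ]; then
  make_bundle "$HOME/DemoHandler.app" demo
  register_bundle "$HOME/DemoHandler.app"
  "$LSREGISTER" -dump | scheme_handlers demo
fi
```

Running audit_sample demo on the constructed excerpt prints the DemoHandler.app path; in a real investigation, pipe the actual -dump output into scheme_handlers and treat any scheme handler that resolves to a bundle under a user-writable directory as worth a closer look, since that is exactly what a malicious -f registration leaves behind.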
Delete the Launch Services database
The -delete flag deletes the Launch Services database. This removes every registered app, file type and URL scheme association and disrupts normal operation of the system until the database is rebuilt.
- No detections at time of publishing
- Patrick Wardle (@patrickwardle)