lsregister #

Created by Brendan Chamberlain (@infosecB)

Description ##

lsregister is used to build, dump, and check the validity of the Launch Services database. This database is often abused to create custom URL scheme handlers that point to malicious apps.

Paths ##

• /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister

Use Cases ##

Force an update of the Launch Services database ##

The -f flag can be used to force an update of the Launch Services database. This can be used to quickly register a custom URL scheme that points to a malicious app.

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -f

Get a list of apps and their bindings ##

The -dump flag can be used to get a list of apps and their bindings

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name: | more"

Delete the Launch Services database ##

The -delete flag can be used to delete the Launch Services database to impact normal operation of the system.

lsregister -delete

Detections ##

• No detections at time of publishing

Resources ##

• Remote Mac Exploitation Via Custom URL Schemes

• macOS Security & Privilege Escalation

Acknowledgements ##

• Patrick Wardle (@patrickwardle)