CircleCI Atomic Red Team doc generator
28 lines
1.2 KiB
Markdown
28 lines
1.2 KiB
Markdown
# T1152 - Launchctl
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1152)
|
|
<blockquote>Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.
|
|
|
|
Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Launchctl](#atomic-test-1---launchctl)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Launchctl
|
|
Utilize launchctl
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
|
|
```
|
|
|
|
|
|
|
|
<br/>
|