Find sigma rule
Attack: System Services: Launchctl
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load
,launchctl unload
, and launchctl start
. Adversaries can use scripts or manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s"
or /bin/launchctl load
to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)
MITRE
Tactic
- execution
technique
- T1569.001
Test : Launchctl
OS
- macos
Description:
Utilize launchctl
Executor
bash