MITRE ATT&CK Technique
Defense Evasion T1152
Description

Launchctl controls the macOS launchd process, which handles things like launch agents and launch daemons, but it can also execute other commands or programs itself. Launchctl supports taking subcommands on the command line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges. Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Launchctl controls the macOS launchd process which handles '
                'things like launch agents and launch daemons, but can execute '
                'other commands or programs itself. Launchctl supports taking '
                'subcommands on the command-line, interactively, or even '
                'redirected from standard input. By loading or reloading '
                'launch agents or launch daemons, adversaries can install '
                'persistence or execute changes they made  (Citation: Sofacy '
                'Komplex Trojan). Running a command from launchctl is as '
                'simple as <code>launchctl submit -l <labelName> -- '
                '/Path/to/thing/to/execute "arg" "arg" "arg"</code>. Loading, '
                'unloading, or reloading launch agents or launch daemons can '
                'require elevated privileges. \n'
                '\n'
                'Adversaries can abuse this functionality to execute code or '
                'even bypass whitelisting if launchctl is an allowed process.',
 'external_references': [{'external_id': 'T1152',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1152'},
                         {'description': 'Dani Creus, Tyler Halfpop, Robert '
                                         'Falcone. (2016, September 26). '
                                         "Sofacy's 'Komplex' OS X Trojan. "
                                         'Retrieved July 8, 2017.',
                          'source_name': 'Sofacy Komplex Trojan',
                          'url': 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/'}],
 'id': 'attack-pattern--53bfc8bf-8f76-4cd7-8958-49a884ddb3ee',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:48.110Z',
 'name': 'Launchctl',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.1'}