Summary

Use the LaunchServices API to run applications and binaries out of PID 1 (launchd). Works as a PPID spoof to evade process-tree detections.
  • Needs Admin: False
  • Version: 1
  • Author: @coolcoolnoworries

Arguments

application

  • Description: Path to the target application/binary
  • Required Value: True
  • Default Value: None

hideApp

  • Description: If true, launch the application with the kLSLaunchAndHide flag set. If false, use the kLSLaunchDefaults flag.
  • Required Value: False
  • Default Value: None

appArgs

  • Description: Arguments to pass to application/binary
  • Required Value: True
  • Default Value: None

Usage

lsopen -application "/sbin/ping" -hideApp false -appArgs 8.8.8.8 -t 47

MITRE ATT&CK Mapping

  • T1036.009

Detailed Summary

The lsopen command uses the LaunchServices API to run applications and binaries directly out of PID 1 (launchd), the macOS equivalent of explorer.exe on Windows. Where the “shell” and “run” commands spawn processes directly as children of the agent, lsopen can be used as a form of PPID spoofing. This is especially helpful for evading detections built around unusual process trees. Note that application/binary output is not accessible when run through lsopen, since the parent process is no longer the poseidon payload. If the application/binary has an output argument (like nmap -o), that can be used as a workaround for this limitation.
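From the defender's side, the consequence of the above is that a rule which only walks parent PIDs never sees the agent: the spawned process is a child of launchd like any daemon. The following added example (not part of Poseidon or the lsopen command) sketches the complementary check over constructed process-start records: a PID-1 child that is neither a registered launchd job nor an executable from a location launchd normally starts from is flagged. The field names, the path allowlist and the optional responsible_pid field are assumptions about what a sensor might expose, not a real event schema.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Illustrative allowlist: locations from which launchd itself routinely starts
# executables (system daemons and agents, bundled applications).
LAUNCHD_MANAGED_PREFIXES = (
    "/System/", "/usr/libexec/", "/usr/sbin/", "/Library/Apple/", "/Applications/",
)

@dataclass(frozen=True)
class ProcEvent:
    """Constructed process-start record (assumed schema, not a real sensor format)."""
    pid: int
    ppid: int
    path: str
    args: tuple
    launchd_label: Optional[str] = None    # set when launchd started it from a job
    responsible_pid: Optional[int] = None  # "responsible process", if the sensor reports one

def suspicious_launchd_child(ev: ProcEvent) -> Optional[str]:
    """Return a reason if a PID-1 child looks like a LaunchServices-injected run, else None."""
    if ev.ppid != 1:
        return None                        # ordinary tree; normal parent/child rules apply
    if ev.launchd_label:
        return None                        # a registered launchd job, expected under PID 1
    if ev.path.startswith(LAUNCHD_MANAGED_PREFIXES):
        return None                        # something launchd starts on its own anyway
    reason = f"ppid=1 without launchd job: {ev.path}"
    # A responsible-process field, when present and not launchd or the process itself,
    # is the best hint a sensor gives about who actually asked for the launch.
    if ev.responsible_pid not in (None, 1, ev.pid):
        reason += f" (responsible pid {ev.responsible_pid}, likely the real launcher)"
    return reason

def triage(events: Iterable[ProcEvent]) -> list[tuple[int, str]]:
    """Run the check over a batch and return (pid, reason) pairs for the hits."""
    return [(e.pid, r) for e in events if (r := suspicious_launchd_child(e))]

# Constructed sample: one launchd-managed daemon, one user-opened application,
# and a ping started through LaunchServices by an assumed agent process 880,
# mirroring the usage line above (parent shows as PID 1, not the agent).
SAMPLE_EVENTS = [
    ProcEvent(101, 1, "/usr/libexec/trustd", ("trustd",), launchd_label="com.apple.trustd"),
    ProcEvent(512, 1, "/Applications/Safari.app/Contents/MacOS/Safari", ("Safari",)),
    ProcEvent(903, 1, "/sbin/ping", ("ping", "8.8.8.8", "-t", "47"), responsible_pid=880),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the ping record is reported; the daemon and Safari both have launchd as parent yet pass because one is a registered job and the other lives where launchd normally starts applications from.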