Mac/Persistence/Local_Job_Scheduling.md

# Local Job Scheduling

MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)

### Cron Job

    echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil

### Emond

Place this file in /etc/emond.d/rules/atomicredteam.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <array>
        <dict>
            <key>name</key>
            <string>atomicredteam</string>
            <key>enabled</key>
            <true/>
            <key>eventTypes</key>
            <array>
                <string>startup</string>
            </array>
            <key>actions</key>
            <array>
                <dict>
                    <key>command</key>
                    <string>/usr/bin/say</string>
                    <key>user</key>
                    <string>root</string>
                    <key>arguments</key>
                        <array>
                            <string>-v Tessa</string>
                            <string>I am a persistent startup item.</string>
                        </array>
                    <key>type</key>
                    <string>RunCommand</string>
                </dict>
            </array>
        </dict>
    </array>
    </plist>

Place an empty file in /private/var/db/emondClients/

    sudo touch /private/var/db/emondClients/randomflag
add emond persistence mechanism 2018-02-13 14:36:59 +11:00			`# Local Job Scheduling`
Initial Commit 2017-10-11 10:35:17 -07:00
			`MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)`

add emond persistence mechanism 2018-02-13 14:36:59 +11:00			`### Cron Job`
Initial Commit 2017-10-11 10:35:17 -07:00
			`echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil`
add emond persistence mechanism 2018-02-13 14:36:59 +11:00
			`### Emond`

minor consistency edit 2018-02-13 14:39:08 +11:00			`Place this file in /etc/emond.d/rules/atomicredteam.plist`
add emond persistence mechanism 2018-02-13 14:36:59 +11:00
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<array>`
			`<dict>`
			`<key>name</key>`
			`<string>atomicredteam</string>`
			`<key>enabled</key>`
			`<true/>`
			`<key>eventTypes</key>`
			`<array>`
			`<string>startup</string>`
			`</array>`
			`<key>actions</key>`
			`<array>`
			`<dict>`
			`<key>command</key>`
			`<string>/usr/bin/say</string>`
			`<key>user</key>`
			`<string>root</string>`
			`<key>arguments</key>`
			`<array>`
			`<string>-v Tessa</string>`
			`<string>I am a persistent startup item.</string>`
			`</array>`
			`<key>type</key>`
			`<string>RunCommand</string>`
			`</dict>`
			`</array>`
			`</dict>`
			`</array>`
			`</plist>`

minor consistency edit 2018-02-13 14:39:08 +11:00			`Place an empty file in /private/var/db/emondClients/`
add emond persistence mechanism 2018-02-13 14:36:59 +11:00
			`sudo touch /private/var/db/emondClients/randomflag`