T1037.005, T1543.001, T1543.004 Persist Tests Enhancements (#2755)

* add persistence tests

T1037.005, T1543.001, T1543.004

* remove manual guid

* minor fixes

---------

Co-authored-by: kevinmstapleton <kstapleton@octolabs.io>
Co-authored-by: Hare Sudhan <code@0x6c.dev>

atomics/T1037.005/T1037.005.yaml

@@ -5,7 +5,6 @@ atomic_tests:
   auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
   description: |
     Modify or create an file in /Library/StartupItems
-
     [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
   supported_platforms:
   - macos
@@ -16,4 +15,111 @@ atomic_tests:
       sudo rm /Library/StartupItems/EvilStartup.plist
     name: sh
     elevation_required: true
-
+- name: Add launch script to launch daemon
+  auto_generated_guid:
+  description: |
+    Add launch script to /Library/StartupItems to launch agent
+    [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
+  supported_platforms:
+  - macos
+  input_arguments:
+    path_malicious_script:
+      description: Name of script to store in cron folder
+      type: string
+      default: $PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh
+    path_malicious_plist:
+      description: Name of file to store in /tmp
+      type: string
+      default: $PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist
+    path_startup_params:
+      description: Name of plist with startup params
+      type: string
+      default: $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      /Library/StartupItems must exist
+    prereq_command: |
+      if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
+    get_prereq_command: |
+      echo "Failed to create /Library/StartupItems"; exit 1;
+  - description: |
+      The shared library must exist on disk at specified location (#{path_malicious_plist})
+    prereq_command: |
+      if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+  - description: |
+      The startup script must exist on disk at specified location (#{path_malicious_script})
+    prereq_command: |
+      if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "The startup script doesn't exist. Check the path and try again."; exit 1;
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
+      sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
+      sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
+      sudo /Library/StartupItems/atomic.sh start
+    cleanup_command: |
+      sudo launchctl unload /tmp/T1037_005_daemon.plist
+      sudo rm /tmp/T1037_005_daemon.plist
+      sudo rm /Library/StartupItems/atomic.sh
+      sudo rm /Library/StartupItems/StartupParameters.plist
+      sudo rm /tmp/T1037_005_daemon.txt
+- name: Add launch script to launch agent
+  auto_generated_guid:
+  description: |
+    Add launch script to /Library/StartupItems to launch agent
+    [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
+  supported_platforms:
+  - macos
+  input_arguments:
+    path_malicious_script:
+      description: Name of script to store in cron folder
+      type: string
+      default: $PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh
+    path_malicious_plist:
+      description: Name of file to store in /tmp
+      type: string
+      default: $PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist
+    path_startup_params:
+      description: Name of plist with startup params
+      type: string
+      default: $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      /Library/StartupItems must exist
+    prereq_command: |
+      if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
+    get_prereq_command: |
+      echo "Failed to create /Library/StartupItems"; exit 1;
+  - description: |
+      The shared library must exist on disk at specified location (#{path_malicious_plist})
+    prereq_command: |
+      if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+  - description: |
+      The startup script must exist on disk at specified location (#{path_malicious_script})
+    prereq_command: |
+      if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "The startup script doesn't exist. Check the path and try again."; exit 1;
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
+      sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
+      sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
+      /Library/StartupItems/atomic.sh start
+    cleanup_command: |
+      sudo launchctl unload /tmp/T1037_005_agent.plist
+      sudo rm /tmp/T1037_005_agent.plist
+      sudo rm /Library/StartupItems/atomic.sh
+      sudo rm /Library/StartupItems/StartupParameters.plist
+      sudo rm /tmp/T1037_005_agent.txt

atomics/T1037.005/src/StartupParameters.plist

@@ -0,0 +1,12 @@
+
+{
+
+Description = "Start atomic";
+
+Provides = ("atomic");
+
+Requires = ("Network");
+
+OrderPreference = "None";
+
+}

atomics/T1037.005/src/T1037.005_agent.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+. /etc/rc.common
+
+StartService (){
+
+ConsoleMessage "Atomic Test T1037.005 - Agent"
+
+launchctl load -w /tmp/T1037_005_agent.plist
+
+}
+
+StopService (){
+
+return 0
+
+}
+
+RestartService (){
+
+return 0
+
+}
+
+RunService "$1"

atomics/T1037.005/src/T1037.005_daemon.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+. /etc/rc.common
+
+StartService (){
+
+ConsoleMessage "Atomic Test T1037.005 - Daemon"
+
+sudo launchctl load /tmp/T1037_005_daemon.plist
+
+}
+
+StopService (){
+
+return 0
+
+}
+
+RestartService (){
+
+return 0
+
+}
+
+RunService "$1"

atomics/T1037.005/src/T1037_005_agent.plist

@@ -0,0 +1,18 @@
+<!-- Sourced from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/src/atomicredteam_T1543_001.plist -->
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.atomicredteam.T1037.005.agent</string>
+  <key>ProgramArguments</key>
+  <array>
+  <string>touch</string>
+  <string>/tmp/T1037_005_agent.txt</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>NSUIElement</key>
+  <string>1</string>
+</dict>
+</plist>

atomics/T1037.005/src/T1037_005_daemon.plist

@@ -0,0 +1,18 @@
+<!-- Sourced from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/src/atomicredteam_T1543_001.plist -->
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.atomicredteam.T1037.005.daemon</string>
+  <key>ProgramArguments</key>
+  <array>
+  <string>touch</string>
+  <string>/tmp/T1037_005_daemon.txt</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>NSUIElement</key>
+  <string>1</string>
+</dict>
+</plist>

atomics/T1543.001/T1543.001.yaml

@@ -63,3 +63,42 @@ atomic_tests:
     cleanup_command: |-
       sudo rm #{script_destination}
       sudo rm /private/var/db/emondClients/#{empty_file}
+- name: Launch Agent - Root Directory
+  auto_generated_guid: 
+  description: |
+    Create a plist and execute it
+  supported_platforms:
+  - macos
+  input_arguments:
+    plist_filename:
+      description: filename
+      type: string
+      default: com.atomicredteam.T1543.001.plist
+    path_malicious_plist:
+      description: Name of file to store in cron folder
+      type: string
+      default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      /Library/LaunchAgents must exist
+    prereq_command: |
+      if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents; exit 0; fi;
+    get_prereq_command: |
+      echo "Failed to create /Library/LaunchAgents"; exit 1;
+  - description: |
+      The shared library must exist on disk at specified location (#{path_malicious_plist})
+    prereq_command: |
+      if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
+      launchctl load -w /Library/LaunchAgents/#{plist_filename}
+    cleanup_command: |
+      launchctl unload /Library/LaunchAgents/#{plist_filename}
+      sudo rm /Library/LaunchAgents/#{plist_filename}
+      sudo rm /tmp/T1543_001_atomicredteam.txt

atomics/T1543.004/T1543.004.yaml

@@ -34,3 +34,36 @@ atomic_tests:
       sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
       sudo rm /Library/LaunchDaemons/#{plist_filename}
       sudo rm /tmp/T1543_004_atomicredteam.txt
+- name: Launch Daemon - Users Directory
+  auto_generated_guid:
+  description: |
+    Utilize LaunchDaemon in /Users directory  to touch temporary file in /tmp
+  supported_platforms:
+  - macos
+  input_arguments:
+    plist_filename:
+      description: filename
+      type: string
+      default: com.atomicredteam.T1543.004.plist
+    path_malicious_plist:
+      description: Name of file to store in cron folder
+      type: string
+      default: $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      The shared library must exist on disk at specified location (#{path_malicious_plist})
+    prereq_command: |
+      if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
+      sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
+    cleanup_command: |
+      sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
+      sudo rm ~/Library/LaunchDaemons/#{plist_filename}
+      sudo rm /tmp/T1543_004_atomicredteam.txt