From 006e4c7057d715f475d1b22005bf5aef4964fab2 Mon Sep 17 00:00:00 2001
From: Kevin Stapleton <59635226+kevinmstapleton@users.noreply.github.com>
Date: Thu, 4 Jul 2024 23:41:34 -0500
Subject: [PATCH] T1037.005, T1543.001, T1543.004 Persist Tests Enhancements (#2755)
* add persistence tests T1037.005, T1543.001, T1543.004
* remove manual guid
* minor fixes
---------
Co-authored-by: kevinmstapleton
Co-authored-by: Hare Sudhan
---
 atomics/T1037.005/T1037.005.yaml | 110 +++++++++++++++++-
 atomics/T1037.005/src/StartupParameters.plist | 12 ++
 atomics/T1037.005/src/T1037.005_agent.sh | 25 ++++
 atomics/T1037.005/src/T1037.005_daemon.sh | 25 ++++
 atomics/T1037.005/src/T1037_005_agent.plist | 18 +++
 atomics/T1037.005/src/T1037_005_daemon.plist | 18 +++
 atomics/T1543.001/T1543.001.yaml | 39 +++++++
 atomics/T1543.004/T1543.004.yaml | 33 ++++++
 8 files changed, 278 insertions(+), 2 deletions(-)
 create mode 100644 atomics/T1037.005/src/StartupParameters.plist
 create mode 100755 atomics/T1037.005/src/T1037.005_agent.sh
 create mode 100755 atomics/T1037.005/src/T1037.005_daemon.sh
 create mode 100644 atomics/T1037.005/src/T1037_005_agent.plist
 create mode 100644 atomics/T1037.005/src/T1037_005_daemon.plist
diff --git a/atomics/T1037.005/T1037.005.yaml b/atomics/T1037.005/T1037.005.yaml
index 9683bad6..c32ce98c 100644
--- a/atomics/T1037.005/T1037.005.yaml
+++ b/atomics/T1037.005/T1037.005.yaml
@@ -5,7 +5,6 @@ atomic_tests:
 auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
 description: |
 Modify or create an file in /Library/StartupItems
- [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
 supported_platforms: - macos
@@ -16,4 +15,111 @@ atomic_tests:
 sudo rm /Library/StartupItems/EvilStartup.plist
 name: sh
 elevation_required: true
-
+- name: Add launch script to launch daemon
+ auto_generated_guid:
+ description: |
+ Add launch script to /Library/StartupItems to launch agent
+ [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
+ supported_platforms:
+ - macos
+ input_arguments:
+ path_malicious_script:
+ description: Name of script to store in cron folder
+ type: string
+ default: $PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh
+ path_malicious_plist:
+ description: Name of file to store in /tmp
+ type: string
+ default: $PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist
+ path_startup_params:
+ description: Name of plist with startup params
+ type: string
+ default: $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ /Library/StartupItems must exist
+ prereq_command: |
+ if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
+ get_prereq_command: |
+ echo "Failed to create /Library/StartupItems"; exit 1;
+ - description: |
+ The shared library must exist on disk at specified location (#{path_malicious_plist})
+ prereq_command: |
+ if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+ - description: |
+ The startup script must exist on disk at specified location (#{path_malicious_script})
+ prereq_command: |
+ if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The startup script doesn't exist. Check the path and try again."; exit 1;
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
+ sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
+ sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
+ sudo /Library/StartupItems/atomic.sh start
+ cleanup_command: |
+ sudo launchctl unload /tmp/T1037_005_daemon.plist
+ sudo rm /tmp/T1037_005_daemon.plist
+ sudo rm /Library/StartupItems/atomic.sh
+ sudo rm /Library/StartupItems/StartupParameters.plist
+ sudo rm /tmp/T1037_005_daemon.txt
+- name: Add launch script to launch agent
+ auto_generated_guid:
+ description: |
+ Add launch script to /Library/StartupItems to launch agent
+ [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
+ supported_platforms:
+ - macos
+ input_arguments:
+ path_malicious_script:
+ description: Name of script to store in cron folder
+ type: string
+ default: $PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh
+ path_malicious_plist:
+ description: Name of file to store in /tmp
+ type: string
+ default: $PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist
+ path_startup_params:
+ description: Name of plist with startup params
+ type: string
+ default: $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ /Library/StartupItems must exist
+ prereq_command: |
+ if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
+ get_prereq_command: |
+ echo "Failed to create /Library/StartupItems"; exit 1;
+ - description: |
+ The shared library must exist on disk at specified location (#{path_malicious_plist})
+ prereq_command: |
+ if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+ - description: |
+ The startup script must exist on disk at specified location (#{path_malicious_script})
+ prereq_command: |
+ if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The startup script doesn't exist. Check the path and try again."; exit 1;
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
+ sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
+ sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
+ /Library/StartupItems/atomic.sh start
+ cleanup_command: |
+ sudo launchctl unload /tmp/T1037_005_agent.plist
+ sudo rm /tmp/T1037_005_agent.plist
+ sudo rm /Library/StartupItems/atomic.sh
+ sudo rm /Library/StartupItems/StartupParameters.plist
+ sudo rm /tmp/T1037_005_agent.txt
\ No newline at end of file
diff --git a/atomics/T1037.005/src/StartupParameters.plist b/atomics/T1037.005/src/StartupParameters.plist
new file mode 100644
index 00000000..d08e7d72
--- /dev/null
+++ b/atomics/T1037.005/src/StartupParameters.plist
@@ -0,0 +1,12 @@
+
+{
+
+Description = "Start atomic";
+
+Provides = ("atomic");
+
+Requires = ("Network");
+
+OrderPreference = "None";
+
+}
\ No newline at end of file
diff --git a/atomics/T1037.005/src/T1037.005_agent.sh b/atomics/T1037.005/src/T1037.005_agent.sh
new file mode 100755
index 00000000..1a4fff61
--- /dev/null
+++ b/atomics/T1037.005/src/T1037.005_agent.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+. /etc/rc.common
+
+StartService (){
+
+ConsoleMessage "Atomic Test T1037.005 - Agent"
+
+launchctl load -w /tmp/T1037_005_agent.plist
+
+}
+
+StopService (){
+
+return 0
+
+}
+
+RestartService (){
+
+return 0
+
+}
+
+RunService "$1"
\ No newline at end of file
diff --git a/atomics/T1037.005/src/T1037.005_daemon.sh b/atomics/T1037.005/src/T1037.005_daemon.sh
new file mode 100755
index 00000000..b11ed650
--- /dev/null
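Review bot: The `/Library/StartupItems must exist` dependency in both new tests has its roles inverted: `prereq_command` itself runs `mkdir /Library/StartupItems` (without sudo, so it fails for a non-root user) and then `exit 0` regardless, while `get_prereq_command` only echoes, so a missing directory is reported as satisfied and the executor's `sudo cp` fails later. Swap them to `prereq_command: if [ -d /Library/StartupItems ]; then exit 0; else exit 1; fi;` and `get_prereq_command: sudo mkdir -p /Library/StartupItems`. In the agent test the job is loaded into the user's domain by the script (`launchctl load -w`, no sudo) but the cleanup runs `sudo launchctl unload`, which targets root's domain and leaves the agent loaded; drop the sudo there and use `launchctl unload -w` so the override that `-w` persisted is cleared too. The argument descriptions look copy-pasted (`Name of script to store in cron folder`, `The shared library must exist`), and the daemon test's description says it launches an agent. Current macOS no longer runs SystemStarter items at boot, so as far as I can tell the startup item is exercised only because the executor calls `atomic.sh start` directly; the description should say that so detection engineers know which artifact to key on.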
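Review bot: `StartService` in T1037.005_agent.sh gives no indication when `/tmp/T1037_005_agent.plist` is absent — the exit status of `launchctl load -w` is not checked and nothing in the script reports it, so a failed copy step in the atomic surfaces only as a missing `/tmp/T1037_005_agent.txt`. Guard it before the load: `[ -f /tmp/T1037_005_agent.plist ] || { ConsoleMessage "T1037.005 agent plist missing"; return 1; }`. The /tmp path is also hard-coded here and duplicated in the yaml executor's `cp` target; a comment such as `# must match the cp destination in T1037.005.yaml` would keep the two from drifting. `ConsoleMessage` and `RunService` presumably come from /etc/rc.common, which is worth stating in a header comment since that file is not in the repo.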
+++ b/atomics/T1037.005/src/T1037.005_daemon.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+. /etc/rc.common
+
+StartService (){
+
+ConsoleMessage "Atomic Test T1037.005 - Daemon"
+
+sudo launchctl load /tmp/T1037_005_daemon.plist
+
+}
+
+StopService (){
+
+return 0
+
+}
+
+RestartService (){
+
+return 0
+
+}
+
+RunService "$1"
\ No newline at end of file
diff --git a/atomics/T1037.005/src/T1037_005_agent.plist b/atomics/T1037.005/src/T1037_005_agent.plist
new file mode 100644
index 00000000..6158728c
--- /dev/null
+++ b/atomics/T1037.005/src/T1037_005_agent.plist
@@ -0,0 +1,18 @@
+
+
+
+
+ Label
+ com.atomicredteam.T1037.005.agent
+ ProgramArguments
+
+ touch
+ /tmp/T1037_005_agent.txt
+
+ RunAtLoad
+
+ NSUIElement
+ 1
+
+
\ No newline at end of file
diff --git a/atomics/T1037.005/src/T1037_005_daemon.plist b/atomics/T1037.005/src/T1037_005_daemon.plist
new file mode 100644
index 00000000..16eeba1a
--- /dev/null
+++ b/atomics/T1037.005/src/T1037_005_daemon.plist
@@ -0,0 +1,18 @@
+
+
+
+
+ Label
+ com.atomicredteam.T1037.005.daemon
+ ProgramArguments
+
+ touch
+ /tmp/T1037_005_daemon.txt
+
+ RunAtLoad
+
+ NSUIElement
+ 1
+
+
\ No newline at end of file
diff --git a/atomics/T1543.001/T1543.001.yaml b/atomics/T1543.001/T1543.001.yaml
index 4f4c8b8c..76f7f6fd 100644
--- a/atomics/T1543.001/T1543.001.yaml
+++ b/atomics/T1543.001/T1543.001.yaml
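Review bot: The `sudo` in front of `launchctl load` inside `StartService` of T1037.005_daemon.sh is redundant under the yaml executor, which already runs `sudo /Library/StartupItems/atomic.sh start`, and when the script is invoked by a non-root user it turns the load into a password prompt (or a "no tty" failure) instead of a plain error; `launchctl load /tmp/T1037_005_daemon.plist` alone is enough, with the privilege requirement stated once at the top (`# must run as root: loads a LaunchDaemon plist`). A comment that loading a root daemon from world-writable /tmp is deliberately the emulated malware behaviour would stop a reader from "fixing" it. Otherwise this file is a copy of T1037.005_agent.sh with the message and the launchctl line changed, which a one-line header comment could say outright.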
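Review bot: `NSUIElement` in T1037_005_agent.plist (and its daemon twin) is an application Info.plist key, not a launchd job key, so launchd is expected to ignore it; the XML tags were lost in extraction here so I cannot see the value type, but the key should be dropped rather than left looking like it hides the job. The job as shown only runs `touch /tmp/T1037_005_agent.txt` under `RunAtLoad`, which is fine for a marker; an XML comment naming the atomic and its cleanup (`<!-- Atomic Red Team T1037.005 test marker; removed by the test's cleanup_command -->`) would help anyone who finds the file in /tmp during an investigation.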
@@ -63,3 +63,42 @@ atomic_tests:
 cleanup_command: |-
 sudo rm #{script_destination}
 sudo rm /private/var/db/emondClients/#{empty_file}
+- name: Launch Agent - Root Directory
+ auto_generated_guid:
+ description: |
+ Create a plist and execute it
+ supported_platforms:
+ - macos
+ input_arguments:
+ plist_filename:
+ description: filename
+ type: string
+ default: com.atomicredteam.T1543.001.plist
+ path_malicious_plist:
+ description: Name of file to store in cron folder
+ type: string
+ default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ /Library/LaunchAgents must exist
+ prereq_command: |
+ if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents; exit 0; fi;
+ get_prereq_command: |
+ echo "Failed to create /Library/LaunchAgents"; exit 1;
+ - description: |
+ The shared library must exist on disk at specified location (#{path_malicious_plist})
+ prereq_command: |
+ if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
+ launchctl load -w /Library/LaunchAgents/#{plist_filename}
+ cleanup_command: |
+ launchctl unload /Library/LaunchAgents/#{plist_filename}
+ sudo rm /Library/LaunchAgents/#{plist_filename}
+ sudo rm /tmp/T1543_001_atomicredteam.txt
diff --git a/atomics/T1543.004/T1543.004.yaml b/atomics/T1543.004/T1543.004.yaml
index b347932c..d3f02950 100644
--- a/atomics/T1543.004/T1543.004.yaml
+++ b/atomics/T1543.004/T1543.004.yaml
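Review bot: The `/Library/LaunchAgents must exist` dependency does the fix-up in the wrong step: `prereq_command` runs `mkdir /Library/LaunchAgents` itself without sudo and exits 0 whether or not that worked, so the check never fails and `get_prereq_command` only prints. Swap them: `prereq_command: if [ -d /Library/LaunchAgents ]; then exit 0; else exit 1; fi;` and `get_prereq_command: sudo mkdir -p /Library/LaunchAgents`. The executor loads with `launchctl load -w` but the cleanup uses `launchctl unload` without `-w`, so the enabled override that `-w` wrote outlives the test; use `launchctl unload -w`. `path_malicious_plist` is described as `Name of file to store in cron folder`, which is copied from another test, and `Create a plist and execute it` does not say the plist is placed in the system-wide `/Library/LaunchAgents` — that is what "Root Directory" means here and belongs in the description.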
@@ -34,3 +34,36 @@ atomic_tests:
 sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
 sudo rm /Library/LaunchDaemons/#{plist_filename}
 sudo rm /tmp/T1543_004_atomicredteam.txt
+- name: Launch Daemon - Users Directory
+ auto_generated_guid:
+ description: |
+ Utilize LaunchDaemon in /Users directory to touch temporary file in /tmp
+ supported_platforms:
+ - macos
+ input_arguments:
+ plist_filename:
+ description: filename
+ type: string
+ default: com.atomicredteam.T1543.004.plist
+ path_malicious_plist:
+ description: Name of file to store in cron folder
+ type: string
+ default: $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ The shared library must exist on disk at specified location (#{path_malicious_plist})
+ prereq_command: |
+ if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
+ sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
+ cleanup_command: |
+ sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
+ sudo rm ~/Library/LaunchDaemons/#{plist_filename}
+ sudo rm /tmp/T1543_004_atomicredteam.txt
\ No newline at end of file
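Review bot: Nothing guarantees `~/Library/LaunchDaemons` exists before `sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}`, and unlike the T1543.001 test in this same commit there is no dependency that creates it, so on a stock account the copy fails and the test ends with an unhelpful error. Add a dependency with `prereq_command: if [ -d ~/Library/LaunchDaemons ]; then exit 0; else exit 1; fi;` and `get_prereq_command: mkdir -p ~/Library/LaunchDaemons`. As far as I know launchd does not scan a per-user LaunchDaemons folder at boot, so what this test actually exercises is an explicit root `launchctl load -w` of a plist sitting in a user-writable directory; the description `Utilize LaunchDaemon in /Users directory` should say that so the test is not mistaken for real boot persistence, and `Name of file to store in cron folder` is a copy-paste leftover. Mirror the `-w` in the cleanup as well (`sudo launchctl unload -w ~/Library/LaunchDaemons/#{plist_filename}`) so the override written by the load is removed.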