From 0fcbe1d0526c8f48e25bac6b26a967f87b5bd48a Mon Sep 17 00:00:00 2001
From: Alex M <20775507+packetzero@users.noreply.github.com>
Date: Sun, 30 Oct 2022 15:47:06 -0500
Subject: [PATCH] Add T1547.015 test to add login item via applescript
---
 atomics/T1547.015/T1547.015.yaml | 25 ++++++++++++++++++++-
 atomics/T1547.015/src/add_login_item.osa | 5 +++++
 atomics/T1547.015/src/remove_login_item.osa | 4 ++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1547.015/src/add_login_item.osa
 create mode 100644 atomics/T1547.015/src/remove_login_item.osa
diff --git a/atomics/T1547.015/T1547.015.yaml b/atomics/T1547.015/T1547.015.yaml
index 9b70c7ce..fb380a09 100644
--- a/atomics/T1547.015/T1547.015.yaml
+++ b/atomics/T1547.015/T1547.015.yaml
@@ -39,4 +39,27 @@ atomic_tests:
 cleanup_command: |
 mv -Force #{settings_json_tmp} #{settings_json_def}
 taskkill /F /IM "#{calculator}" > $null
- name: powershell
\ No newline at end of file
+ name: powershell
+- name: Add macOS LoginItem using Applescript
+ description: |
+ Runs osascript on a file to create new LoginItem for current user.
+ NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
+ Therefore, it can't be automated until the TCC is granted.
+ The login item will launch Safari.app when user logs in.
+ supported_platforms:
+ - macos
+ input_arguments:
+ scriptfile:
+ description: path to Applescript source to add Safari LoginItem.
+ type: String
+ default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
+ cleanup_script:
+ description: path to Applescript source to delete Safari LoginItem.
+ type: String
+ default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
+ executor:
+ command: |
+ osascript #{scriptfile}
+ cleanup_command: |
+ osascript #{cleanup_script}
+ name: bash
\ No newline at end of file
diff --git a/atomics/T1547.015/src/add_login_item.osa b/atomics/T1547.015/src/add_login_item.osa
new file mode 100644
index 00000000..7fa52208 
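Review bot: The executor and cleanup commands pass the script paths unquoted (`osascript #{scriptfile}` and `osascript #{cleanup_script}`); `PathToAtomicsFolder` expands to a directory the operator chooses, which may contain spaces, so both should read `osascript "#{scriptfile}"` and `osascript "#{cleanup_script}"`. The description warns about the TCC prompt only for the run, but the cleanup script also talks to System Events and will hit the same Allow/Deny prompt if the grant was denied or later reset, so the cleanup_command is not guaranteed to complete unattended either and the description should say so. It would also help to state the post-condition explicitly, e.g. `The test leaves a login item named "Safari" for the current user; the cleanup removes an item of that name.`, so whoever validates detection knows exactly which artifact to look for. The enclosing atomic_tests list begins before this hunk.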
--- /dev/null
+++ b/atomics/T1547.015/src/add_login_item.osa
@@ -0,0 +1,5 @@
+tell application "System Events"
+ get full name of current user
+ make new login item at end of login items with properties ¬
+ {path:"/Applications/Safari.app", name:"Safari"}
+end tell
diff --git a/atomics/T1547.015/src/remove_login_item.osa b/atomics/T1547.015/src/remove_login_item.osa
new file mode 100644
index 00000000..1826f900
--- /dev/null
+++ b/atomics/T1547.015/src/remove_login_item.osa
@@ -0,0 +1,4 @@
+tell application "System Events"
+ get full name of current user
+ delete login item "Safari"
+end tell
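Review bot: `get full name of current user` on the second line is a query whose result is never used, so it is either dead code or a deliberate early probe that makes the System Events permission prompt appear before any change is made; if it is the latter, say so with a comment such as `-- harmless query first so the TCC prompt fires before the login item is created`, otherwise drop the line. The same unused line appears in remove_login_item.osa in this commit. The cleanup script depends on the `name:"Safari"` property set here, so a short `-- name must match remove_login_item.osa` comment on the properties line would prevent a silent cleanup failure if either file is edited independently.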
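Review bot: `delete login item "Safari"` raises an error when no such item exists — for instance when the add step was denied at the TCC prompt — and that error surfaces as a non-zero osascript exit, so the cleanup reports failure for an already-clean state; guard it with `if exists login item "Safari" then delete login item "Safari"`. The delete also matches by name only, so a login item named Safari that the user had configured before the test would be removed by cleanup; that side effect is worth a `--` comment here or a sentence in the test description.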