security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mac Persistence

Browse Source 
Added many mac persistence items and updated readme
This commit is contained in:
Michael Haag
2018-01-09 09:07:41 -07:00
parent 4480d4d11d
commit 3c84c659f5
7 changed files with 151 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Mac/Persistence/Hidden_Files_and_Directories.md
+34
View File
@@ -0,0 +1,34 @@
# Hidden Files and Directories
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
### Hide files
Input:
mv filename .filename
Input:
(Requires Apple Dev Tools)
setfile -a V filename
### Hide Directories
Input:
chflags hidden /secret/dir
Unhide:
chflags nohidden
### Show all Hidden
Execute within terminal:
defaults write com.apple.finder AppleShowAllFiles YES
Mac/Persistence/Launch_Agent.md
+38
View File
@@ -0,0 +1,38 @@
# Launch Agent
MITRE ATT&CK Technique: [T1159](https://attack.mitre.org/wiki/Technique/T1159)
Input:
Filename: .client
(Place within any directory, it will need to be referenced in the plist)
osascript -e 'tell app "Finder" to display dialog "Hello World"'
Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.client.client</string>
<key>ProgramArguments</key>
<array>
<string>/Users/<update path to .clent file>/.client</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>NSUIElement</key>
<string>1</string>
</dict>
</plist>
Launch:
launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
Mac/Persistence/Launch_Daemon.md
+23
View File
@@ -0,0 +1,23 @@
# Launch Daemon
MITRE ATT&CK Technique: [T1160](https://attack.mitre.org/wiki/Technique/T1160)
Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.hello</string>
<key>ProgramArguments</key>
<array>
<string>hello</string>
<string>world</string>
</array>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
Mac/Persistence/Plist_Modification.md
+13
View File
@@ -0,0 +1,13 @@
# Plist Modification
MITRE ATT&CK Technique: [T1150](https://attack.mitre.org/wiki/Technique/T1150)
Modify a .plist in
/Library/Preferences
or
~/Library/Preferences
Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
Mac/Persistence/Re-opened_Applications.md
+26
View File
@@ -0,0 +1,26 @@
# Re-Opened Applications
MITRE ATT&CK Technique: [T1164](https://attack.mitre.org/wiki/Technique/T1164)
### Plist method
create a custom plist:
~/Library/Preferences/com.apple.loginwindow.plist
or
~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
### Mac Defaults
Create:
sudo defaults write com.apple.loginwindow LoginHook /path/to/script
Delete:
sudo defaults delete com.apple.loginwindow LoginHook
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
Mac/Persistence/Startup_Items.md
+10
View File
@@ -0,0 +1,10 @@
# Startup Items
MITRE ATT&CK Technique: [T1165](https://attack.mitre.org/wiki/Technique/T1165)
Modify or create:
/Library/StartupItems/StartupParameters.plist
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
Mac/README.md
+7 -7
View File
@@ -5,19 +5,19 @@
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | Create Account | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| Launch Daemon | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| [Plist Modification](Persistence/Plist_Modification.md) | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
| Re-opened Applications | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
| [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
| Startup Items | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol |
| [Startup Items](Persistence/Startup_Items.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Masquerading | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Plist Modification | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |