From 88bc32c778ca03951e879f41708cb0754a355a0e Mon Sep 17 00:00:00 2001
From: vector-sec
Date: Sat, 21 Jul 2018 22:15:11 -0400
Subject: [PATCH] Added T1165 emond rule test
---
 atomics/T1165/T1165.yaml | 22 ++++++++++++++++
 atomics/T1165/T1165_emond.plist | 45 +++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 atomics/T1165/T1165_emond.plist
diff --git a/atomics/T1165/T1165.yaml b/atomics/T1165/T1165.yaml
index 0fd0ad66..10860062 100644
--- a/atomics/T1165/T1165.yaml
+++ b/atomics/T1165/T1165.yaml
@@ -16,3 +16,25 @@ atomic_tests:
 name: manual
 steps: |
 1. /Library/StartupItems/StartupParameters.plist
+
+- name: Launch Daemon (emond rule)
+ description: |
+ Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+
+ supported_platforms:
+ - macos
+
+ input_arguments:
+ plist:
+ description: Path to emond plist file
+ type: path
+ default: /path/to/T1165_emond.plist
+
+ executor:
+ name: sh
+ command: |
+ sudo cp "${plist}" /etc/emond.d/rules/T1165_emond.plist
+ sudo touch /private/var/db/emondClients/T1165
+ #Clean up
+ sudo rm /etc/emond.d/rules/T1165_emond.plist
+ sudo rm /private/var/db/emondClients/T1165
diff --git a/atomics/T1165/T1165_emond.plist b/atomics/T1165/T1165_emond.plist
new file mode 100644
index 00000000..e8a1d6ae
--- /dev/null
+++ b/atomics/T1165/T1165_emond.plist
@@ -0,0 +1,45 @@
+
+
+
+
+
+ name
+ Atomic Red Team T1160
+ enabled
+
+ eventTypes
+
+ startup
+
+ actions
+
+
+ command
+ /bin/sleep
+ user
+ root
+ arguments
+
+ 30
+
+ type
+ RunCommand
+
+
+ command
+ /usr/bin/say
+ user
+ root
+ arguments
+
+ -v
+ Karen
+ Hello from Atomic Red Team technique T1165
+
+ type
+ RunCommand
+
+
+
+
+
\ No newline at end of file
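Review bot: The `command` block removes the artifacts it has just created (`#Clean up` followed by `sudo rm /etc/emond.d/rules/T1165_emond.plist` and `sudo rm /private/var/db/emondClients/T1165`), yet the plist added in the same commit only reacts to the `startup` event type, so the persistence that `description` promises is never exercised while the test runs. Either reword `description` to state that the test only drops and removes the rule file and the emondClients trigger file, so that detection is expected on those file-system writes rather than on a startup execution, or move the two `sudo rm` lines out of `command` into a separate cleanup step if the test schema offers one. `default: /path/to/T1165_emond.plist` is a placeholder that does not point at the plist this commit adds under `atomics/T1165/`, so a runner that keeps the default will fail at the `cp` before anything observable happens. The shell comment should read `# Clean up`.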
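Review bot: The rule's `name` value is `Atomic Red Team T1160`, while the file name, the test in T1165.yaml and the `say` message all refer to T1165; suggest `Atomic Red Team T1165` so the rule is attributed to the right technique when it is found in `/etc/emond.d/rules/` during triage. As rendered here the plist's XML tags and the value following `enabled` are not visible, so the dictionary structure and whether the rule is actually enabled cannot be verified from this hunk.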