Merge pull request #2220 from packetzero/am_t1547007_reopen_coded
Add two macOS T1547.007 loginwindow reopen tests
@@ -1,25 +1,24 @@
|
||||
attack_technique: T1547.007
|
||||
display_name: 'Boot or Logon Autostart Execution: Re-opened Applications'
|
||||
atomic_tests:
|
||||
- name: Re-Opened Applications
|
||||
- name: Copy in loginwindow.plist for Re-Opened Applications
|
||||
auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
|
||||
description: |
|
||||
Plist Method
|
||||
|
||||
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
|
||||
Copy in new loginwindow.plist to launch Calculator.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
calc_plist_path:
|
||||
description: path to binary plist with entry to open calculator
|
||||
type: Path
|
||||
default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist
|
||||
executor:
|
||||
steps: |
|
||||
1. create a custom plist:
|
||||
|
||||
~/Library/Preferences/com.apple.loginwindow.plist
|
||||
|
||||
or
|
||||
|
||||
~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
|
||||
name: manual
|
||||
- name: Re-Opened Applications
|
||||
command: |
|
||||
cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
|
||||
cleanup_command: |
|
||||
rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
|
||||
name: sh
|
||||
- name: Re-Opened Applications using LoginHook
|
||||
auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
|
||||
description: |
|
||||
Mac Defaults
|
||||
@@ -39,3 +38,46 @@ atomic_tests:
|
||||
sudo defaults delete com.apple.loginwindow LoginHook
|
||||
elevation_required: true
|
||||
name: sh
|
||||
- name: Append to existing loginwindow for Re-Opened Applications
|
||||
description: |
|
||||
Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
|
||||
Note that the change may not result in the added Calculator program launching on next user login.
|
||||
It may depend on which version of macOS you are running on.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
objc_source_path:
|
||||
description: path to objective C program
|
||||
type: Path
|
||||
default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
|
||||
exe_path:
|
||||
description: path to compiled program
|
||||
type: Path
|
||||
default: /tmp/t1547007_append_exe
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: |
|
||||
compile C program
|
||||
prereq_command: |
|
||||
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
|
||||
get_prereq_command: |
|
||||
cc #{objc_source_path} -o #{exe_path} -framework Cocoa
|
||||
executor:
|
||||
command: |
|
||||
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
|
||||
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
|
||||
echo save backup copy to /tmp/
|
||||
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
|
||||
echo before
|
||||
plutil -p ${FILE}
|
||||
echo overwriting...
|
||||
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}
|
||||
cleanup_command: |
|
||||
rm -f #{exe_path}
|
||||
# revert to backup copy
|
||||
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
|
||||
if [ -z "${FILE}" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
|
||||
name: sh
|
||||
|
||||
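Review bot: The third test (`- name: Append to existing loginwindow for Re-Opened Applications`) has no `auto_generated_guid`, while the two tests above it each carry one; add `auto_generated_guid: <GUID-PLACEHOLDER>` directly under its name so the test is addressable like the others. The cleanup's final `mv /tmp/t1547007_loginwindow-backup.plist ${FILE}` errors out when the backup is absent (for instance after an earlier cleanup already moved it back), and `${FILE}` is unquoted throughout; `if [ -f /tmp/t1547007_loginwindow-backup.plist ]; then mv /tmp/t1547007_loginwindow-backup.plist "${FILE}"; fi` covers both. The dependency description `compile C program` should read `compile Objective-C program`, matching the `.m` source and the `-framework Cocoa` flag. The atomic_tests list this entry belongs to starts in the earlier hunk.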
@@ -0,0 +1,43 @@
|
||||
#include <stdio.h>
|
||||
|
||||
#import <Cocoa/Cocoa.h>
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
if (2 > argc) {
|
||||
printf("usage: %s <path to loginwindow plist file>\n", argv[0]);
|
||||
return 1;
|
||||
}
|
||||
|
||||
// load
|
||||
|
||||
NSString *path = [NSString stringWithUTF8String: argv[1]];
|
||||
NSDictionary *dict = [[NSMutableDictionary alloc] initWithContentsOfFile:path];
|
||||
if (0 == dict.count) {
|
||||
printf("ERROR: unable read or parse plist at %s\n", argv[1]);
|
||||
return 2;
|
||||
}
|
||||
|
||||
// create a Calculator hidden node
|
||||
|
||||
NSDictionary *node = [[NSMutableDictionary alloc] init];
|
||||
[node setValue: @"com.apple.calculator" forKey: @"BundleID"];
|
||||
[node setValue: @"/System/Applications/Calculator.app" forKey: @"Path"];
|
||||
[node setValue: [NSNumber numberWithInt:2] forKey: @"BackgroundState"];
|
||||
[node setValue: [NSNumber numberWithInt:1] forKey: @"Hide"];
|
||||
|
||||
// append node to end of array
|
||||
|
||||
NSMutableArray *a = [dict objectForKey: @"TALAppsToRelaunchAtLogin"];
|
||||
[a addObject: node];
|
||||
|
||||
// overwrite file
|
||||
|
||||
BOOL status = [dict writeToFile: path atomically: NO];
|
||||
if (NO == status) {
|
||||
printf("Failed to overwrite plist file\n");
|
||||
return 3;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
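Review bot: The append on the `[a addObject: node]` line is silently lost when the loaded plist has no `TALAppsToRelaunchAtLogin` key: `objectForKey:` returns nil, messaging nil is a no-op, and the unchanged dictionary is then written back with exit status 0, so the test reports success without having modified the file. The nested array is also not guaranteed to be mutable — `initWithContentsOfFile:` appears to promise mutability only for the top-level container — so `addObject:` may raise on some inputs; taking a `mutableCopy`, creating the array when absent, and storing it back handles both cases. Separately, `writeToFile:path atomically:NO` can leave a truncated preferences file if the process is interrupted mid-write, whereas `atomically:YES` writes to a temporary file and renames it into place. `main` is complete within the hunk.
```objc
// … unchanged: argument check, plist load, node creation …
// The nested array from the plist is not guaranteed to be mutable and the key
// may be absent; work on a mutable copy, create it if missing, and store it back.
NSMutableArray *apps = [[dict objectForKey: @"TALAppsToRelaunchAtLogin"] mutableCopy];
if (nil == apps) {
    apps = [[NSMutableArray alloc] init];
}
[apps addObject: node];
[dict setValue: apps forKey: @"TALAppsToRelaunchAtLogin"];
// … unchanged: write-back and exit codes …
```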
Binary file not shown.