From b229230a6cb3ae52a07d3a8efe48c56e993f3f9e Mon Sep 17 00:00:00 2001
From: Alex M <20775507+packetzero@users.noreply.github.com>
Date: Tue, 1 Nov 2022 14:46:20 -0500
Subject: [PATCH 1/3] Add two T1547.007 loginwindow reopen tests
---
atomics/T1547.007/T1547.007.yaml | 75 ++++++++++++++----
.../T1547.007/src/append_reopen_loginwindow.m | 43 ++++++++++
.../src/reopen_loginwindow_calc.plist | Bin 0 -> 194 bytes
3 files changed, 104 insertions(+), 14 deletions(-)
create mode 100644 atomics/T1547.007/src/append_reopen_loginwindow.m
create mode 100644 atomics/T1547.007/src/reopen_loginwindow_calc.plist
diff --git a/atomics/T1547.007/T1547.007.yaml b/atomics/T1547.007/T1547.007.yaml
index 73d0ec28..6310c285 100644
--- a/atomics/T1547.007/T1547.007.yaml
+++ b/atomics/T1547.007/T1547.007.yaml
@@ -1,25 +1,24 @@ attack_technique: T1547.007 display_name: 'Boot or Logon Autostart Execution: Re-opened Applications' atomic_tests: -- name: Re-Opened Applications +- name: Copy in loginwindow.plist for Re-Opened Applications auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba description: | - Plist Method - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + Copy in new loginwindow.plist to launch Calculator. supported_platforms: - macos + input_arguments: + calc_plist_path: + description: path to binary plist with entry to open calculator + type: Path + default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist executor: - steps: | - 1. create a custom plist: - - ~/Library/Preferences/com.apple.loginwindow.plist - - or - - ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist - name: manual -- name: Re-Opened Applications + command: | + cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist + cleanup_command: | + rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist + name: sh +- name: Re-Opened Applications using LoginHook auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb description: | Mac Defaults 
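Review bot: The new executor copies `#{calc_plist_path}` over `~/Library/Preferences/ByHost/com.apple.loginwindow.plist` without preserving whatever was already there, and the `cleanup_command` then runs `rm -f` on that path rather than restoring it, so a user who already had that file loses it; the third test in this same patch backs the original up and moves it back on cleanup, and this test should do the same. The destination name also carries no host UUID, while the third test locates the live file with `com.apple.loginwindow.*.plist`, so whether loginwindow actually reads the copied file is unclear — worth confirming and stating in the description, which currently only says it launches Calculator. A minimal form for `command` is `DEST=~/Library/Preferences/ByHost/com.apple.loginwindow.plist; [ -e "$DEST" ] && cp "$DEST" "$DEST.t1547007-bak"; cp "#{calc_plist_path}" "$DEST"`, with `cleanup_command` moving `$DEST.t1547007-bak` back when it exists and otherwise removing `$DEST`.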
@@ -39,3 +38,51 @@ atomic_tests:
sudo defaults delete com.apple.loginwindow LoginHook
elevation_required: true
name: sh
+- name: Append to existing loginwindow for Re-Opened Applications
+ auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
+ description: |
+ Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
+ supported_platforms:
+ - macos
+ input_arguments:
+ objc_source_path:
+ description: path to objective C program
+ type: Path
+ default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
+ exe_path:
+ description: path to compiled program
+ type: Path
+ default: /tmp/t1547007_append_exe
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ compile C program
+ prereq_command: |
+ exit 1
+ get_prereq_command: |
+ cc #{objc_source_path} -o #{exe_path} -framework Cocoa
+ executor:
+ command: |
+ set -x
+ FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+ if [ -z "${FILE}" ] ; then
+ echo "No loginwindow plist file found"
+ exit 1
+ fi
+ # save backup copy
+ cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
+ # before
+ plutil -p ${FILE}
+ # overwrite
+ #{exe_path} ${FILE}
+ # after
+ plutil -p ${FILE}
+ cleanup_command: |
+ rm -f #{exe_path}
+ # revert to backup copy
+ FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+ if [ -z "${FILE}" ] ; then
+ exit 0
+ fi
+ mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
+ name: sh
diff --git a/atomics/T1547.007/src/append_reopen_loginwindow.m b/atomics/T1547.007/src/append_reopen_loginwindow.m
new file mode 100644
index 00000000..b8137e91
--- /dev/null
+++ b/atomics/T1547.007/src/append_reopen_loginwindow.m
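Review bot: The backup in `command` is written to the fixed, world-writable path `/tmp/t1547007_loginwindow-backup.plist`, and `cleanup_command` later `mv`s whatever sits at that path into `~/Library/Preferences/ByHost/`, so a file or symlink placed there beforehand by another local user, or a copy left by a run whose cleanup never executed, becomes the user's loginwindow preferences on cleanup. Keep the backup beside the original instead, e.g. `cp "${FILE}" "${FILE}.t1547007-bak"` in `command` and `mv "${FILE}.t1547007-bak" "${FILE}"` in `cleanup_command` (the suffix keeps it outside the `*.plist` glob the `find` uses), and quote `"${FILE}"` wherever it is expanded so a home path with spaces is handled. The same `/tmp` backup path is still present on the new side of the last hunk of patch 3, so the change applies there as well.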
@@ -0,0 +1,43 @@
+#include
+
+#import
+
+int main(int argc, char *argv[])
+{
+ if (2 > argc) {
+ printf("usage: %s \n", argv[0]);
+ return 1;
+ }
+
+ // load
+
+ NSString *path = [NSString stringWithUTF8String: argv[1]];
+ NSDictionary *dict = [[NSMutableDictionary alloc] initWithContentsOfFile:path];
+ if (0 == dict.count) {
+ printf("ERROR: unable read or parse plist at %s\n", argv[1]);
+ return 2;
+ }
+
+ // create a Calculator hidden node
+
+ NSDictionary *node = [[NSMutableDictionary alloc] init];
+ [node setValue: @"com.apple.calculator" forKey: @"BundleID"];
+ [node setValue: @"/System/Applications/Calculator.app" forKey: @"Path"];
+ [node setValue: [NSNumber numberWithInt:2] forKey: @"BackgroundState"];
+ [node setValue: [NSNumber numberWithInt:1] forKey: @"Hide"];
+
+ // append node to end of array
+
+ NSMutableArray *a = [dict objectForKey: @"TALAppsToRelaunchAtLogin"];
+ [a addObject: node];
+
+ // overwrite file
+
+ BOOL status = [dict writeToFile: path atomically: NO];
+ if (NO == status) {
+ printf("Failed to overwrite plist file\n");
+ return 3;
+ }
+
+ return 0;
+}
diff --git a/atomics/T1547.007/src/reopen_loginwindow_calc.plist b/atomics/T1547.007/src/reopen_loginwindow_calc.plist
new file mode 100644
index 0000000000000000000000000000000000000000..5b66ca835b010b1639dd61ade55741e70a83620e
GIT binary patch
literal 194 zcmYc)$jK}&F)+Bu$P_Oi5#s3MSWr+Lk{^_slUSOUoZ(pFlb@cMw~+Y?3o9Et2PYSI zh(~5hYJ^j1UP?}?r%OmcVo6540KZdWa&~%AK2S8cB(WrwGhRR>IX_n~v7jI)RWCU) zC%H5yu_V7JUO-ttxU#q;HCG>KPfliXVo7FxUa`J2Tm?vr022qdnuej7y-Qel-V_Ef PU}S{Q3_MU8Moj|%
Date: Tue, 1 Nov 2022 15:05:45 -0500
Subject: [PATCH 2/3] Remove dup guid
---
atomics/T1547.007/T1547.007.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/atomics/T1547.007/T1547.007.yaml b/atomics/T1547.007/T1547.007.yaml
index 6310c285..b78fe8e5 100644
--- a/atomics/T1547.007/T1547.007.yaml
+++ b/atomics/T1547.007/T1547.007.yaml
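Review bot: When the plist has no `TALAppsToRelaunchAtLogin` key, `[dict objectForKey:]` returns nil, `[a addObject: node]` is a silent no-op on nil, `writeToFile:` rewrites the unchanged file and `main` returns 0, so the test reports success without adding anything. When the key is present, the array comes from plist deserialization and is most likely an immutable `NSArray` despite the `NSMutableArray *` declaration, in which case `addObject:` raises instead; either way the append should go through a mutable copy that is stored back into the dictionary, which then also needs to be declared `NSMutableDictionary *` so `setObject:forKey:` compiles. `writeToFile: path atomically: NO` can leave a truncated preferences file if the write fails midway, and `atomically: YES` avoids that. A header comment noting that the file is written directly rather than through the defaults system would also explain the "may not take effect" caveat the test description gains in patch 3.
```objc
    NSMutableDictionary *dict = [[NSMutableDictionary alloc] initWithContentsOfFile:path];
    // … unchanged: empty-dict check, node creation …
    // Deserialized containers are immutable; work on a mutable copy and
    // create the array when the plist does not have one yet.
    id existing = [dict objectForKey: @"TALAppsToRelaunchAtLogin"];
    NSMutableArray *a = [existing isKindOfClass:[NSArray class]] ? [existing mutableCopy]
                                                                 : [NSMutableArray array];
    [a addObject: node];
    [dict setObject: a forKey: @"TALAppsToRelaunchAtLogin"];
    // … unchanged: write-out and exit codes …
```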
@@ -39,7 +39,6 @@ atomic_tests:
elevation_required: true
name: sh
- name: Append to existing loginwindow for Re-Opened Applications
- auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
description: |
Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
supported_platforms:
From 3c28d6cb5d36969647032c781d8b560044b5d52d Mon Sep 17 00:00:00 2001
From: Alex M <20775507+packetzero@users.noreply.github.com>
Date: Fri, 4 Nov 2022 16:39:46 -0500
Subject: [PATCH 3/3] make Invoke happy with prereq check, remove comments in executor script
---
atomics/T1547.007/T1547.007.yaml | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/atomics/T1547.007/T1547.007.yaml b/atomics/T1547.007/T1547.007.yaml
index b78fe8e5..2d791064 100644
--- a/atomics/T1547.007/T1547.007.yaml
+++ b/atomics/T1547.007/T1547.007.yaml
@@ -41,6 +41,8 @@ atomic_tests:
- name: Append to existing loginwindow for Re-Opened Applications
description: |
Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
+ Note that the change may not result in the added Calculator program launching on next user login.
+ It may depend on which version of macOS you are running on.
supported_platforms:
- macos
input_arguments:
@@ -57,25 +59,19 @@ atomic_tests: - description: | compile C program prereq_command: | - exit 1 + if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi get_prereq_command: | cc #{objc_source_path} -o #{exe_path} -framework Cocoa executor: command: | - set -x FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1` - if [ -z "${FILE}" ] ; then - echo "No loginwindow plist file found" - exit 1 - fi - # save backup copy + if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi + echo save backup copy to /tmp/ cp ${FILE} /tmp/t1547007_loginwindow-backup.plist - # before - plutil -p ${FILE} - # overwrite - #{exe_path} ${FILE} - # after + echo before plutil -p ${FILE} + echo overwriting... + #{exe_path} ${FILE} && echo after && plutil -p ${FILE} cleanup_command: | rm -f #{exe_path} # revert to backup copy
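Review bot: The replacement `prereq_command` only checks that some file exists at `#{exe_path}`, whose default (set in the `input_arguments` block above this hunk) is the predictable, world-writable `/tmp/t1547007_append_exe`, so a stale binary from an older source revision or a file planted there by another local user satisfies the check, `get_prereq_command` never recompiles, and the executor then runs that file against the user's loginwindow plist. Test for an executable and move the default out of `/tmp`, e.g. `if [ -x "#{exe_path}" ]; then exit 0; else exit 1; fi` together with a default under `$HOME` or the atomics folder. The rewritten executor lines still expand `${FILE}` unquoted in `cp`, `plutil` and the `#{exe_path}` call; `"${FILE}"` keeps a path containing spaces intact. The `cleanup_command` block continues past the end of the hunk.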