Merge pull request #2211 from packetzero/am_t1547_015_loginitem

Add macOS T1547.015 add/remove LoginItem via AppleScript

atomics/T1547.015/T1547.015.yaml

@@ -39,4 +39,29 @@ atomic_tests:
     cleanup_command: |
       mv -Force #{settings_json_tmp} #{settings_json_def}
       taskkill /F /IM "#{calculator}" > $null
-    name: powershell
+    name: powershell
+- name: Add macOS LoginItem using Applescript
+  description: |
+    Runs osascript on a file to create new LoginItem for current user.
+    NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
+    Therefore, it can't be automated until the TCC is granted.
+    The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
+    In addition to the `osascript` Process Events, file modification events to
+    `/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
+  supported_platforms:
+  - macos
+  input_arguments:
+    scriptfile:
+      description: path to Applescript source to add Safari LoginItem.
+      type: String
+      default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
+    cleanup_script:
+      description: path to Applescript source to delete Safari LoginItem.
+      type: String
+      default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
+  executor:
+    command: |
+      osascript #{scriptfile}
+    cleanup_command: |
+      osascript #{cleanup_script}
+    name: bash

atomics/T1547.015/src/add_login_item.osa

@@ -0,0 +1,5 @@
+tell application "System Events"
+    get full name of current user
+    make new login item at end of login items with properties ¬
+        {path:"/Applications/Safari.app", name:"Safari"}
+end tell

atomics/T1547.015/src/remove_login_item.osa

@@ -0,0 +1,4 @@
+tell application "System Events"
+    get full name of current user
+    delete login item "Safari"
+end tell