From 0fcbe1d0526c8f48e25bac6b26a967f87b5bd48a Mon Sep 17 00:00:00 2001
From: Alex M <20775507+packetzero@users.noreply.github.com>
Date: Sun, 30 Oct 2022 15:47:06 -0500
Subject: [PATCH 1/3] Add T1547.015 test to add login item via applescript

---
 atomics/T1547.015/T1547.015.yaml | 25 ++++++++++++++++++++-
 atomics/T1547.015/src/add_login_item.osa | 5 +++++
 atomics/T1547.015/src/remove_login_item.osa | 4 ++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1547.015/src/add_login_item.osa
 create mode 100644 atomics/T1547.015/src/remove_login_item.osa

diff --git a/atomics/T1547.015/T1547.015.yaml b/atomics/T1547.015/T1547.015.yaml
index 9b70c7ce..fb380a09 100644
--- a/atomics/T1547.015/T1547.015.yaml
+++ b/atomics/T1547.015/T1547.015.yaml
@@ -39,4 +39,27 @@ atomic_tests:
 cleanup_command: |
 mv -Force #{settings_json_tmp} #{settings_json_def}
 taskkill /F /IM "#{calculator}" > $null
- name: powershell
\ No newline at end of file
+ name: powershell
+- name: Add macOS LoginItem using Applescript
+ description: |
+ Runs osascript on a file to create new LoginItem for current user.
+ NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
+ Therefore, it can't be automated until the TCC is granted.
+ The login item will launch Safari.app when user logs in.
+ supported_platforms:
+ - macos
+ input_arguments:
+ scriptfile:
+ description: path to Applescript source to add Safari LoginItem.
+ type: String
+ default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
+ cleanup_script:
+ description: path to Applescript source to delete Safari LoginItem.
+ type: String
+ default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
+ executor:
+ command: |
+ osascript #{scriptfile}
+ cleanup_command: |
+ osascript #{cleanup_script}
+ name: bash
\ No newline at end of file
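Review bot: The executor lines `osascript #{scriptfile}` and `osascript #{cleanup_script}` pass the expanded paths unquoted, so if PathToAtomicsFolder resolves to a directory containing a space the command is split into several arguments and osascript is handed a wrong file; quoting them as `osascript "#{scriptfile}"` and `osascript "#{cleanup_script}"` avoids that. The new test also has no `dependencies` block, so a missing or mis-resolved script file only surfaces as an executor failure instead of at prerequisite-check time, and a prereq that confirms the file exists would separate that case from the TCC-denied case the description already warns about. Since the cleanup removes any login item named "Safari", the description should also say that a pre-existing user item of that name would be removed by cleanup.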
diff --git a/atomics/T1547.015/src/add_login_item.osa b/atomics/T1547.015/src/add_login_item.osa
new file mode 100644
index 00000000..7fa52208
--- /dev/null
+++ b/atomics/T1547.015/src/add_login_item.osa
@@ -0,0 +1,5 @@
+tell application "System Events"
+ get full name of current user
+ make new login item at end of login items with properties ¬
+ {path:"/Applications/Safari.app", name:"Safari"}
+end tell
diff --git a/atomics/T1547.015/src/remove_login_item.osa b/atomics/T1547.015/src/remove_login_item.osa
new file mode 100644
index 00000000..1826f900
--- /dev/null
+++ b/atomics/T1547.015/src/remove_login_item.osa
@@ -0,0 +1,4 @@
+tell application "System Events"
+ get full name of current user
+ delete login item "Safari"
+end tell

From 04506ef79b3daf76186811e5277f18d10bb5bbea Mon Sep 17 00:00:00 2001
From: Alex M <20775507+packetzero@users.noreply.github.com>
Date: Sun, 30 Oct 2022 15:49:21 -0500
Subject: [PATCH 2/3] update description

---
 atomics/T1547.015/T1547.015.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1547.015/T1547.015.yaml b/atomics/T1547.015/T1547.015.yaml
index fb380a09..d3dc5d25 100644
--- a/atomics/T1547.015/T1547.015.yaml
+++ b/atomics/T1547.015/T1547.015.yaml
@@ -45,7 +45,7 @@ atomic_tests:
 Runs osascript on a file to create new LoginItem for current user.
 NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
 Therefore, it can't be automated until the TCC is granted.
- The login item will launch Safari.app when user logs in.
+ The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
 supported_platforms:
 - macos
 input_arguments:
From 2b06c090457f9172fb5aabef0d8cff4632c10f0f Mon Sep 17 00:00:00 2001
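Review bot: `make new login item at end of login items ...` is not idempotent: running the test twice, or running it for a user who already has a Safari login item, adds a duplicate entry, and the companion cleanup script then deletes a single item named "Safari", which may be the user's own rather than the one the test created. Guarding the creation with `if not (exists login item "Safari") then` ... `end if` keeps the test adding only what its cleanup will remove. The result of `get full name of current user` is discarded; if the line is deliberate (presumably to surface the System Events automation prompt before anything is changed), a comment such as `-- read-only query; raises the Automation (TCC) prompt before any login item is created` would stop the next reader from removing it.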
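Review bot: `delete login item "Safari"` will typically raise an error when no item of that name exists, for example when the add step was denied at the TCC prompt or when cleanup is run twice, so the cleanup command exits non-zero on exactly the runs where it has nothing to do. Wrapping it as `try` / `delete login item "Safari"` / `end try` keeps cleanup best-effort, which is what a cleanup script should be. As with the add script, the unused `get full name of current user` line deserves a one-line comment stating why it is there.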
From: Alex M <20775507+packetzero@users.noreply.github.com>
Date: Sun, 30 Oct 2022 16:00:54 -0500
Subject: [PATCH 3/3] Add note in description about backgrounditems.btm file

---
 atomics/T1547.015/T1547.015.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/atomics/T1547.015/T1547.015.yaml b/atomics/T1547.015/T1547.015.yaml
index d3dc5d25..699677bb 100644
--- a/atomics/T1547.015/T1547.015.yaml
+++ b/atomics/T1547.015/T1547.015.yaml
@@ -46,6 +46,8 @@ atomic_tests:
 NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
 Therefore, it can't be automated until the TCC is granted.
 The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
+ In addition to the `osascript` Process Events, file modification events to
+ `/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
 supported_platforms:
 - macos
 input_arguments:
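Review bot: The added detection note gives the per-user `backgrounditems.btm` path as a fixed fact without saying which macOS releases it was observed on; the location where Background Task Management records login items has changed between macOS versions, so a defender following the note literally on a newer system may watch a file that is never written. Qualifying the sentence, e.g. `(observed on macOS <VERSION-TESTED placeholder>; newer releases may store login items elsewhere)`, keeps the detection guidance honest. Noting that the `osascript` process event only identifies the technique when correlated with the file write would also help, since osascript itself is common on the platform.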