diff --git a/atomics/T1165/T1165.md b/atomics/T1165/T1165.md
index d84f360e..65d32b1c 100644
--- a/atomics/T1165/T1165.md
+++ b/atomics/T1165/T1165.md
@@ -6,33 +6,37 @@ An adversary can create the appropriate folders/files in the StartupItems direct
## Atomic Tests
-- [Atomic Test #1 - Startup Items](#atomic-test-1---startup-items)
+- [Atomic Test #1 - add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
-- [Atomic Test #2 - Startup Items (emond rule)](#atomic-test-2---startup-items-emond-rule)
+- [Atomic Test #2 - Persistance with Event Monitor - emond](#atomic-test-2---persistance-with-event-monitor---emond)
-## Atomic Test #1 - Startup Items
-Modify or create an file in StartupItems
+## Atomic Test #1 - add file to Local Library StartupItems
+Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. /Library/StartupItems/StartupParameters.plist
-
-
+#### Run it with `sh`! Elevation Required (e.g. root or admin)
+```
+sudo touch /Library/StartupItems/EvilStartup.plist
+```
+#### Cleanup Commands:
+```
+sudo rm /Library/StartupItems/EvilStartup.plist
+```
-## Atomic Test #2 - Startup Items (emond rule)
-Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+## Atomic Test #2 - Persistance with Event Monitor - emond
+Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
**Supported Platforms:** macOS
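Review bot: the new test names introduce a spelling error and an inconsistency. "Persistance with Event Monitor - emond" should read "Persistence with Event Monitor - emond" (the anchor link in the table of contents must change to match), and "add file to Local Library StartupItems" is the only lowercase title in the file; capitalise it ("Add file to Local Library StartupItems"). In the description, "Modify or create an file in /Library/StartupItems" keeps the pre-existing grammar slip ("a file"), and "OSX's emond" should be "macOS's emond" to match the platform label two lines below. On the command itself: `sudo touch /Library/StartupItems/EvilStartup.plist` only creates an empty marker file, which is not a loadable startup item (those need a subdirectory holding an executable plus a StartupParameters.plist), and it fails with "No such file or directory" on a host where /Library/StartupItems does not exist; either say in the description that this is a file-creation indicator only, or prepend `sudo mkdir -p /Library/StartupItems` and remove the directory in the cleanup if the test created it.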
@@ -40,9 +44,9 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| plist | Path to emond plist file | path | /path/to/T1165_emond.plist|
+| plist | Path to attacker emond plist file | path | $PathToAtomics/T1165/src/T1165_emond.plist|
-#### Run it with `sh`!
+#### Run it with `sh`! Elevation Required (e.g. root or admin)
```
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
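Review bot: the new default `$PathToAtomics/T1165/src/T1165_emond.plist` points at a file that this diff does not add; none of the four touched files is under atomics/T1165/src/, so either that plist already exists in the tree or the change is incomplete and the test will fail at `sudo cp` with a missing source. Please confirm the file is present or include it. Also, Test #1 gained a cleanup step in this change but no cleanup is shown for this test; if none exists further down, add one that removes /etc/emond.d/rules/T1165_emond.plist and /private/var/db/emondClients/T1165 so the rule does not remain active after the test.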
diff --git a/atomics/index.md b/atomics/index.md
index 44b7afed..59d15a88 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -134,8 +134,8 @@
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1165 Startup Items](./T1165/T1165.md)
- - Atomic Test #1: Startup Items [macos]
- - Atomic Test #2: Startup Items (emond rule) [macos]
+ - Atomic Test #1: add file to Local Library StartupItems [macos]
+ - Atomic Test #2: Persistance with Event Monitor - emond [macos]
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1501 Systemd Service](./T1501/T1501.md)
- Atomic Test #1: Create Systemd Service [linux]
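Review bot: the index entries carry the same "Persistance" misspelling and lowercase "add file" title as the T1165.md change; if these index files are generated from index.yaml, fix the names there and regenerate rather than hand-editing, otherwise the typo will be reintroduced on the next regeneration.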
@@ -478,8 +478,8 @@
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- - Atomic Test #1: Startup Items [macos]
- - Atomic Test #2: Startup Items (emond rule) [macos]
+ - Atomic Test #1: add file to Local Library StartupItems [macos]
+ - Atomic Test #2: Persistance with Event Monitor - emond [macos]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 1c0d5d5b..323003dd 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -4663,32 +4663,37 @@ persistence:
modified: '2019-07-18T17:58:17.016Z'
identifier: T1165
atomic_tests:
- - name: Startup Items
+ - name: add file to Local Library StartupItems
description: |
- Modify or create an file in StartupItems
+ Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
executor:
- name: manual
- steps: '1. /Library/StartupItems/StartupParameters.plist
+ name: sh
+ elevation_required: true
+ command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
- - name: Startup Items (emond rule)
- description: 'Establish persistence via a rule run by emond daemon at startup,
- based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+ cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
+
+'
+ - name: Persistance with Event Monitor - emond
+ description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
+ daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
plist:
- description: Path to emond plist file
+ description: Path to attacker emond plist file
type: path
- default: "/path/to/T1165_emond.plist"
+ default: "$PathToAtomics/T1165/src/T1165_emond.plist"
executor:
name: sh
+ elevation_required: true
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
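Review bot: the new `cleanup_command` scalar embeds two trailing newlines (the single-quoted string spans `'sudo rm ...`, a blank line, then `'`), whereas `command` directly above it embeds one; trim the extra blank line so the two fields are formatted alike. The same name and description fixes as in T1165.md apply here ("Persistence", "a file", "macOS's emond"). Note also that the `modified: '2019-07-18T17:58:17.016Z'` context line at the top of this block is unchanged even though the test definitions changed; if the timestamp is meant to track edits, update it or regenerate the file.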
@@ -15040,32 +15045,37 @@ privilege-escalation:
modified: '2019-07-18T17:58:17.016Z'
identifier: T1165
atomic_tests:
- - name: Startup Items
+ - name: add file to Local Library StartupItems
description: |
- Modify or create an file in StartupItems
+ Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
executor:
- name: manual
- steps: '1. /Library/StartupItems/StartupParameters.plist
+ name: sh
+ elevation_required: true
+ command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
- - name: Startup Items (emond rule)
- description: 'Establish persistence via a rule run by emond daemon at startup,
- based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+ cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
+
+'
+ - name: Persistance with Event Monitor - emond
+ description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
+ daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
plist:
- description: Path to emond plist file
+ description: Path to attacker emond plist file
type: path
- default: "/path/to/T1165_emond.plist"
+ default: "$PathToAtomics/T1165/src/T1165_emond.plist"
executor:
name: sh
+ elevation_required: true
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
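Review bot: this privilege-escalation block is a verbatim copy of the persistence block edited above, so every point raised there (spelling of "Persistence", "a file", the double trailing newline in `cleanup_command`, the stale `modified` timestamp, and the emond test's missing cleanup if it has none) applies here as well; keep the two blocks in sync, ideally by generating both from one source.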
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index b6dee394..363c81ea 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -46,8 +46,8 @@
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- - Atomic Test #1: Startup Items [macos]
- - Atomic Test #2: Startup Items (emond rule) [macos]
+ - Atomic Test #1: add file to Local Library StartupItems [macos]
+ - Atomic Test #2: Persistance with Event Monitor - emond [macos]
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
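Review bot: same remark as for index.md: the "Persistance" misspelling and lowercase "add file" title propagate into macos-index.md in both hunks; correct the names in index.yaml and regenerate so this file does not drift from the source of truth.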
@@ -363,8 +363,8 @@
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- - Atomic Test #1: Startup Items [macos]
- - Atomic Test #2: Startup Items (emond rule) [macos]
+ - Atomic Test #1: add file to Local Library StartupItems [macos]
+ - Atomic Test #2: Persistance with Event Monitor - emond [macos]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)