security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1037.005/T1037.005.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

209 lines
6.8 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1037.005 - Boot or Logon Initialization Scripts: Startup Items
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/005)
<blockquote>
Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isnt guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.
An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
- [Atomic Test #2 - Add launch script to launch daemon](#atomic-test-2---add-launch-script-to-launch-daemon)
- [Atomic Test #3 - Add launch script to launch agent](#atomic-test-3---add-launch-script-to-launch-agent)
<br/>
## Atomic Test #1 - Add file to Local Library StartupItems
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo touch /Library/StartupItems/EvilStartup.plist
```
#### Cleanup Commands:
```sh
sudo rm /Library/StartupItems/EvilStartup.plist
```
<br/>
<br/>
## Atomic Test #2 - Add launch script to launch daemon
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
**auto_generated_guid:** fc369906-90c7-4a15-86fd-d37da624dde6
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_malicious_script | Name of script to store in cron folder | string | $PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh|
| path_malicious_plist | Name of file to store in /tmp | string | $PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist|
| path_startup_params | Name of plist with startup params | string | $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
```
#### Cleanup Commands:
```bash
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
```
#### Dependencies: Run with `bash`!
##### Description: /Library/StartupItems must exist
##### Check Prereq Commands:
```bash
if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
```
##### Get Prereq Commands:
```bash
echo "Failed to create /Library/StartupItems"; exit 1;
```
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```
##### Description: The startup script must exist on disk at specified location (#{path_malicious_script})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The startup script doesn't exist. Check the path and try again."; exit 1;
```
<br/>
<br/>
## Atomic Test #3 - Add launch script to launch agent
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
**auto_generated_guid:** 10cf5bec-49dd-4ebf-8077-8f47e420096f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_malicious_script | Name of script to store in cron folder | string | $PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh|
| path_malicious_plist | Name of file to store in /tmp | string | $PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist|
| path_startup_params | Name of plist with startup params | string | $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
```
#### Cleanup Commands:
```bash
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
```
#### Dependencies: Run with `bash`!
##### Description: /Library/StartupItems must exist
##### Check Prereq Commands:
```bash
if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
```
##### Get Prereq Commands:
```bash
echo "Failed to create /Library/StartupItems"; exit 1;
```
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```
##### Description: The startup script must exist on disk at specified location (#{path_malicious_script})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The startup script doesn't exist. Check the path and try again."; exit 1;
```
<br/>
Reference in New Issue View Git Blame Copy Permalink