Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
24 lines
924 B
YAML
24 lines
924 B
YAML
attack_technique: T1546.014
|
|
display_name: 'Event Triggered Execution: Emond'
|
|
atomic_tests:
|
|
- name: Persistance with Event Monitor - emond
|
|
auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114
|
|
description: |
|
|
Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
plist:
|
|
description: Path to attacker emond plist file
|
|
type: path
|
|
default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist
|
|
executor:
|
|
command: |
|
|
sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist
|
|
sudo touch /private/var/db/emondClients/T1546.014
|
|
cleanup_command: |
|
|
sudo rm /etc/emond.d/rules/T1546.014_emond.plist
|
|
sudo rm /private/var/db/emondClients/T1546.014
|
|
name: sh
|
|
elevation_required: true
|