atomic-red-team/atomics/T1547.007/T1547.007.yaml
Josh Rickard a5dd0813cd fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323)
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.

This also fixes some white space issues and general line formatting across all impacted atomics.

* fix: One additional change needed

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-02-13 16:10:37 -07:00


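# Atomic Red Team test definitions for ATT&CK T1547.007 (macOS "Re-opened
# Applications" persistence via the loginwindow preference files and LoginHook).
# Each test carries a cleanup_command, but the tests differ in how completely
# the cleanup restores the pre-test state; see the per-test notes below.
attack_technique: T1547.007
display_name: 'Boot or Logon Autostart Execution: Re-opened Applications'
atomic_tests:
  - name: Copy in loginwindow.plist for Re-Opened Applications
    auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
    description: |
      Copy in new loginwindow.plist to launch Calculator.
    supported_platforms:
      - macos
    input_arguments:
      calc_plist_path:
        description: path to binary plist with entry to open calculator
        type: path
        default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist
    executor:
      # The source path is quoted so an atomics folder whose path contains
      # spaces is not split into several cp arguments.
      command: |
        cp "#{calc_plist_path}" ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
      # NOTE(review): this cleanup deletes the target file outright instead of
      # restoring a pre-existing copy (contrast the third test, which backs the
      # file up to /tmp first). Any file at that path before the test ran is
      # lost.
      cleanup_command: |
        rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
      name: sh
  - name: Re-Opened Applications using LoginHook
    auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
    description: |
      Mac Defaults
      [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
    supported_platforms:
      - macos
    input_arguments:
      script:
        description: path to script
        type: path
        # /path/to/script is a placeholder; a real script path must be supplied
        # at run time.
        default: /path/to/script
    executor:
      # Both commands run through sudo, which is why elevation_required is set.
      # The script argument is quoted for the same path-with-spaces reason as
      # in the first test.
      command: |
        sudo defaults write com.apple.loginwindow LoginHook "#{script}"
      cleanup_command: |
        sudo defaults delete com.apple.loginwindow LoginHook
      elevation_required: true
      name: sh
  - name: Append to existing loginwindow for Re-Opened Applications
    auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93
    description: |
      Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
      Note that the change may not result in the added Calculator program launching on next user login.
      It may depend on which version of macOS you are running on.
    supported_platforms:
      - macos
    input_arguments:
      objc_source_path:
        description: path to objective C program
        type: path
        default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
      exe_path:
        description: path to compiled program
        type: path
        default: /tmp/t1547007_append_exe
    dependency_executor_name: bash
    dependencies:
      - description: |
          compile C program
        # Exits 0 when the compiled helper already exists, 1 otherwise.
        prereq_command: |
          if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
        get_prereq_command: |
          cc "#{objc_source_path}" -o "#{exe_path}" -framework Cocoa
    executor:
      # Finds the first loginwindow.*.plist under ~/Library/Preferences/ByHost,
      # saves a backup to /tmp, prints the plist before and after, then runs the
      # compiled helper against it. ${FILE} is quoted throughout so a home
      # directory containing spaces does not break the cp/plutil/helper calls.
      command: |
        FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
        if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
        echo save backup copy to /tmp/
        cp "${FILE}" /tmp/t1547007_loginwindow-backup.plist
        echo before
        plutil -p "${FILE}"
        echo overwriting...
        "#{exe_path}" "${FILE}" && echo after && plutil -p "${FILE}"
      # Removes the compiled helper and moves the backup copy back into place.
      # The restore is skipped when either the plist or the backup is absent,
      # so running cleanup without a prior successful run does not error out.
      cleanup_command: |
        rm -f "#{exe_path}"
        # revert to backup copy
        FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
        if [ -z "${FILE}" ] ; then
          exit 0
        fi
        if [ -f /tmp/t1547007_loginwindow-backup.plist ] ; then
          mv /tmp/t1547007_loginwindow-backup.plist "${FILE}"
        fi
      name: sh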