security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1159/T1159.md
T
CircleCI Atomic Red Team doc generator 159697cc2e Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:21:17 +00:00

54 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1159 - Launch Agent
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1159)
<blockquote>Per Apples developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).
Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific users directory structure) or when any user logs in (which requires administrator privileges).</blockquote>
## Atomic Tests
- [Atomic Test #1 - Launch Agent](#atomic-test-1---launch-agent)
<br/>
## Atomic Test #1 - Launch Agent
Create a plist and execute it
**Supported Platforms:** macOS
#### Run it with these steps!
1. Create file - .client
2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
4.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.client.client</string>
<key>ProgramArguments</key>
<array>
<string>/Users/<update path to .clent file>/.client</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>NSUIElement</key>
<string>1</string>
</dict>
</plist>
5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
<br/>
Reference in New Issue View Git Blame Copy Permalink