Michael Haag
43 lines
1.1 KiB
YAML
43 lines
1.1 KiB
YAML
---
|
|
attack_technique: T1159
|
|
display_name: Launch Agent
|
|
|
|
atomic_tests:
|
|
- name: Launch Agent
|
|
description: |
|
|
Create a plist and execute it
|
|
|
|
supported_platforms:
|
|
- macos
|
|
|
|
executor:
|
|
name: manual
|
|
steps: |
|
|
1. Create file - .client
|
|
|
|
2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
|
|
|
|
3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
|
|
|
|
4.
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>KeepAlive</key>
|
|
<true/>
|
|
<key>Label</key>
|
|
<string>com.client.client</string>
|
|
<key>ProgramArguments</key>
|
|
<array>
|
|
<string>/Users/<update path to .clent file>/.client</string>
|
|
</array>
|
|
<key>RunAtLoad</key>
|
|
<true/>
|
|
<key>NSUIElement</key>
|
|
<string>1</string>
|
|
</dict>
|
|
</plist>
|
|
|
|
5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
|