T1164 - Re-opened Applications
Description from ATT&CK
Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well, located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).
Atomic Tests
Atomic Test #1 - Re-Opened Applications
Plist Method
Supported Platforms: macOS
Run it with these steps!
- Create a custom plist:
~/Library/Preferences/com.apple.loginwindow.plist
or
~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
Atomic Test #2 - Re-Opened Applications
Mac Defaults
Supported Platforms: macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| script | path to script | path | /path/to/script |
Run it with sh!
sudo defaults write com.apple.loginwindow LoginHook #{script}
sudo defaults delete com.apple.loginwindow LoginHook
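
For detection, the loginwindow plists named above can be audited for the `LoginHook` value that Atomic Test #2 writes and for re-opened application entries outside expected directories. The following is an added example, not part of the original atomic tests; the `TALAppsToRelaunchAtLogin` and `LogoutHook` key names, the trusted-directory list, and the sample plist are assumptions that do not come from this page.

```python
import plistlib
import sys

# Directories where re-opened applications are expected (assumption; tune per fleet).
TRUSTED_PREFIXES = ("/Applications/", "/System/")

def audit_loginwindow_plist(data):
    """Return a list of findings for a com.apple.loginwindow plist (XML or binary)."""
    prefs = plistlib.loads(data)
    findings = []
    # LoginHook/LogoutHook make loginwindow run a script; Atomic Test #2 sets LoginHook.
    for key in ("LoginHook", "LogoutHook"):
        if key in prefs:
            findings.append(f"{key} set to {prefs[key]}")
    # Re-opened applications: assumed to be a list of dicts carrying a Path entry.
    for app in prefs.get("TALAppsToRelaunchAtLogin", []):
        if not isinstance(app, dict):
            findings.append(f"unexpected re-open entry: {app!r}")
            continue
        path = str(app.get("Path", ""))
        if not path.startswith(TRUSTED_PREFIXES):
            bundle = app.get("BundleID", "unknown bundle")
            findings.append(f"re-opened app outside trusted dirs: {path} ({bundle})")
    return findings

# Constructed sample plist: one LoginHook, one normal app, one app in a user-writable path.
SAMPLE = plistlib.dumps({
    "LoginHook": "/path/to/script",
    "TALAppsToRelaunchAtLogin": [
        {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app", "Hide": False},
        {"BundleID": "com.example.updater", "Path": "/Users/Shared/.updater.app", "Hide": True},
    ],
})

if __name__ == "__main__":
    # Audit plist files given as arguments, or the constructed sample if none are given.
    if len(sys.argv) > 1:
        for plist_path in sys.argv[1:]:
            with open(plist_path, "rb") as fh:
                for finding in audit_loginwindow_plist(fh.read()):
                    print(f"{plist_path}: {finding}")
    else:
        for finding in audit_loginwindow_plist(SAMPLE):
            print(f"sample: {finding}")
```

On a macOS host, pass the paths of the plists listed in Atomic Test #1 as arguments; each finding is a lead to review, since legitimate software can also set these keys.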