Austin Robertson
5cb3fed680
* Fix string interpolation from ${foo} to #{foo} across all atomics
* remove non-ASCII characters from atomics YAML
* fix erroneous input_arguments
46 lines
1.0 KiB
YAML
46 lines
1.0 KiB
YAML
---
|
|
attack_technique: T1164
|
|
display_name: Re-Opened Applications
|
|
|
|
atomic_tests:
|
|
- name: Re-Opened Applications
|
|
description: |
|
|
Plist Method
|
|
|
|
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
|
|
|
|
supported_platforms:
|
|
- macos
|
|
|
|
executor:
|
|
name: manual
|
|
steps: |
|
|
1. create a custom plist:
|
|
|
|
~/Library/Preferences/com.apple.loginwindow.plist
|
|
|
|
or
|
|
|
|
~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
|
|
|
|
- name: Re-Opened Applications
|
|
description: |
|
|
Mac Defaults
|
|
|
|
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
|
|
|
|
supported_platforms:
|
|
- macos
|
|
|
|
input_arguments:
|
|
script:
|
|
description: path to script
|
|
type: path
|
|
default: /path/to/script
|
|
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
sudo defaults write com.apple.loginwindow LoginHook #{script}
|
|
sudo defaults delete com.apple.loginwindow LoginHook
|