Carrie Roberts
41 lines
1.0 KiB
YAML
41 lines
1.0 KiB
YAML
---
|
|
attack_technique: T1165
|
|
display_name: Startup Items
|
|
|
|
atomic_tests:
|
|
- name: Startup Items
|
|
description: |
|
|
Modify or create an file in StartupItems
|
|
|
|
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
|
|
|
|
supported_platforms:
|
|
- macos
|
|
|
|
executor:
|
|
name: manual
|
|
steps: |
|
|
1. /Library/StartupItems/StartupParameters.plist
|
|
|
|
- name: Startup Items (emond rule)
|
|
description: |
|
|
Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
|
|
|
|
supported_platforms:
|
|
- macos
|
|
|
|
input_arguments:
|
|
plist:
|
|
description: Path to emond plist file
|
|
type: path
|
|
default: /path/to/T1165_emond.plist
|
|
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
|
|
sudo touch /private/var/db/emondClients/T1165
|
|
cleanup_command: |
|
|
sudo rm /etc/emond.d/rules/T1165_emond.plist
|
|
sudo rm /private/var/db/emondClients/T1165
|