security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3e4ba89cf472aa88518eea3a85b4469bcc3bbcb5
atomic-red-team/Mac/Persistence/Local_Job_Scheduling.md
T
Dan Bourke b73f61c5dc minor consistency edit
2018-02-13 14:39:08 +11:00

1.4 KiB
Raw Blame History

Local Job Scheduling

MITRE ATT&CK Technique: T1168

Cron Job

echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil

Emond

Place this file in /etc/emond.d/rules/atomicredteam.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>name</key>
        <string>atomicredteam</string>
        <key>enabled</key>
        <true/>
        <key>eventTypes</key>
        <array>
            <string>startup</string>
        </array>
        <key>actions</key>
        <array>
            <dict>
                <key>command</key>
                <string>/usr/bin/say</string>
                <key>user</key>
                <string>root</string>
                <key>arguments</key>
                    <array>
                        <string>-v Tessa</string>
                        <string>I am a persistent startup item.</string>
                    </array>
                <key>type</key>
                <string>RunCommand</string>
            </dict>
        </array>
    </dict>
</array>
</plist>

Place an empty file in /private/var/db/emondClients/

sudo touch /private/var/db/emondClients/randomflag
Reference in New Issue View Git Blame Copy Permalink