Mika Ayenson
58 lines
1.6 KiB
Python
58 lines
1.6 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
from pathlib import Path
|
|
from . import common
|
|
from . import RtaMetadata
|
|
|
|
|
|
metadata = RtaMetadata(
|
|
uuid="17c710a6-9070-4448-b68c-a3694657552e",
|
|
platforms=["macos"],
|
|
endpoint=[
|
|
{
|
|
"rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon",
|
|
"rule_id": "c6037fad-ad13-46a6-9f7f-4deeef5ac69b",
|
|
},
|
|
],
|
|
siem=[],
|
|
techniques=["T1547", "T1547.011", "T1543", "T1543.001", "T1543.004"],
|
|
)
|
|
|
|
plist = """
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>Label</key>
|
|
<string>com.example.myapp</string>
|
|
<key>ProgramArguments</key>
|
|
<array>
|
|
<string>bash</string>
|
|
</array>
|
|
<key>RunAtLoad</key>
|
|
<true/>
|
|
</dict>
|
|
</plist>
|
|
"""
|
|
|
|
|
|
@common.requires_os(metadata.platforms)
|
|
def main():
|
|
plist_name = "com.test.plist"
|
|
daemon_dir = Path("/", "Library", "LaunchDaemons").expanduser()
|
|
daemon_dir.mkdir(parents=True, exist_ok=True)
|
|
plist_path = str(daemon_dir / plist_name)
|
|
|
|
# with common.temporary_file(plist, file_name=plist_path):
|
|
with open(plist_path, "w") as f:
|
|
f.write(plist)
|
|
common.execute(["launchctl", "load", plist_path], kill=True)
|
|
common.execute(["launchctl", "unload", plist_path], kill=True)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|