atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1160.md
2019-02-12 04:55:11 +01:00

# T1160 - Launch Daemon
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1160)
<blockquote>Per Apple's developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).
Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.
The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon's executable and gain persistence or Privilege Escalation.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Launch Daemon](#atomic-test-1---launch-daemon)
<br/>
## Atomic Test #1 - Launch Daemon
Utilize LaunchDaemon to launch `Hello World`
**Supported Platforms:** macOS
#### Run it with these steps!
1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
2.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.hello</string>
<key>ProgramArguments</key>
<array>
<string>hello</string>
<string>world</string>
</array>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
```
<br/>
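As an added example (not part of the atomic test or of the Atomic Threat Coverage project), the following Python script audits the two LaunchDaemon directories named in the ATT&CK description for the weak configuration it mentions: a plist, or the program it points to, that is not owned by root:wheel or is writable by group/others. The directory paths and the sample plist come from this page; the function names and the finding messages are the example's own.

```python
import plistlib
import stat
from pathlib import Path

# Directories launchd reads system-level daemons from (named in the ATT&CK text).
DAEMON_DIRS = ["/System/Library/LaunchDaemons", "/Library/LaunchDaemons"]

# Constructed sample: the com.example.hello plist from the atomic test above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Label</key><string>com.example.hello</string>
<key>ProgramArguments</key><array><string>hello</string><string>world</string></array>
<key>KeepAlive</key><true/></dict></plist>"""

def parse_daemon(data: bytes) -> dict:
    """Pull the fields a reviewer cares about out of a LaunchDaemon plist."""
    d = plistlib.loads(data)
    args = list(d.get("ProgramArguments") or [])
    # launchd executes 'Program' when present, otherwise ProgramArguments[0].
    program = d.get("Program") or (args[0] if args else None)
    return {"label": d.get("Label"), "program": program, "args": args,
            "keep_alive": bool(d.get("KeepAlive", False)),
            "run_at_load": bool(d.get("RunAtLoad", False))}

def perm_findings(uid: int, gid: int, mode: int, what: str) -> list:
    """Flag a plist or target that is not root:wheel or is writable by group/others."""
    findings = []
    if uid != 0 or gid != 0:
        findings.append(f"{what} not owned by root:wheel (uid={uid}, gid={gid})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{what} is group/world writable (mode={oct(mode & 0o777)})")
    return findings

def audit_plist_file(path: str) -> dict:
    """Parse one daemon plist on disk and check its permissions and its target's."""
    p = Path(path)
    info = parse_daemon(p.read_bytes())
    st = p.stat()
    findings = perm_findings(st.st_uid, st.st_gid, st.st_mode, "plist")
    prog = info["program"]
    if prog and Path(prog).is_absolute() and Path(prog).exists():
        ps = Path(prog).stat()
        findings += perm_findings(ps.st_uid, ps.st_gid, ps.st_mode, f"target {prog}")
    elif prog:
        findings.append(f"target {prog!r} is not an existing absolute path")
    info["findings"] = findings
    return info

def audit_all(dirs=DAEMON_DIRS) -> list:
    return [audit_plist_file(str(f)) for d in dirs for f in Path(d).glob("*.plist")]
```

Run `audit_all()` as root on a macOS host to list every daemon with its label, target program and any permission findings; on other systems the directories do not exist and the result is empty.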