Background
According to the description in the ATT&CK model: https://attack.mitre.org/tactics/TA0003/
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Persistence techniques include any access, action, or configuration change that lets them maintain a foothold on the system, such as replacing or hijacking legitimate code or adding startup code.
Learning materials:
First look at the materials:
1. objective-see.com: https://objective-see.com/
A wonderful site dedicated to macOS security research, with various handy free tools worth collecting, such as LuLu and BlockBlock. Its author has summarized the persistence methods in great detail, including introductions to samples from specific malware families:
https://taomm.org/PDFs/vol1/CH 0x02 Persistence.pdf
2. https://www.jamf.com/blog/category/jamf-protect/
Jamf Protect: macOS security research from a product that was practically born with Apple's golden key; worth a look.
3. https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
SentinelOne's blog is worth reading.
Back to the topic
Let's welcome today's protagonist: PoisonApple. I hope you will read the code carefully and understand how each technique is implemented. I mainly use it to learn and to test EDR.
https://github.com/CyborgSecurity/PoisonApple
Command-line interface:
$ poisonapple --list
[ASCII-art "poisonapple" banner] v0.2.2
AtJob
Bashrc
Cron
CronRoot
Emond
Iterm2
LaunchAgent
LaunchAgentUser
LaunchDaemon
LoginHook
LoginHookUser
LoginItem
LogoutHook
LogoutHookUser
Periodic
Reopen
Zshrc
After analyzing and studying the code, you will find that not all of it is described by Objective-See, but it is basically in line with expectations, mainly covering LaunchAgent, LaunchAgentUser, LaunchDaemon, scheduled tasks, reopen at login, and bash/zsh startup files plus login/logout hooks [some of these may not be mentioned in the materials above, but they turn out to work in practice; I will add details when I have time later].
Case demonstration
1. Create a plist; applies to LaunchAgent, LaunchAgentUser, LaunchDaemon
(1) Copy whoami as the test binary:
cp /usr/bin/whoami /tmp/test
(2) Write the plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.test</string>
    <key>ProgramArguments</key>
    <array>
        <string>/tmp/test</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
Reflections
In attack-and-defense exercises and cryptomining sample analysis, the plist method has been used for persistence many times, and the specific detection rules written on that basis have worked remarkably well (on the premise that the EDR can actually collect the relevant logs).
Earlier, a scheduled task was not cleaned up completely, which led to constant mail prompts. The cause was found later: https://www.twle.cn/t/19396
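As an added example (not from the post or from PoisonApple), here is the kind of host-side check those detection rules boil down to: parse the plist from the case above, flag a com.apple.* label whose program lives outside Apple's system paths, a program in a world-writable directory such as /tmp, and RunAtLoad/KeepAlive, and optionally walk the standard launchd directories. The sample plist is the one written above, embedded as constructed test data; the finding names and path prefixes are my own choices.

```python
import plistlib
from pathlib import Path

# Constructed sample: the plist from the case above, pointing at the whoami copy in /tmp.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.test</string>
    <key>ProgramArguments</key><array><string>/tmp/test</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Standard launchd directories behind the LaunchAgent / LaunchAgentUser / LaunchDaemon techniques.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               str(Path.home() / "Library/LaunchAgents")]
# Where Apple's own binaries live; a com.apple.* label pointing elsewhere is a masquerade signal.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Staging locations a legitimate launch item has no reason to execute from (assumed list).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def analyze_plist(data: bytes) -> dict:
    """Parse one launchd plist (XML or binary) and return label, program and findings."""
    p = plistlib.loads(data)
    label = p.get("Label", "")
    program = p.get("Program") or (p.get("ProgramArguments") or [""])[0]
    findings = []
    if label.startswith("com.apple.") and not program.startswith(SYSTEM_PREFIXES):
        findings.append("apple_label_non_system_program")
    if program.startswith(WRITABLE_PREFIXES):
        findings.append("program_in_world_writable_dir")
    if p.get("RunAtLoad") or p.get("KeepAlive"):
        findings.append("runs_at_load_or_keepalive")
    return {"label": label, "program": program, "findings": findings}


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Return (path, analysis) for every plist in dirs that raised at least one finding."""
    hits = []
    for d in dirs:
        for path in Path(d).glob("*.plist"):  # missing directories simply yield nothing
            try:
                result = analyze_plist(path.read_bytes())
            except Exception as exc:  # unparsable plist: still worth an analyst's look
                result = {"label": "", "program": "", "findings": [f"parse_error: {exc}"]}
            if result["findings"]:
                hits.append((str(path), result))
    return hits
```

Run `scan_launch_dirs()` on a Mac to list launch items that trip any rule; each finding is a triage signal, not a verdict, since RunAtLoad alone is common in legitimate software.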