CYBERSECURITY JOB HUNTING GUIDE
T1543.001 Create or Modify System Process: Launch Agent
Author: Stefan Waldvogel
LimaCharlie vs. Launch Agent
Overview:
T1543.001 - Launch Agent
Description from ATT&CK
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).
Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
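The description above boils down to one artifact a defender can inspect: a plist in one of the three LaunchAgents directories whose Program/ProgramArguments points at the payload, usually with RunAtLoad and KeepAlive set. The script below is an added example (not from this page, Atomic Red Team or LimaCharlie) that parses such plists with Python's standard plistlib and flags the tells the description mentions: an Apple-looking label outside /System/Library/LaunchAgents, a payload started through a shell or script interpreter, and a path into a user-writable or hidden location. The two embedded plists are constructed samples, and the indicator names and the `/Users`, `/tmp` prefix list are my own assumptions to tune per environment.

```python
"""Triage macOS LaunchAgent plists for T1543.001 persistence indicators.

Added example, not code from the page, Atomic Red Team or LimaCharlie.
The two sample plists are constructed; indicator names and path prefixes
are assumptions to tune per environment, not a vendor detection rule.
"""
import plistlib
from pathlib import Path

# The three directories launchd loads per-user agents from (see ATT&CK text).
LAUNCH_AGENT_DIRS = [
    Path("/System/Library/LaunchAgents"),
    Path("/Library/LaunchAgents"),
    Path.home() / "Library" / "LaunchAgents",
]
# Interpreters commonly used to stage a payload from a plist (assumption).
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "osascript", "curl"}
# Locations an unprivileged user can write to (assumption; extend as needed).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/",
                          "/private/var/tmp/", "/var/folders/")

# Constructed sample: agent in ~/Library/LaunchAgents with an Apple-looking
# label that runs a hidden script through /bin/sh, resurrected by KeepAlive.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/alice/Library/.cache/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: a typical vendor agent launching a binary inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def _is_hidden_or_user_writable(path: str) -> bool:
    """True if the path has a dot-prefixed component or sits in a user-writable area."""
    hidden = any(p.startswith(".") and p not in (".", "..") for p in Path(path).parts)
    return hidden or path.startswith(USER_WRITABLE_PREFIXES)


def triage_plist(data: bytes, location: str) -> dict:
    """Parse one LaunchAgent plist; return the fields a responder wants plus indicators."""
    d = plistlib.loads(data)
    label = d.get("Label", "")
    # launchd runs Program if set, otherwise ProgramArguments[0].
    args = list(d.get("ProgramArguments") or [])
    if "Program" in d and not args:
        args = [d["Program"]]
    program = d.get("Program") or (args[0] if args else "")
    indicators = []
    # Apple-namespaced labels belong in /System/Library/LaunchAgents; elsewhere it is impersonation.
    if label.startswith("com.apple.") and not location.startswith("/System/Library/LaunchAgents/"):
        indicators.append("apple-label-outside-system-dir")
    # Payload launched through a shell/script interpreter rather than a real binary.
    if program and Path(program).name in INTERPRETERS:
        indicators.append("interpreter-launcher")
    # Any path argument that points into a user-writable or hidden location.
    if any(a.startswith("/") and _is_hidden_or_user_writable(a) for a in args):
        indicators.append("user-writable-or-hidden-path")
    return {
        "location": location, "label": label, "program": program, "args": args,
        "run_at_load": bool(d.get("RunAtLoad", False)),
        "keep_alive": bool(d.get("KeepAlive", False)),
        "indicators": indicators,
        "verdict": "suspicious" if indicators else "benign",
    }


def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS) -> list:
    """Triage every *.plist in the launchd agent directories present on this host."""
    results = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                results.append(triage_plist(p.read_bytes(), str(p)))
            except Exception as exc:  # malformed plist: still worth a look
                results.append({"location": str(p), "indicators": [f"unparseable:{exc}"],
                                "verdict": "review"})
    return results


if __name__ == "__main__":
    for sample, loc in ((SUSPICIOUS_PLIST, "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"),
                        (BENIGN_PLIST, "/Library/LaunchAgents/com.example.updater.plist")):
        r = triage_plist(sample, loc)
        print(f"{r['verdict']:10s} {r['label']:35s} {r['program']}  {r['indicators']}")
    for r in scan_launch_agents():  # real plists, if run on a Mac
        print(r["verdict"], r["location"], r["indicators"])
```

On a Mac, `scan_launch_agents()` walks the real directories; on any other host only the constructed samples are evaluated, which is enough to exercise the logic before wiring it into an EDR response or a LimaCharlie detection and response rule. The same three checks map cleanly onto the file-write and process-start events an agent sees when the Atomic test drops its plist and `launchctl load` runs it.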
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1543.001 -ShowDetailsBrief
Invoke-AtomicTest T1543.001 -CheckPrereqs
Invoke-AtomicTest T1543.001 -GetPrereqs
Invoke-AtomicTest T1543.001 -TestNumbers 1
Invoke-AtomicTest T1543.001 -Cleanup
Changes:
-none-
Limitations:
No macOS host available, so the test could not be executed.
Results:
This technique has 1 atomic test.
Invoke-AtomicTest T1543.001 -TestNumbers 1 was not run: it is a macOS test and no Mac was available.
© 2021. This work is licensed under a CC BY-SA 4.0 license