T1037.005, T1543.001, T1543.004 Persist Tests Enhancements #2755
T1037.005, T1543.001, T1543.004
a8da3ed to 58496ee
Sorry for the delay. Requested a couple changes.
- name: Launch Daemon - Users Directory | ||
auto_generated_guid: | ||
description: | | ||
Utilize LaunchDaemon in /Users directory to touch temporary file in /tmp | ||
supported_platforms: | ||
- macos |
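Review bot: The description line says only "/Users directory" and "temporary file in /tmp", which is too vague to verify or clean up after. Name the exact directory the plist is written to and the file the job touches, so someone running the test knows what artifact to look for and what to remove.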
My suggestion here would be instead of creating a new test, we can create a new input argument in the previous test launch_daemons_path and have a default value of /Library/LaunchDaemons. If needed, others can change this path to execute in a different directory (say Users directory). What are your thoughts?
Apologies for the late response, I was on time off myself. I think that could be a valid solution as well, and perhaps more useful for some strange edge cases, but launch daemons are only seen and run if placed in one of these two directories. Putting it anywhere else wouldn't quite be fair to say is emulating any sort of attack because it would never be run (not automatically by the OS, that is). Could be done, but for the sake of cutting out user input I think this would be fine for now.
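For the detection side of these tests, the following added example (not code from this PR or from the project) classifies a launchd plist by which of the four directories named in this PR it sits in and flags jobs that run at load or reference a world-writable path. The `WRITABLE` list, the labels, the user name and the file names in the sample data are assumptions constructed for illustration.

```python
import plistlib
import re

# The four directories named in this PR; anything else is reported as "other".
LOCATIONS = [
    (re.compile(r"^/Library/LaunchDaemons/"), "system-daemons"),
    (re.compile(r"^/Library/LaunchAgents/"), "system-agents"),
    (re.compile(r"^/Users/[^/]+/Library/LaunchDaemons/"), "user-daemons"),
    (re.compile(r"^/Users/[^/]+/Library/LaunchAgents/"), "user-agents"),
]
# Assumption: world-writable staging paths worth flagging in a job's command.
WRITABLE = ("/tmp/", "/var/tmp/", "/Users/Shared/")

def classify(path):
    """Map a plist path to one of the launchd directories above."""
    return next((name for rx, name in LOCATIONS if rx.match(path)), "other")

def audit(path, raw):
    """Return (location, label, findings) for one launchd job definition."""
    try:
        job = plistlib.loads(raw)
    except Exception:  # malformed XML or unknown plist format
        return classify(path), None, ["unparseable"]
    if not isinstance(job, dict):
        return classify(path), None, ["not-a-dict"]
    argv = [job["Program"]] if job.get("Program") else []
    argv += job.get("ProgramArguments") or []
    findings = []
    if job.get("RunAtLoad") is True:
        findings.append("run-at-load")
    if any(w in a for a in argv if isinstance(a, str) for w in WRITABLE):
        findings.append("writable-path-in-command")
    return classify(path), job.get("Label"), findings

# Constructed sample input (labels, user name and file names are made up).
SAMPLES = {
    "/Users/alice/Library/LaunchDaemons/com.example.test.plist": plistlib.dumps({
        "Label": "com.example.test",
        "ProgramArguments": ["/bin/sh", "-c", "touch /tmp/example_marker"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "Program": "/Applications/Example.app/Contents/MacOS/updater",
    }),
    "/Library/LaunchDaemons/broken.plist": b"not a plist",
}

if __name__ == "__main__":
    for p, raw in SAMPLES.items():
        print(p, *audit(p, raw))
```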
f15d27f to c816622
Details:
MACOS ONLY
StartupParameters.plist, two bash scripts, and two plist files (one for agent, one for daemon) to be spawned from the bash scripts.
/Library/LaunchAgents in addition to the already existing ~/Library/LaunchAgents test
~/Library/LaunchDaemons in addition to the already existing /Library/LaunchDaemons test
Testing:
Tested on Apple M1 Pro Sonoma 14.3.1
Associated Issues: