Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Plist File Modification

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description) Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications). For example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via Dynamic Linker Hijacking.(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)

ID: T1647
Tactic(s): Defense Evasion
Platforms: macOS
Data Sources: Command: Command Execution, File: File Modification, Process: Process Creation
Version: 1.0
Created: 09 Apr 2022
Last Modified: 20 Apr 2022

Procedure Examples

Name Description
Cuckoo Stealer

Cuckoo Stealer can create and populate property list (plist) files to enable execution.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

XCSSET

XCSSET uses the plutil command to modify the LSUIElement, DFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file to change how XCSSET is visible on the system.(Citation: trendmicro xcsset xcode project 2020)

Mitigations

Mitigation Description
Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Detection

Monitor for common command-line editors used to modify plist files located in auto-run locations, such as \~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. Monitor for plist file modification immediately followed by code execution from \~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist. Identify new services executed from plist modified in the previous user's session.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.