Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Агент запуска
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Агент запуска
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Create or Modify System Process:  Агент запуска

ID Название
.001 Агент запуска
.002 Служба systemd
.003 Служба Windows
.004 Демон запуска

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. Launch Agents can also be executed using the Launchctl command. Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)

ID: T1543.001
Относится к технике:  T1543
Тактика(-и): Persistence, Privilege Escalation
Платформы: macOS
Требуемые разрешения: Administrator, User
Источники данных: Command: Command Execution, File: File Creation, File: File Modification, Service: Service Creation, Service: Service Modification
Версия: 1.4
Дата создания: 17 Jan 2020
Последнее изменение: 21 Apr 2022

Примеры процедур
Название Описание
Calisto

Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.(Citation: Securelist Calisto July 2018)
Proton

Proton persists via Launch Agent.(Citation: objsee mac malware 2017)
MacSpy

MacSpy persists via a Launch Agent.(Citation: objsee mac malware 2017)
CrossRAT

CrossRAT creates a Launch Agent on macOS.(Citation: Lookout Dark Caracal Jan 2018)
Dok

Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format com.random.name.plist.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)
Dacls

Dacls can establish persistence via a LaunchAgent.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)
MacMa

MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
Bundlore

Bundlore can persist via a LaunchAgent.(Citation: MacKeeper Bundlore Apr 2019)
ThiefQuest

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.(Citation: wardle evilquest parti)
macOS.OSAMiner

macOS.OSAMiner has placed a Stripped Payloads with a `plist` extension in the Launch Agent's folder. (Citation: SentinelLabs reversing run-only applescripts 2021)
CoinTicker

CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.(Citation: CoinTicker 2019)

Green Lambert

Green Lambert can create a Launch Agent with the `RunAtLoad` key-value pair set to true, ensuring the `com.apple.GrowlHelper.plist` file runs every time a user logs in.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)
CookieMiner

CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.(Citation: Unit42 CookieMiner Jan 2019)
FruitFly

FruitFly persists via a Launch Agent.(Citation: objsee mac malware 2017)
Komplex

The Komplex trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.(Citation: Sofacy Komplex Trojan)
NETWIRE

NETWIRE can use launch agents for persistence.(Citation: Red Canary NETWIRE January 2020)
Keydnap

Keydnap uses a Launch Agent to persist.(Citation: synack 2016 review)

Контрмеры
Контрмера Описание
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Обнаружение

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications. Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.

Ссылки

  1. Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  3. Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.
  4. Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
  5. Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
  6. Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
  7. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  8. Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
  9. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  10. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  11. Antonio Piazza (4n7m4n). (2021, November 23). Defeating Malicious Launch Persistence. Retrieved April 19, 2022.
  12. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  13. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  14. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  15. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  16. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  17. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  18. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  19. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  20. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  21. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  22. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  23. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  24. Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
  25. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  26. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  27. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  28. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.