Create or Modify System Process: Агент запуска
Other sub-techniques of Create or Modify System Process (4)
ID | Название |
---|---|
.001 | Агент запуска |
.002 | Служба systemd |
.003 | Служба Windows |
.004 | Демон запуска |
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents
, /Library/LaunchAgents
, and ~/Library/LaunchAgents
.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label
, ProgramArguments
, and RunAtLoad
keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the Launchctl command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad
or KeepAlive
keys set to true
.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)
Примеры процедур |
|
Название | Описание |
---|---|
Calisto |
Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.(Citation: Securelist Calisto July 2018) |
Proton |
Proton persists via Launch Agent.(Citation: objsee mac malware 2017) |
MacSpy |
MacSpy persists via a Launch Agent.(Citation: objsee mac malware 2017) |
CrossRAT |
CrossRAT creates a Launch Agent on macOS.(Citation: Lookout Dark Caracal Jan 2018) |
Dok |
Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format |
Dacls |
Dacls can establish persistence via a LaunchAgent.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020) |
MacMa |
MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021) |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D can create a persistence file in the folder |
Bundlore |
Bundlore can persist via a LaunchAgent.(Citation: MacKeeper Bundlore Apr 2019) |
ThiefQuest |
ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the |
macOS.OSAMiner |
macOS.OSAMiner has placed a Stripped Payloads with a `plist` extension in the Launch Agent's folder. (Citation: SentinelLabs reversing run-only applescripts 2021) |
CoinTicker |
CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.(Citation: CoinTicker 2019) |
Green Lambert |
Green Lambert can create a Launch Agent with the `RunAtLoad` key-value pair set to |
CookieMiner |
CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.(Citation: Unit42 CookieMiner Jan 2019) |
FruitFly |
FruitFly persists via a Launch Agent.(Citation: objsee mac malware 2017) |
Komplex |
The Komplex trojan creates a persistent launch agent called with |
NETWIRE |
NETWIRE can use launch agents for persistence.(Citation: Red Canary NETWIRE January 2020) |
Keydnap |
Keydnap uses a Launch Agent to persist.(Citation: synack 2016 review) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Обнаружение
Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.
Ensure Launch Agent's ProgramArguments
key pointing to executables located in the /tmp
or /shared
folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad
key set to true
are in alignment with policy.
Ссылки
- Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
- Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
- Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
- Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
- Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
- M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Antonio Piazza (4n7m4n). (2021, November 23). Defeating Malicious Launch Persistence. Retrieved April 19, 2022.
- Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
- Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
- Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
- Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
- Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.