Boot or Logon Autostart Execution: Plist Modification
Other sub-techniques of Boot or Logon Autostart Execution (15)
Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)
Примеры процедур |
|
| Название | Описание |
|---|---|
| LoudMiner |
LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in |
| NETWIRE |
NETWIRE can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020) |
| Dok |
Dok persists via a plist login item.(Citation: objsee mac malware 2017) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
| User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Обнаружение
Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist.
Monitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.
Identify new services executed from plist modified in the previous user's session.
Ссылки
- Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.
- FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.