
Boot or Logon Autostart Execution: Login Items

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications. 
Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)

ID: T1547.015
Sub-technique of: T1547
Tactic(s): Persistence, Privilege Escalation
Platforms: macOS
Permissions required: User
Data sources: File: File Creation, File: File Modification, Process: Process Creation
Version: 1.0
Created: 05 Oct 2021
Last modified: 18 Oct 2021

Procedure Examples

Name / Description
Green Lambert

Green Lambert can add Login Items to establish persistence.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

NETWIRE

NETWIRE can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020)

Dok

Dok uses AppleScript to install a login item by sending Apple events to the System Events process.(Citation: hexed osx.dok analysis 2019)

Detection

All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications. Otherwise, login items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple) Monitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior, such as establishing network connections.
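The detection guidance above names three things to watch: the backgrounditems.btm shared file list, helper bundles under Contents/Library/LoginItems inside application bundles, and helpers whose Info.plist sets LSUIElement or LSBackgroundOnly. The following audit script is an added example written for this page, not ATT&CK's or SECURITM's own tooling. It fingerprints the .btm file so a change can be diffed against a stored baseline (the file is an opaque binary plist of bookmark data, so its contents are not parsed), enumerates login-item helpers, and flags hidden helpers whose bundle identifier is not on an allowlist. The allowlist, the bundle identifiers and the whole sample directory tree are constructed for the demonstration; point the two functions at /Applications and a real home directory to run it against a live system.

```python
"""Audit macOS login-item persistence locations (added example, not from the
ATT&CK page). The allowlist and the sample bundle tree are constructed for
demonstration; the paths mirror the real macOS layout."""
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Constructed allowlist of helper bundle identifiers the organization expects.
ALLOWLIST = {"com.example.mail.LoginHelper"}

# Location of the shared-file-list store named in the Detection section, relative to $HOME.
BTM_RELATIVE = Path("Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm")


def _truthy(value):
    """Info.plist booleans may be real booleans or the strings YES / 1 / true."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "yes", "true"}


def audit_login_item_helpers(apps_root, allowlist=ALLOWLIST):
    """Return one finding per helper under <App>.app/Contents/Library/LoginItems.

    A helper is flagged suspicious when it hides itself (LSUIElement or
    LSBackgroundOnly true) and its CFBundleIdentifier is not allowlisted."""
    findings = []
    for helper_dir in sorted(Path(apps_root).glob("*.app/Contents/Library/LoginItems")):
        parent_app = helper_dir.parents[2].name  # LoginItems -> Library -> Contents -> <App>.app
        for helper in sorted(helper_dir.glob("*.app")):
            info_path = helper / "Contents" / "Info.plist"
            bundle_id, hidden = "<missing Info.plist>", False
            if info_path.is_file():
                with open(info_path, "rb") as fh:
                    info = plistlib.load(fh)
                bundle_id = info.get("CFBundleIdentifier", "<no CFBundleIdentifier>")
                hidden = _truthy(info.get("LSUIElement", False)) or _truthy(info.get("LSBackgroundOnly", False))
            findings.append({
                "parent_app": parent_app,
                "helper": helper.name,
                "bundle_id": bundle_id,
                "hidden": hidden,
                "allowlisted": bundle_id in allowlist,
                "suspicious": hidden and bundle_id not in allowlist,
            })
    return findings


def shared_file_list_state(home):
    """Fingerprint backgrounditems.btm so a stored baseline can reveal modification.

    Only presence, size and SHA-256 are recorded; the file is not parsed."""
    path = Path(home) / BTM_RELATIVE
    if not path.is_file():
        return {"exists": False}
    data = path.read_bytes()
    return {"exists": True, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def _write_helper(apps_root, app, helper, bundle_id, extra):
    """Create a minimal helper bundle with the given Info.plist keys (constructed data)."""
    contents = Path(apps_root) / app / "Contents/Library/LoginItems" / helper / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id, **extra}, fh)


def build_sample_tree(root=None):
    """Build a constructed Applications tree and fake home directory for the demo."""
    root = Path(root or tempfile.mkdtemp(prefix="loginitems-"))
    apps, home = root / "Applications", root / "home"
    _write_helper(apps, "Mail.app", "MailHelper.app", "com.example.mail.LoginHelper", {"LSUIElement": True})
    _write_helper(apps, "Notes.app", "NotesHelper.app", "com.example.notes.helper", {})
    _write_helper(apps, "Updater.app", "Agent.app", "com.example.unknown.agent", {"LSBackgroundOnly": "YES"})
    btm = home / BTM_RELATIVE
    btm.parent.mkdir(parents=True)
    btm.write_bytes(b"bplist00-constructed-placeholder")  # placeholder bytes, not a real .btm file
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in audit_login_item_helpers(root / "Applications"):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['parent_app']}/{finding['helper']} "
              f"{finding['bundle_id']} hidden={finding['hidden']}")
    print(shared_file_list_state(root / "home"))
```

In the constructed tree the Mail helper is hidden but allowlisted, the Notes helper is visible, and only the Updater helper is both hidden and unknown, so it is the only finding marked suspicious. On a real host, treat a changed .btm digest or a new suspicious finding as a trigger to inspect the helper binary and the process it spawns at login.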

References

  1. Apple. (2018, June 4). Launch Services Keys. Retrieved October 5, 2021.
  2. Stokes, Phil. (2019, June 17). How Malware Persists on macOS. Retrieved September 10, 2019.
  3. Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021.
  4. Patrick Wardle. (2019, June 20). Burned by Fire(fox). Retrieved October 1, 2021.
  5. Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
  6. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  7. kaloprominat. (2013, July 30). macos: manage add list remove login items apple script. Retrieved October 5, 2021.
  8. fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.
  9. hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021.
  10. Apple. (n.d.). Login Items AE. Retrieved October 4, 2021.
  11. hoakley. (2018, May 22). Running at startup: when to use a Login Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021.
  12. Apple. (n.d.). Launch Services. Retrieved October 5, 2021.
  13. Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved October 5, 2021.
  14. Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017.
  15. Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021.
  16. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  17. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  18. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

Related risks

Nothing found
