Try it using Invoke-Atomic

Create or Modify System Process: Launch Agent

Description from ATT&CK

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the Launchctl command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the <code>RunAtLoad</code> or <code>KeepAlive</code> keys set to <code>true</code>.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Launch Agent

Create a plist and execute it

Supported Platforms: macos

auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900

Inputs:

Name Description Type Default Value
plist_filename filename string com.atomicredteam.plist
path_malicious_plist Name of file to store in cron folder string $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
3
4
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}

Dependencies: Run with bash!

Description: The shared library must exist on disk at specified location (#{path_malicious_plist})

Check Prereq Commands:

1
2
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
echo "The shared library doesn't exist. Check the path"; exit 1;

source