Try it using Invoke-Atomic

Boot or Logon Autostart Execution: Re-opened Applications

Description from ATT&CK

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the <code>com.apple.loginwindow.[UUID].plist</code> file to execute payloads when a user logs in. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Re-Opened Applications

Plist Method

Reference

Supported Platforms: macos

auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba

Inputs:

None

Run it with these steps!

  1. create a custom plist:

    ~/Library/Preferences/com.apple.loginwindow.plist

or

1
~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
1

Atomic Test #2 - Re-Opened Applications

Mac Defaults

Reference

Supported Platforms: macos

auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb

Inputs:

Name Description Type Default Value
script path to script Path /path/to/script

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo defaults write com.apple.loginwindow LoginHook #{script}

Cleanup Commands:

1
2
sudo defaults delete com.apple.loginwindow LoginHook

source