MacOS Persistence

[h00die]

Summary

Currently there's only one module (plist). https://www.kandji.io/blog/mac-malware-persistence has a nice list of other places to persist

Basic example

https://github.com/dockur/macos should make development a lot easier

Motivation

There's lots of room for improvement!

• Login Items
• Launch Items
• Scheduled Jobs and Tasks
• Dynamic Libraries

[gardnerapp]

Full list of persistence methods can be The Art of Mac Malware. There are already persistence support for Launch Items, both Daemons and Agents. Currently this module is called persistence but should probably be called Launch Item Persistence.

At Persistence is supported under unix/local. Cron persistence is available for Linux, my guess would be that this module would work on OSX.

Login Items look promising:

Apple’s backgroundtaskmanagementagent program, which manages various
background tasks such as login items, stores these items in a file named
backgrounditems.btm. For more technical details on this file and its format,
see my blog post “Block Blocking Login Items.”1
To programmatically create a login item, software can invoke various shared
file list (LSSharedFileList*) APIs. For example, the LSSharedFileListCreate
function returns a reference to the list of existing login items. This list can
then be passed to the LSSharedFileListInsertItemURL function, along with
the path of a new application you want to persist as a login item

Periodic scripts, which falls under jobs and tasks have not been implemented and seem relatively simple. To my knowledge OSX inherits this feature from BSD, I'm wondering if we could build a module that works for both. As noted in TAOMM periodic scripts are aren't being leveraged for persistence:

If you list the contents of /etc/periodic, you’ll find a directory containing
scripts that will run on well-defined intervals (Listing 2-15).

% ls /etc/periodic
daily
weekly
monthly

Though this directory is owned by root, malware with adequate privileges
may be able to create (or subvert) a periodic script in order to achieve per-
sistence at regular intervals. Although periodic scripts are conceptually
rather similar to cron jobs, there are a few differences, such as the fact that
they are handled by a separate daemon.8 Similar to at jobs, no malware cur-
rently leverages this method for persistence

Login/Logout hooks would be another low hanging fruit for persistence, requiring a payload a PLIST in ~/Library/Preferences/com.apple.loginwindow.plist. This would be very similar logic to the Launch Agent (persistence.rb) module and I'm wondering if we should consolidate this method there?

As noted in TAOMM another neat place to hide persistence would be in system scripts, for example /etc/rc.common which is executed on boot. And then there are normal startup scripts found in *nix systems like ~/.zshrc etc that can be abused.

It would be call if there was just one Meta-Persistence module that would check every nook and cranny of the system and provide you a list with places you can persist.

[h00die]

Appreciate the feedback. A lot of this is just placeholders/reminders for after #19815 lands. I've done a bunch of mac testing to make sure the Launch items are still working. Also made sure the at and cron modules worked as well. Waiting on that to land before adding more techniques

[h00die]

It would be call if there was just one Meta-Persistence module that would check every nook and cranny of the system and provide you a list with places you can persist.

Persistence suggester, similar to local exploit suggester, is implemented in the persistence overhaul already :) https://github.com/rapid7/metasploit-framework/pull/19815/files#diff-e12cbce40ffdbf4924980a4b6c52b0954eb0ada8938ae51a9134f8b0e724ffb1

[gardnerapp]

Added Periodic Script Persistence in #19903