
MacOS Persistence

Open h00die opened this issue 1 year ago • 4 comments

Summary

Currently there's only one module (plist). https://www.kandji.io/blog/mac-malware-persistence has a nice list of other places to persist

Basic example

https://github.com/dockur/macos should make development a lot easier

Motivation

There's lots of room for improvement!

  • [ ] Login Items
  • [ ] Launch Items
  • [ ] Scheduled Jobs and Tasks
  • [ ] Dynamic Libraries

h00die avatar Feb 17 '25 13:02 h00die

A full list of persistence methods can be found in The Art of Mac Malware. There is already persistence support for Launch Items, both Daemons and Agents. Currently this module is called persistence but should probably be called Launch Item Persistence.

At persistence is supported under unix/local. Cron persistence is available for Linux; my guess would be that this module would work on OSX.

Login Items look promising:

Apple’s backgroundtaskmanagementagent program, which manages various background tasks such as login items, stores these items in a file named backgrounditems.btm. For more technical details on this file and its format, see my blog post “Block Blocking Login Items.” To programmatically create a login item, software can invoke various shared file list (LSSharedFileList*) APIs. For example, the LSSharedFileListCreate function returns a reference to the list of existing login items. This list can then be passed to the LSSharedFileListInsertItemURL function, along with the path of a new application you want to persist as a login item.

Periodic scripts, which fall under jobs and tasks, have not been implemented and seem relatively simple. To my knowledge OSX inherits this feature from BSD; I'm wondering if we could build a module that works for both. As noted in TAOMM, periodic scripts aren't being leveraged for persistence:

If you list the contents of /etc/periodic, you’ll find a directory containing scripts that will run on well-defined intervals (Listing 2-15).

% ls /etc/periodic
daily
weekly
monthly

Though this directory is owned by root, malware with adequate privileges may be able to create (or subvert) a periodic script in order to achieve persistence at regular intervals. Although periodic scripts are conceptually rather similar to cron jobs, there are a few differences, such as the fact that they are handled by a separate daemon. Similar to at jobs, no malware currently leverages this method for persistence.

Login/Logout hooks would be another low hanging fruit for persistence, requiring a payload and a PLIST in ~/Library/Preferences/com.apple.loginwindow.plist. This would be very similar logic to the Launch Agent (persistence.rb) module, and I'm wondering if we should consolidate this method there?

As noted in TAOMM, another neat place to hide persistence would be in system scripts, for example /etc/rc.common, which is executed on boot. And then there are normal startup scripts found in *nix systems, like ~/.zshrc etc., that can be abused.

It would be cool if there was just one Meta-Persistence module that would check every nook and cranny of the system and provide you a list with places you can persist.

gardnerapp avatar Feb 21 '25 17:02 gardnerapp
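The comment above lists the places a "check every nook and cranny" audit would have to look: periodic script directories, Launch Agents/Daemons, login/logout hooks in com.apple.loginwindow.plist, /etc/rc.common and shell rc files. The following is an added example (not code from the issue, the linked PR, or Metasploit) of a defender-side inventory of exactly those locations, written against a configurable filesystem root so it can be pointed at "/" on a Mac, a mounted image, or the constructed sample tree built here; the hook detection is a byte search for the key names, which is an assumption that works for XML and binary plists because plist keys stay ASCII.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Locations named in the thread, relative to a filesystem root so the audit
# can run against the live system ("/"), a mounted image or a test tree.
PERIODIC_DIRS  = %w[etc/periodic/daily etc/periodic/weekly etc/periodic/monthly].freeze
LAUNCH_DIRS    = %w[Library/LaunchAgents Library/LaunchDaemons].freeze
SYSTEM_SCRIPTS = %w[etc/rc.common].freeze
USER_RC_FILES  = %w[.zshrc .zprofile .bashrc .bash_profile].freeze
HOOK_KEYS      = %w[LoginHook LogoutHook].freeze

def list_files(dir)
  dir.directory? ? dir.children.select(&:file?).map(&:to_s).sort : []
end

# Returns one {kind:, path:} hash per artefact found in the system-wide
# locations plus the per-user ones under +home+ (a path relative to +root+).
def persistence_inventory(root, home)
  root = Pathname.new(root)
  hits = []
  PERIODIC_DIRS.each do |d|
    list_files(root + d).each { |f| hits << { kind: :periodic_script, path: f } }
  end
  (LAUNCH_DIRS + LAUNCH_DIRS.map { |d| File.join(home, d) }).each do |d|
    list_files(root + d).each { |f| hits << { kind: :launch_item, path: f } }
  end
  (SYSTEM_SCRIPTS + USER_RC_FILES.map { |f| File.join(home, f) }).each do |f|
    hits << { kind: :startup_script, path: (root + f).to_s } if (root + f).file?
  end
  # Login/logout hooks are keys in the loginwindow preferences; key names are
  # ASCII in both XML and binary plists, so a byte search finds them in either.
  plist = root + File.join(home, 'Library/Preferences/com.apple.loginwindow.plist')
  if plist.file?
    data = plist.binread
    HOOK_KEYS.each { |k| hits << { kind: :login_hook, path: plist.to_s, key: k } if data.include?(k) }
  end
  hits
end

# Constructed sample tree (not a real system): one artefact of each kind.
def build_sample_tree(root)
  home = 'Users/alice'
  { 'etc/periodic/daily/999.example' => "#!/bin/sh\n",
    "#{home}/Library/LaunchAgents/com.example.agent.plist" => "<plist/>\n",
    "#{home}/.zshrc" => "# shell rc\n",
    "#{home}/Library/Preferences/com.apple.loginwindow.plist" =>
      "<plist><dict><key>LoginHook</key><string>/tmp/hook.sh</string></dict></plist>\n" }.each do |rel, body|
    FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
    File.write(File.join(root, rel), body)
  end
  home
end
```

Run it against the sample tree with `Dir.mktmpdir { |t| p persistence_inventory(t, build_sample_tree(t)) }`; diffing the output against a known-good baseline is what turns the inventory into a detection.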

Appreciate the feedback. A lot of this is just placeholders/reminders for after #19815 lands. I've done a bunch of mac testing to make sure the Launch items are still working. Also made sure the at and cron modules worked as well. Waiting on that to land before adding more techniques.

h00die avatar Feb 21 '25 21:02 h00die

It would be cool if there was just one Meta-Persistence module that would check every nook and cranny of the system and provide you a list with places you can persist.

Persistence suggester, similar to local exploit suggester, is implemented in the persistence overhaul already :) https://github.com/rapid7/metasploit-framework/pull/19815/files#diff-e12cbce40ffdbf4924980a4b6c52b0954eb0ada8938ae51a9134f8b0e724ffb1

h00die avatar Feb 21 '25 22:02 h00die

Added Periodic Script Persistence in #19903

gardnerapp avatar Feb 24 '25 19:02 gardnerapp