MacOS Persistence
Summary
Currently there's only one module (plist). https://www.kandji.io/blog/mac-malware-persistence has a nice list of other places to persist
Basic example
https://github.com/dockur/macos should make development a lot easier
Motivation
There's lots of room for improvement!
- [ ] Login Items
- [ ] Launch Items
- [ ] Scheduled Jobs and Tasks
- [ ] Dynamic Libraries
A full list of persistence methods can be found in The Art of Mac Malware. There is already persistence support for Launch Items, both Daemons and Agents. Currently this module is called persistence but should probably be called Launch Item Persistence.
At Persistence is supported under unix/local. Cron persistence is available for Linux, my guess would be that this module would work on OSX.
Login Items look promising:
Apple’s backgroundtaskmanagementagent program, which manages various background tasks such as login items, stores these items in a file named backgrounditems.btm. For more technical details on this file and its format, see my blog post “Block Blocking Login Items.” To programmatically create a login item, software can invoke various shared file list (LSSharedFileList*) APIs. For example, the LSSharedFileListCreate function returns a reference to the list of existing login items. This list can then be passed to the LSSharedFileListInsertItemURL function, along with the path of a new application you want to persist as a login item.
Periodic scripts, which fall under jobs and tasks, have not been implemented and seem relatively simple. To my knowledge OSX inherits this feature from BSD; I'm wondering if we could build a module that works for both. As noted in TAOMM, periodic scripts aren't being leveraged for persistence:
If you list the contents of /etc/periodic, you’ll find a directory containing scripts that will run on well-defined intervals (Listing 2-15).
% ls /etc/periodic
daily
weekly
monthly
Though this directory is owned by root, malware with adequate privileges may be able to create (or subvert) a periodic script in order to achieve persistence at regular intervals. Although periodic scripts are conceptually rather similar to cron jobs, there are a few differences, such as the fact that they are handled by a separate daemon. Similar to at jobs, no malware currently leverages this method for persistence.
Login/Logout hooks would be another low hanging fruit for persistence, requiring a payload and a PLIST in ~/Library/Preferences/com.apple.loginwindow.plist. This would be very similar logic to the Launch Agent (persistence.rb) module and I'm wondering if we should consolidate this method there?
As noted in TAOMM another neat place to hide persistence would be in system scripts, for example /etc/rc.common which is executed on boot. And then there are normal startup scripts found in *nix systems like ~/.zshrc etc that can be abused.
It would be cool if there was just one Meta-Persistence module that would check every nook and cranny of the system and provide you a list with places you can persist.
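The "check every nook and cranny" idea above, turned around as a defender's audit, as an added example that is not Metasploit's own module code: it walks the locations this comment lists (periodic scripts, Launch Agents/Daemons, loginwindow hooks, /etc/rc.common and shell startup files) and returns findings for review. The `root:` and `home:` keyword parameters are assumptions so the scan can be pointed at a mounted image or a test tree.

```ruby
# Added example (not Metasploit's own code): a read-only audit of the macOS
# persistence locations named in this thread. `root` and `home` are assumed
# parameters so the same scan can run against a mounted disk image or a
# constructed test tree instead of the live system.
PERIODIC_DIRS = %w[daily weekly monthly].freeze
LAUNCH_DIRS   = %w[Library/LaunchAgents Library/LaunchDaemons].freeze
SHELL_RC      = %w[.zshrc .zprofile .bash_profile .bashrc .profile].freeze
LOGINWINDOW   = 'Library/Preferences/com.apple.loginwindow.plist'.freeze

# Extracts LoginHook/LogoutHook from an XML plist. A binary plist must be
# converted first (plutil -convert xml1 -o - FILE); this regex will not parse it.
def loginwindow_hooks(plist_text)
  plist_text.scan(%r{<key>(LoginHook|LogoutHook)</key>\s*<string>([^<]*)</string>}).to_h
end

def audit_persistence(root: '/', home: Dir.home)
  findings = []
  # Periodic scripts: every file here runs on the daily/weekly/monthly schedule.
  PERIODIC_DIRS.each do |period|
    Dir.glob(File.join(root, 'etc/periodic', period, '*')).sort.each do |f|
      findings << { type: :periodic, path: f }
    end
  end
  # Launch Agents/Daemons: system-wide under root, per-user under home.
  dirs = LAUNCH_DIRS.map { |d| File.join(root, d) } + [File.join(home, 'Library/LaunchAgents')]
  dirs.each do |d|
    Dir.glob(File.join(d, '*.plist')).sort.each { |f| findings << { type: :launch_item, path: f } }
  end
  # Login/logout hooks in the per-user loginwindow preferences.
  plist = File.join(home, LOGINWINDOW)
  if File.file?(plist)
    loginwindow_hooks(File.read(plist)).each do |key, script|
      findings << { type: :login_hook, path: plist, hook: key, script: script }
    end
  end
  # Boot-time system script and shell startup files: presence is normal, so
  # report them for content review against a known-good copy.
  rc = File.join(root, 'etc/rc.common')
  findings << { type: :rc_common, path: rc, lines: File.readlines(rc).size } if File.file?(rc)
  SHELL_RC.each do |name|
    f = File.join(home, name)
    findings << { type: :shell_rc, path: f, lines: File.readlines(f).size } if File.file?(f)
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_persistence.each { |f| puts f.map { |k, v| "#{k}=#{v}" }.join(' ') }
end
```

On a live Mac the loginwindow preferences are usually stored as a binary plist, so convert them with plutil before feeding the text to loginwindow_hooks.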
Appreciate the feedback. A lot of this is just placeholders/reminders for after #19815 lands. I've done a bunch of mac testing to make sure the Launch items are still working. Also made sure the at and cron modules worked as well. Waiting on that to land before adding more techniques.
It would be cool if there was just one Meta-Persistence module that would check every nook and cranny of the system and provide you a list with places you can persist.
Persistence suggester, similar to local exploit suggester, is implemented in the persistence overhaul already :) https://github.com/rapid7/metasploit-framework/pull/19815/files#diff-e12cbce40ffdbf4924980a4b6c52b0954eb0ada8938ae51a9134f8b0e724ffb1
Added Periodic Script Persistence in #19903