Unveiling Persistence Techniques in MacOS: A Closer Look

Introduction: Welcome to another insightful blog post where we explore various methods of persistence in Mac OS applications. In this article, we will delve into three specific techniques commonly employed by both legitimate applications and malware. By understanding these persistence mechanisms, incident responders can effectively identify and mitigate potential threats. So, let's jump right in!

LaunchAgents and LaunchDaemons:

LaunchAgents and LaunchDaemons are plists that facilitate persistence in Mac OS applications. LaunchDaemons run as system processes before login, while LaunchAgents execute as user-specific processes upon login. These plists can reference other locations, such as scripts, enabling them to initiate actions during system startup.

To interact with LaunchAgents and LaunchDaemons, the 'launchctl' command is often utilized. It allows for the registration and inspection of these processes.

launchd also manages XPC services; their helper processes are spawned through /usr/libexec/xpcproxy.

By running 'launchctl list', one can see every LaunchAgent and LaunchDaemon currently loaded in that user's domain (prefix it with sudo to see the system domain). Similarly, 'launchctl unload <plist>' unloads a specific LaunchAgent or LaunchDaemon.

These persistence plists (property lists) are typically located in the following directories and are registered at boot/login:

  • ~/Library/LaunchAgents: User-specific agents provided by the user.
  • /Library/LaunchAgents: User-specific agents provided by the administrator.
  • /Library/LaunchDaemons: System-wide daemons provided by the administrator.
  • /System/Library/LaunchAgents: MacOS user-specific agents.
  • /System/Library/LaunchDaemons: MacOS system-wide daemons.

Plists can be located anywhere on disk, but the above are the usual locations. The launchctl command will show all the loaded LaunchAgents/LaunchDaemons regardless of plist location.

After an infection, during the remediation step of the IR pipeline, it is crucial to ensure that these plists are no longer present on the host and that the corresponding LaunchAgent or LaunchDaemon has been unloaded. If the plist remains and the associated job is still loaded, a malicious actor could replace the target binary specified in the plist. Best practice would have the target folder not writeable by all users, but this is not always a given. Therefore, monitoring modifications in these locations and cleaning them up is essential when dealing with malware infections.

As an example:

➜  irhost cat nice.sh
#!/bin/bash
{ echo 'nice!' ;} >> /Users/warsang/stuff/nice.log
➜  irhost defaults read ~/Library/LaunchAgents/com.warsang.nice
{
    Label = "com.warsang.nice";
    Program = "/Users/warsang/stuff/nice.sh";
    RunAtLoad = 1;
    StartInterval = 10; 
}
➜  irhost launchctl load ~/Library/LaunchAgents/com.warsang.nice.plist
➜  irhost launchctl list | grep nice
-    0    com.warsang.nice
➜  irhost cat nice.log
➜  irhost cat nice.log 
nice!
nice!
nice!
nice!
➜  irhost rm nice.sh && mv evil.sh nice.sh
➜  irhost cat nice.log 
nice!
nice!
nice!
nice!
evil!
evil!
evil!

In the above, we register a plist that will run nice.sh every 10 seconds.

An attacker deletes nice.sh and replaces it with evil.sh; the plist will keep running and will execute bad code (possibly at a privileged level).

If you're using CrowdStrike, the above will record an AsepFileChange event. It will not record any other Asep* events.
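The remediation checks above (is the plist still present, does its target still exist, and could someone other than the owner swap the target as in the nice.sh/evil.sh run) can be scripted. The following is an added example, not code from the post: it walks the standard directories listed earlier, parses each plist with Python's plistlib, and flags missing or world-writable targets. The `demo_dir()` fixture, the `com.example.*` labels and the finding names are constructed for illustration.

```python
"""Audit launchd persistence plists: an added example, not code from the post.

Walks the standard LaunchAgent/LaunchDaemon directories, parses each plist
with plistlib, and reports what each job executes together with the two
checks the remediation advice calls for: is the target binary still
present, and could someone other than its owner replace it (the nice.sh
to evil.sh swap) while the job stays loaded?
"""
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# The usual locations from the post. A job's plist can live anywhere, so
# 'launchctl list' remains the authority on what is actually loaded.
DEFAULT_DIRS = [
    Path(os.environ.get("HOME", "/var/empty")) / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path("/System/Library/LaunchAgents"),
    Path("/System/Library/LaunchDaemons"),
]


def job_target(job):
    """Executable a launchd job runs: Program takes precedence over ProgramArguments."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def target_findings(target):
    """Flags for a missing target or one that non-owners could overwrite or swap."""
    try:
        st = os.stat(target)
    except FileNotFoundError:
        # The job still fires; whatever is dropped at this path later will run.
        return ["target-missing"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("target-world-writable")
    parent = os.stat(os.path.dirname(target) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        # Anyone may delete and recreate the file: exactly the swap shown above.
        findings.append("target-dir-world-writable")
    return findings


def audit_plist(path):
    """Parse one plist (XML or binary) and summarise the job it describes."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    target = job_target(job)
    return {
        "plist": str(path),
        "label": job.get("Label"),
        "target": target,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "start_interval": job.get("StartInterval"),
        "findings": target_findings(target) if target else ["no-program"],
    }


def audit_dirs(dirs=DEFAULT_DIRS):
    """Audit every *.plist in the given directories; unreadable files are reported, not skipped."""
    results = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                results.append(audit_plist(p))
            except Exception as exc:
                results.append({"plist": str(p), "label": None, "target": None,
                                "run_at_load": False, "start_interval": None,
                                "findings": ["parse-error: %s" % exc]})
    return results


def demo_dir():
    """Constructed fixture (not real host data): one job whose script is
    world-writable and one whose target no longer exists. Returns the directory."""
    d = Path(tempfile.mkdtemp(prefix="launchd-audit-"))
    script = d / "nice.sh"
    script.write_text("#!/bin/bash\necho nice\n")
    os.chmod(script, 0o777)
    with open(d / "com.example.nice.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.nice", "Program": str(script),
                       "RunAtLoad": True, "StartInterval": 10}, fh)
    with open(d / "com.example.gone.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.gone",
                       "ProgramArguments": [str(d / "missing.sh"), "--quiet"]}, fh)
    return d


if __name__ == "__main__":
    # Audit the real locations; pass [demo_dir()] instead to see the fixture.
    for r in audit_dirs():
        flags = ", ".join(r["findings"]) or "ok"
        print("%-35s %-50s %s" % (r["label"], r["target"], flags))
```

Run it with sudo to read the /Library and /System/Library directories on a real host, and compare its labels against `launchctl list`: a label that is loaded but has no plist on disk in these directories is worth chasing down, since the plist may simply live somewhere else.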

Crontab:

Similar to Unix systems, MacOS employs crontabs for scheduling periodic tasks. Crontabs are stored as flat files and can be found in various locations, including /var/at/tabs/, /etc/cron.d/ (system-wide crontabs), and /usr/lib/cron/tabs/. To list the crontabs for a user you can cat the flat file for that username:

user@irhost ~ $ sudo ls /var/at/tabs/
someone warsang
user@irhost ~ $ sudo cat /var/at/tabs/warsang
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.I9iGemZmcd installed on Tue Feb 16 09:31:35 2021)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
* * * * * /bin/echo 'badness'

To remove a crontab:

rm /var/at/tabs/<username>

The cron daemon, 'crond,' launches and manages crontab processes on Mac OS.

➜  irhost sudo launchctl list | grep cron
-    0    com.vix.cron

On Mac OS, 'crond' is itself a launchd job (com.vix.cron above), so it is managed through 'launchctl' (launchd). When examining CrowdStrike data, it is important to note that crontab creation does not trigger an ASEP event. Instead, one should look for ProcessRollup2 events that mention crontab activity.

Login Items:

Malicious applications can execute themselves at login by including a Login Item within their bundle. Login items are launched by LaunchServices rather than launchd and are executed after LaunchAgents during the login process.

The details of login items for a user are stored in the file ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. However, this file is not plaintext readable as it uses the bookmark data format.

Malware employing Login Items typically calls APIs such as LSSharedFileListCreate, LSSharedFileListInsertItemURL, and SMLoginItemSetEnabled.

Reviewing these items can be a bit more complex. To obtain the names of login items, an AppleScript command can be used, but it needs the user's consent to control System Events and will prompt the user for it.

osascript -e 'tell application "System Events" to get the name of every login item'

A utility called KnockKnock, developed by Patrick Wardle from the Objective-See blog, offers a comprehensive exploration of common macOS persistence mechanisms. I'd recommend that most IR teams deploy this utility as part of the company's security posture to quickly explore persistence on Mac OS hosts.

Conclusion:

In this blog post, we have uncovered three key methods of persistence commonly found in Mac OS applications. LaunchAgents and LaunchDaemons, crontabs, and Login Items are all crucial elements to consider during incident response and threat mitigation. By understanding these persistence mechanisms, security professionals can enhance their ability to detect and neutralize potential threats effectively.

Extra-reads:

https://taomm.org/vol1/analysis.html
https://www.sentinelone.com/blog/how-malware-persists-on-macos/
https://objective-see.com/products/knockknock.html
https://pastebin.com/raw/TJGTr9af
http://martiancraft.com/blog/2015/01/login-items/
https://rderik.com/blog/creating-a-launch-agent-that-provides-an-xpc-service-on-macos/
https://apple.stackexchange.com/questions/266835/how-do-i-restart-the-cron-service-on-osx
http://michaellynn.github.io/2015/10/24/apples-bookmarkdata-exposed/

warsang

Security funny doing cloud stuff and Game related things. Trying to learn something new every day.