4/16/2023

A New Mitigation Strategy for the most used macOS Persistence Technique

Why Launch Persistence Research?

This research started with me looking for suggestions for my organization on mitigating launch persistence techniques for macOS. As a red team operator, sharing knowledge and recommendations with our security organizations is crucial to making our customers safer. I took a look at the macOS MITRE ATT&CK matrix for the persistence tactic (TA003), its launch persistence technique, which MITRE calls "Create or Modify System Process" (T1543), and more specifically the “Launch Agent” (T1543.001) and “Launch Daemon” (T1543.004) sub-techniques. Collectively I am calling these two sub-techniques “launch persistence.” Patrick Wardle calls launch persistence “launch items.” Still, I want to ensure no confusion between these and “login items” or “startup items,” which are entirely different persistence mechanisms. MITRE suggested setting group policies for mitigation to block launch persistence behavior. The problem was that I hadn't heard of any organization doing this, and I could not find any reference for this from MITRE or otherwise. I started asking around, and no one could tell me how any organization does this. So, I decided to figure out how an enterprise could mitigate launch persistence at scale.

Upon discovering this new mitigation method, I reached out to my friend Jaron Bradley at Jamf Protect to see if he knew whether my approach was possible using an MDM solution like Jamf Pro. He connected me with Matthew Benyo, also from Jamf, whom I teamed up with on this blog. Matt describes how to prepare this method using Jamf Pro in his section below. I also reached out to Cat Self, macOS lead for MITRE ATT&CK, for some leads in the macOS community. She was a great help in tracking down some individuals with experience in macOS administration who I was able to bounce my mitigation idea off of for a sanity check.

The first section of this blog will cover persistence, launch agents, and why it is important to mitigate the techniques. So, if you already understand this or don’t want/need a refresher, you can skip to the next section.

Persistence is a vital tactic in the adversarial kill chain. It is typically the next step after initial access and payload/malware execution. "Persistence is the means by which malware ensures that it will be automatically (re)executed by the operating system on system startup or user (re)login" (Wardle, 2020, p. Most malware attempts to gain persistence. Otherwise, a system reboot would kill access to the infected system.

Launch persistence includes launch agents and launch daemons. “Launch items are the Apple recommended way to persist non-application binaries (e.g., software updates, background processes, etc)” (Wardle, 2020, p.

How does this work? After system boot and during system initialization, launchd searches the /System/Library/LaunchDaemons/ and the root /Library/LaunchDaemons/ directories for property list files (plists) and launches the daemon that the plist requests to be running at all times.
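As an added example (not code from the original post, from Jamf, or from MITRE), the following Python script uses the standard-library plistlib to pull the persistence-relevant keys (Label, Program/ProgramArguments, RunAtLoad, KeepAlive) out of a launchd plist, then walks the launch directories on a Mac to flag non-Apple jobs configured to start automatically. The sample plist and its com.example label are constructed for illustration; the LaunchAgents paths are included alongside the daemon paths the text names.

```python
import plistlib
from pathlib import Path

# Directories launchd scans for persistence plists. The text covers the two
# LaunchDaemons paths; the LaunchAgents paths are added here for completeness.
LAUNCH_DIRS = [
    "/System/Library/LaunchDaemons", "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents", "/Library/LaunchAgents",
    "~/Library/LaunchAgents",
]

def summarize_launch_plist(data: bytes) -> dict:
    """Extract the fields a defender cares about from one launchd plist."""
    p = plistlib.loads(data)
    # Program wins if present; otherwise the binary is argv[0] of ProgramArguments.
    program = p.get("Program") or (p.get("ProgramArguments") or [None])[0]
    label = str(p.get("Label", ""))
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either restarts the job.
        "keep_alive": bool(p.get("KeepAlive", False)),
        "apple_label": label.startswith("com.apple."),
    }

def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Yield (path, summary) for every parseable plist in the launch directories."""
    for d in dirs:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue  # e.g. no per-user LaunchAgents folder yet
        for f in sorted(base.glob("*.plist")):
            try:
                yield str(f), summarize_launch_plist(f.read_bytes())
            except (plistlib.InvalidFileException, OSError, ValueError):
                continue  # unreadable or malformed plist: skip, do not abort the scan

# Constructed sample of a third-party daemon plist (not from any real product).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Library/Application Support/Example/updater</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(summarize_launch_plist(SAMPLE_PLIST))
    for path, info in scan_launch_dirs():
        if info["run_at_load"] and not info["apple_label"]:
            print("non-Apple job started automatically:", path, "->", info["program"])
```

Run it on a Mac to get a quick inventory of third-party jobs that launchd will start without user action; on other systems only the constructed sample is parsed.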