

Screensavers for macOS Persistence

Background

After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page. On Windows, screensavers execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with the screensaver file extension. On macOS, these are Mach-O executables that are saved within application bundles with the screensaver bundle extension. After taking a closer look, these can be abused for persistence in a similar fashion as on Windows.

Like my Dock persistence method, this technique relies on the ability end-users have to modify a property list (plist). Plists are the macOS equivalent of the Windows registry. By changing the values in the screensaver plist (~/Library/Preferences/ByHost/), an adversary can set a new screensaver and set configuration options such as the user inactivity time. The culmination of this research is ScreenSaverPersist.js, which I have included in the PersistentJXA project.

[Figure: Two instances of persistence execution, PID 5967 and PID 5973]

Of course, this behavior can be modified by placing process running checks in the malicious screensaver project.

Alternative Modifications

An adversary could perform the plist modification tasks off-target and upload the modified plist to the ~/Library/Preferences/ByHost/ location to reduce the number of potential indicators. However, this will still result in the file::rename event. Another method to edit these plists is through the command line tools defaults and PlistBuddy.

In the example above, osascript was the process performing this modification, which is abnormal compared to the normal cfprefsd process. Modifications of the plist outside of the cfprefsd process may be a good starting point for identifying malicious behavior.
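As an added defender-side example (not code from the original post or from the PersistentJXA project), the following Python script applies the two checks this section points at: it parses a screensaver ByHost plist and flags a module loaded from outside the usual screensaver directories or an unusually short idle time, and it filters file events for writes to that plist by any process other than cfprefsd. The plist key names (moduleDict, path, idleTime), the trusted-directory list, the event field names and all sample data are assumptions constructed for this example; the real per-host filename contains a machine-specific UUID, which is matched with a wildcard.

```python
# Added example: defender-side checks for macOS screensaver persistence.
# Not code from the original post or the PersistentJXA project; key names,
# directory lists and sample data are assumptions constructed for illustration.
import fnmatch
import plistlib
from pathlib import PurePosixPath

# Directories a screensaver module is normally loaded from (assumption). The
# user-level ~/Library/Screen Savers is left out on purpose so that bundles
# dropped into a home directory are surfaced for review.
TRUSTED_SAVER_DIRS = (
    "/System/Library/Screen Savers",
    "/Library/Screen Savers",
    "/System/Library/Frameworks/ScreenSaver.framework",
)

# Per-host screensaver preference file; the UUID part of the name varies.
SCREENSAVER_PLIST_GLOB = "/Users/*/Library/Preferences/ByHost/com.apple.screensaver.*.plist"

# The daemon that legitimately writes preference files on macOS.
EXPECTED_WRITER = "cfprefsd"

# File events that should be attributed to cfprefsd when they hit the plist.
WRITE_EVENTS = {"file::create", "file::write", "file::rename"}


def audit_screensaver_prefs(plist_bytes, min_idle_seconds=60):
    """Parse a screensaver ByHost plist and return a list of finding strings.

    Flags a module path outside TRUSTED_SAVER_DIRS and an idle time shorter
    than min_idle_seconds (a small value makes the screensaver, and whatever
    it carries, run soon after the user goes idle).
    """
    prefs = plistlib.loads(plist_bytes)
    findings = []

    module = prefs.get("moduleDict", {})
    path = module.get("path")
    if not path:
        findings.append("moduleDict has no path key")
    else:
        parents = set(PurePosixPath(path).parents)
        if not any(PurePosixPath(d) in parents for d in TRUSTED_SAVER_DIRS):
            findings.append(f"untrusted screensaver module path: {path}")

    idle = prefs.get("idleTime")
    if isinstance(idle, int) and 0 < idle < min_idle_seconds:
        findings.append(f"short idleTime: {idle}s")
    return findings


def suspicious_plist_writes(events):
    """Return events that modify the screensaver plist from a process other
    than cfprefsd. Each event is a dict with "event", "process" and "path"
    keys (the shape of the constructed sample below, not any EDR's schema).
    """
    return [
        ev for ev in events
        if ev.get("event") in WRITE_EVENTS
        and fnmatch.fnmatch(ev.get("path", ""), SCREENSAVER_PLIST_GLOB)
        and ev.get("process") != EXPECTED_WRITER
    ]


# --- constructed sample data -------------------------------------------------
# A plist as it might look after the modification described above: a bundle in
# the user's home directory and a five-second idle time.
TAMPERED_PLIST = plistlib.dumps({
    "idleTime": 5,
    "moduleDict": {"moduleName": "Example",
                   "path": "/Users/victim/Library/Screen Savers/Example.saver"},
})

# A plist pointing at a system-bundled screensaver with a normal idle time.
BENIGN_PLIST = plistlib.dumps({
    "idleTime": 1200,
    "moduleDict": {"moduleName": "Flurry",
                   "path": "/System/Library/Screen Savers/Flurry.saver"},
})

_PLIST_PATH = ("/Users/victim/Library/Preferences/ByHost/"
               "com.apple.screensaver.0000-EXAMPLE-UUID.plist")
SAMPLE_EVENTS = [
    {"event": "file::rename", "process": "cfprefsd", "path": _PLIST_PATH},
    {"event": "file::rename", "process": "osascript", "path": _PLIST_PATH},
    {"event": "file::create", "process": "python3", "path": _PLIST_PATH},
    {"event": "file::write", "process": "osascript",
     "path": "/Users/victim/Library/Preferences/ByHost/com.apple.example.0000.plist"},
]

if __name__ == "__main__":
    for label, blob in (("tampered", TAMPERED_PLIST), ("benign", BENIGN_PLIST)):
        print(label, audit_screensaver_prefs(blob) or ["no findings"])
    for ev in suspicious_plist_writes(SAMPLE_EVENTS):
        print("suspicious plist write:", ev["process"], ev["event"], ev["path"])
```

On a real host the plist would be read from disk instead of the constructed bytes, and the event list would come from whatever endpoint telemetry records file activity; the point of the second function is the same one the post makes, that the writer being anything other than cfprefsd is what makes the event worth a look.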
