d4rtht3ll3ctus' root vault

Persistence

4 min read

  • LaunchAgents
  • LaunchDaemons
  • Cronjobs :
    • Same as linux
  • At Jobs:
    • Scheduled one time tasks
    • located at : /private/var/at/jobs/
    • enumerate using : /usr/bin/atq
    • By default disabled , can be enabled by :
      • launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
  • Periodic Scripts:
    • scripts that run on well defined interval
    • ls /etc/periodic
    • cronjobs and periodic scripts handled by a different daemon
  • Login and Logout Hooks:
    • these things when installed , run each time a user logs in or logs out
    • stored in : ~/Library/Preferences/com.apple.loginwindow.plist
    • Key value pair where format is : <LoginHook/LogoutHook>:<script to execute>
    • plist so ultimately an XML
    • there can only be one LoginHook and one LogoutHook key/value pair speci!ed at any given time
  • Dynamic Libraries
  • DYLD* environment variables:
    • Eg. DYLD_INSERT _LIBRARIES and DYLD_FRAMEWORK_PATH
    • If the malware is targeting a launch item, it could modify the item’s property list by inserting a new key/value pair into it. The key, EnvironmentVariables, would reference a dictionary containing a DYLD_INSERT_LIBRARIES key/value pair that points to the malicious dynamic library
    • If the malware is targeting an application, the approach involves modifying the application’s Info.plist file and inserting a similar key/value pair, albeit with a key name of LSEnvironment.
    • Hardened Runtime - used to prevent this , it is an apple feature
  • Dylib Proxying:
    • dylib proxying replaces a library that a target process depends on with a malicious library
    • To keep the application from losing legitimate functionality, the malicious library proxies requests to and from the original library.
    • LC_REEXPORT_DYLIB load command essentially tells the dynamic loader, “Hey, while I, the malicious library, don’t implement the required functionality you’re looking for, I know who does!” As it turns out, this is the only information the loader needs to maintain the functionality provided by the proxied library.
    • otool, run with the -l, to list the malicious dynamic library’s load commands
  • Dylib Hijacking:
    • In a dylib hijack, malware can exploit a program that either attempts to load dynamic libraries from multiple attacker-writable locations or that has a weak dependency on a dynamic library that does not exist.
    • add malicious library to higher priority(by order of checking existence of library) so that that particular instance(malicious) is loaded automatically at runtime
    • weak dependency - program can run if it doesnt exist, attacker can add malicious library there. (the place loader checks to see if library is there or not)
  • Plug-Ins:
    • Browser, Spotlight , IDE etc. extensions and plugins.
    • some counter by apple: entitlements, code-signing checks, sandboxing, and other security features
  • Scripts:
    • rc.common file found in /etc
    • For example, the iKitten malware abuses this !le using a method, aptly named addToStartup, that persists a malicious shell script whose path is passed in as the method’s sole parameter
    • Other include app/process specific startup scripts:eg. bash
  • Event Monitor Rules:
    • emond (event monitoring) daemon operating system automatically launches emond during system boot, processing and executing any speci!ed rules, malware can simply create a rule for the daemon to automatically execute
    • /etc/emond.d/rules or /private/var/db/emondClients
  • Reopened Applications:
    • when restarting, we get a box which asks whether we want to reopen applications
    • Behind the scenes, it stores the applications to be reopened in a property list named com.apple.loginwindow.plist within the ~/Library/Preferences/ByHost directory.
  • Applications and Binary Modifications:
    • Crossrider subverts Safari in order to persist various malicious browser extensions
    • EvilQuest:
      • insert itself at start of the binary.
      • original bytes come after that and then ads a marker 0xdeadface at the end of the binary
      • when run, it first checks if launchitem persistence has been removed (if yes replaces it).
      • then gets location of binary origin and then writes that to another file and then executes it.
  • KnockKnock - OpenSource utility to check these persistence mechanisms
  • Some good references:

Graph View