Beyond good ol' LaunchAgent - part 1
Last week, on the inception diary of this series [1], I’ve talked about LaunchAgent and LaunchDaemon, probably the most known and popular persistence mechanisms under macOS. But there are other mechanisms, definitely not new and well known in the *nix world, which are still linked or managed by launchd [2]:
- at commands
- Cronjob
- Periodic
at commands and cronjobs [3][4] are the traditional *nix mechanism to schedule task execution and recurring execution respectively. Those are very much linked to LaunchDaemons, since Apple has replaced those functionalities with Daemons. However, although are deprecated mechanisms, Apple has still legacy support, which means that can be still (ab)used by malware.
AT command
Differently from cronjobs, at commands are meant to be run only once, the next time they are scheduled. In the new OS versions, at daemon has been moved to LaunchDaemon to be handled by the launchd process, and it is disabled by default, as you can verify here:
$ plutil -p /System/Library/LaunchDaemons/com.apple.atrun.plist
{
"Disabled" => 1
" Label" => "com.apple.atrun"
"ProgramArguments" => [
0 => "/usr/libexec/atrun"
]
"StartInterval" => 30
}
If enabled, standard at command can be used to schedule a task to run, such as
at 1450 tomorrow command_to_run
and you may still able to find evidence of those scheduled under /usr/lib/cron/jobs/
Cronjobs
Cronjobs, as most of you already know, is the mechanism to tell the system to run specific tasks periodically at give intervals of time. The official way to do it in modern Apple systems, would be by using the StartCalendarInterval key in the Agent/Daemon plist file, as we have seen in the previous diary [1]. However, Apple still supports the legacy crontab mechanisms, which will run /usr/sbin/cron anytime a change in crontab or to files into /usr/lib/cron/tabs is detected [2]. To schedule a cronjob, it is sufficient to run crontab -e and insert the properly configured entry. As recap, the syntax is the following :
* * * * * command to execute
where the meaning of the asterisk is, in order from left to right:
- min (0 - 59)
- hour (0 - 23)
- day of month (1 - 31)
- month (1 - 12)
- day of week (0 - 6), Sunday to Saturday, 7 is Sunday, same as 0
Some example of recurring execution:
Recurrence | Example |
Every day at 3pm | 0 15 * * * /path/to/my/script.py |
Every work day at 3pm | 0 15 * * 1-5 /path/to/my/script.py --argument |
Every hour (at exactly hh:00) | 0 * * * * /path/to/my/script.py |
Periodic
One more way to schedule recurring tasks is to use periodic, part of the FreeBSD inheritance. Although commonly used to run system maintenance scripts, it can as well be abused to hide persistence mechanisms, also considering that is not often considered. Basically, periodic will run the scripts in the folders /etc/periodic/daily/, /etc/periodic/weekly/ and /etc/periodic/monthly/, the recurrence of which is easily comprehensible from the folders name. There you may be able to find traces of malicious recurring tasks as well.
Artifacts summary
Here a quick summary of the specific paths for the forensics artifacts of interest [5]:
AT Command:
/usr/lib/cron/jobs/
/System/Library/LaunchDaemons/com.apple.atrun.plist
Cronjobs:
/usr/lib/cron/tabs/
Periodic:
/etc/periodic/daily/*
/etc/periodic/weekly/*
/etc/periodic/monthly/*
Happy Hunting,
Pasquale
References:
[1] - SANS ISC, “Beyond good ol’ LaunchAgent - part 0”, https://isc.sans.edu/forums/diary/Beyond+good+ol+LaunchAgent+part+0/24230/
[2] - Jonathan Levin (@Morpheus______), “*OS Internals”, http://newosxbook.com/index.php
[3] - MITRE ATT&CK (@MITREattack), “MacOS Techniques - Local Job Scheduling”, https://attack.mitre.org/techniques/T1168/
[4] - Patrick Warlde (@patrickwardle), “OSX Malware Persistence”, https://s3.amazonaws.com/s3.synack.com/Synack_Shakacon_OSX_Malware_Persistence.pdf
[5] - Pasquale Stirparo (@pstirparo), “mac4n6 Artifacts Project”, https://github.com/pstirparo/mac4n6
---
Pasquale Stirparo,
@pstirparo
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago