ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1160

Glossary: /attack/glossary

Launch Daemon

Per Apple's developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons. These LaunchDaemons have property list files which point to the executables that will be launched.

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories. The daemon name may be disguised by using a name from a related operating system or benign software. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon's executable and gain persistence or Privilege Escalation.

Tags

ID: T1160

Tactic: Persistence, Privilege Escalation

Platform: macOS

Permissions Required: Administrator

Effective Permissions: root

Data Sources: Process monitoring, File monitoring

Procedure Examples

Name Description
OSX_OCEANLOTUS.D (S0352) OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.

Mitigations

Mitigation Description
User Account Management (M1018) Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Detection

Monitor Launch Daemon creation through additional plist files and utilities such as Objective-See's Knock Knock application.
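The technique description (a plist that must be root:wheel pointing at an executable with no ownership requirement) and the detection advice (watch for additional plist files appearing in the LaunchDaemons directories) can both be checked with a small audit script. The following is an added example written for this page; it is not code from MITRE ATT&CK, Apple, Objective-See or the translators. The function names (`target_executable`, `audit`, `audit_file`, `new_daemons`, `scan`), the sample plist and its label and paths are constructed for illustration, and the ownership and mode values are passed in explicitly so the checks can be exercised offline.

```python
import os
import plistlib
import stat
from typing import Dict, List, Optional, Set
from xml.parsers.expat import ExpatError

# Directories named in the technique description.
LAUNCH_DAEMON_DIRS = ["/System/Library/LaunchDaemons", "/Library/LaunchDaemons"]

# Constructed sample plist (label and paths are placeholders, not real indicators):
# an on-demand daemon whose executable sits in a directory ordinary users can write.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/updater.sh</string><string>--quiet</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def target_executable(plist_bytes: bytes) -> Optional[str]:
    """Return the path launchd will run: 'Program' if set, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit(plist_bytes: bytes, plist_uid: int, plist_gid: int, plist_mode: int,
          target_uid: Optional[int], target_mode: Optional[int]) -> List[str]:
    """Check one daemon definition. target_uid/target_mode of None mean the
    executable the plist points to does not exist on disk."""
    findings: List[str] = []
    if (plist_uid, plist_gid) != (0, 0):
        findings.append("plist is not owned by root:wheel")
    if plist_mode & WRITABLE_BY_OTHERS:
        findings.append("plist is group- or world-writable")
    exe = target_executable(plist_bytes)
    if exe is None:
        findings.append("plist has no Program or ProgramArguments")
        return findings
    if target_uid is None:
        findings.append(f"executable {exe} does not exist")
        return findings
    # The gap the description calls out: the plist must be root:wheel, but nothing
    # forces the same on the executable it points to, which runs as root.
    if target_uid != 0:
        findings.append(f"executable {exe} is not owned by root")
    if target_mode & WRITABLE_BY_OTHERS:
        findings.append(f"executable {exe} is group- or world-writable")
    return findings


def audit_file(plist_path: str) -> List[str]:
    """Audit a real plist on a live host by stat()ing it and its target executable."""
    st = os.stat(plist_path)
    with open(plist_path, "rb") as fh:
        data = fh.read()
    exe = target_executable(data)
    if exe and os.path.exists(exe):
        est = os.stat(exe)
        target = (est.st_uid, stat.S_IMODE(est.st_mode))
    else:
        target = (None, None)
    return audit(data, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), *target)


def new_daemons(baseline: Set[str], current: Set[str]) -> Set[str]:
    """Detection: plist names present now but absent from a known-good baseline."""
    return current - baseline


def scan(dirs: List[str] = LAUNCH_DAEMON_DIRS) -> Dict[str, List[str]]:
    """Audit every plist under the given directories; returns only entries with findings."""
    report: Dict[str, List[str]] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                findings = audit_file(path)
            except (OSError, ValueError, ExpatError, plistlib.InvalidFileException) as err:
                findings = [f"could not parse: {err}"]
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for path, items in scan().items():
        print(path)
        for item in items:
            print("  -", item)
```

Run it as root on a macOS host to list every daemon definition whose executable is not root-owned, is writable by others, or is missing; keep the set of plist file names from a clean build as the baseline for `new_daemons` so that a newly dropped plist (the case in the OSX_OCEANLOTUS.D procedure example) is reported even when its ownership looks correct.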