ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: Lin Miaoqian (cyber security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (Cyberpeace). Original translation; please obtain the translators' permission before reproducing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1162

Glossary: /attack/glossary

Login Item

macOS provides the option to list specific applications that run when a user logs in. These applications run in the logged-in user's context and are started every time that user logs in. Login items installed through the Service Management Framework are not visible in System Preferences and can only be removed by the application that created them [1]. Users have direct control over login items installed through a shared file list; these are also visible in System Preferences. Such login items are stored in the user's ~/Library/Preferences/ directory in a plist file named com.apple.loginitems.plist [2]. Some of these applications open dialogs visible to the user, but they do not all have to, since a login item can be marked "Hide" so that its window is not shown. If an adversary can register their own login item or modify an existing one, they can use it to execute their code as a persistence mechanism each time the user logs in. The API method SMLoginItemSetEnabled can be used to set login items, but scripting languages such as AppleScript can do this as well.

Technique Details

ID: T1162

Tactic: Persistence

Platform: macOS

Permissions Required: User

Data Sources: File monitoring, API monitoring

CAPEC ID: CAPEC-564

Procedure Examples

Name          Description
Dok (S0281)   Dok persists via a login item.

Mitigations

Mitigation                          Description
User Account Management (M1018)     Restrict users from being able to create their own login items.
User Training (M1017)               Holding the Shift key during login prevents login items from opening automatically.

Detection

All login items created via shared file lists can be viewed by going to the Apple menu -> System Preferences -> Users & Groups -> Login Items. This area (and the corresponding file locations) should be monitored and allowlisted for known-good applications. Login items registered through the Service Management Framework are instead located at Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well [1]. Monitor process execution resulting from login actions for unusual or unknown applications.
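The detection guidance above names three places to look: the shared-file-list plist, the Contents/Library/LoginItems helper-bundle path, and what the system itself reports. The following Python script is an added example (not part of the ATT&CK page or any referenced tool) that audits all three. The sample plist is constructed for the example; its layout (SessionItems -> CustomListItems entries carrying Name, Alias and the com.apple.LSSharedFileList.ItemIsHidden property) follows the LSSharedFileList format, which is an assumption about the file rather than something stated on the page, and the KNOWN_GOOD allowlist is a placeholder the reader replaces with their own baseline.

```python
"""Audit macOS login items along the three axes T1162 detection describes:
 1. the shared file list (~/Library/Preferences/com.apple.loginitems.plist),
 2. helper bundles under <App>.app/Contents/Library/LoginItems (Service Management),
 3. what System Events reports via osascript, when running on a Mac.
"""
import os
import plistlib
import shutil
import subprocess

# Property name used by LSSharedFileList for the "Hide" checkbox (assumed layout).
HIDDEN_KEY = "com.apple.LSSharedFileList.ItemIsHidden"

# Constructed sample of com.apple.loginitems.plist: one ordinary item and one hidden item.
SAMPLE_LOGINITEMS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SessionItems</key>
  <dict>
    <key>Controller</key><string>CustomListItems</string>
    <key>CustomListItems</key>
    <array>
      <dict>
        <key>Alias</key><data>AAAA</data>
        <key>Name</key><string>iTunesHelper</string>
        <key>CustomItemProperties</key>
        <dict><key>com.apple.LSSharedFileList.ItemIsHidden</key><false/></dict>
      </dict>
      <dict>
        <key>Alias</key><data>AAAA</data>
        <key>Name</key><string>UpdateAgent</string>
        <key>CustomItemProperties</key>
        <dict><key>com.apple.LSSharedFileList.ItemIsHidden</key><true/></dict>
      </dict>
    </array>
  </dict>
</dict>
</plist>
"""

# Placeholder allowlist: replace with the login items you actually expect on your fleet.
KNOWN_GOOD = {"iTunesHelper"}


def parse_shared_file_list(data: bytes):
    """Return [(name, hidden)] for every entry in a login-items shared file list."""
    plist = plistlib.loads(data)
    entries = plist.get("SessionItems", {}).get("CustomListItems", [])
    result = []
    for entry in entries:
        name = entry.get("Name", "<unnamed>")
        hidden = bool(entry.get("CustomItemProperties", {}).get(HIDDEN_KEY, False))
        result.append((name, hidden))
    return result


def flag_unknown(items, allowlist=KNOWN_GOOD):
    """Anything not on the allowlist, or anything marked hidden, deserves review."""
    return [(name, hidden) for name, hidden in items if name not in allowlist or hidden]


def is_login_item_helper(path: str) -> bool:
    """True for <App>.app/Contents/Library/LoginItems/<Helper>.app paths."""
    parts = os.path.normpath(path).split(os.sep)
    return (len(parts) >= 5
            and parts[-1].endswith(".app")
            and parts[-4:-1] == ["Contents", "Library", "LoginItems"]
            and parts[-5].endswith(".app"))


def find_bundled_login_items(app_root: str):
    """Walk app_root (e.g. /Applications) and list Service Management helper bundles."""
    found = []
    for dirpath, dirnames, _ in os.walk(app_root):
        hits = [os.path.join(dirpath, d) for d in dirnames
                if is_login_item_helper(os.path.join(dirpath, d))]
        found.extend(hits)
        if hits:  # no need to descend into the helper bundles themselves
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in hits]
    return sorted(found)


def system_events_login_items():
    """Ask System Events for the user's login items; None when not on macOS or on error."""
    if shutil.which("osascript") is None:
        return None
    script = 'tell application "System Events" to get the name of every login item'
    proc = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return [s.strip() for s in proc.stdout.strip().split(",") if s.strip()]


if __name__ == "__main__":
    for name, hidden in flag_unknown(parse_shared_file_list(SAMPLE_LOGINITEMS_PLIST)):
        print(f"review: {name} (hidden={hidden})")
    print("bundled helpers:", find_bundled_login_items("/Applications"))
    print("System Events reports:", system_events_login_items())
```

On a real host, read ~/Library/Preferences/com.apple.loginitems.plist instead of the constructed sample and diff the three views against each other: an item that System Events reports but the allowlist does not know, or a helper bundle under LoginItems that no expected application ships, is the kind of discrepancy the detection text asks you to look for. The same System Events dictionary the script queries is what AppleScript uses to create login items, which is why this view and the plist can disagree with what the System Preferences pane shows.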