A Red Teamer's Primer to Establishing Persistence on macOS
Learn about different ways to establish persistence on Mac machines during red team operations.
Persistence enables red team operators to maintain access to a system by relaunching their payloads automatically after events like startup or login, ensuring uninterrupted operation. macOS provides various built-in persistence mechanisms for legitimate software, which red team operators can exploit. Without persistence, their payload has a very limited lifespan.
In this post, I have listed several ways through which red team operators can establish persistence on macOS machines.
Login Items - These are the applications or scripts that get executed whenever a user logs in to the machine. They inherit the permissions and privileges of the logged-in user.
Launch Items - Launch items are similar in functionality to login items in the sense that they are also executed automatically. The difference is that launch items are executed at startup, i.e. before user login, whereas login items are executed after user login. macOS provides two types of launch items, Launch Agents and Launch Daemons. The primary difference between the two is that Launch Daemons are launched pre-login with root privileges in a non-interactive manner, whereas Launch Agents are executed post-login with user-level privileges and may require some form of interaction from the user.
Scheduled Tasks and Cron Jobs - Scheduled tasks and cron jobs are basically applications or scripts that are executed at periodic intervals. macOS offers three methods for scheduling jobs and tasks at specific intervals: cron jobs, at jobs (stored in the /private/var/at/jobs/ directory), and periodic scripts (stored in the /etc/periodic/ directory). Unlike Login Items or Launch Items, they execute at periodic intervals instead of during startup (though they can be configured to execute during startup as well).
Login and Logout Hooks - Login or logout hooks are scripts or commands that run automatically when a user logs in to or logs out of their account. Login hooks may sound similar to Login Items, but they serve different purposes: login hooks primarily work with scripts or commands, whereas Login Items primarily work with applications and services. Login and logout hooks are stored as key-value pairs in the ~/Library/Preferences/com.apple.loginwindow.plist file. There can only be one login hook and one logout hook key-value pair at any point in time.
Dynamic Libraries (Dylib) - These are libraries that an application can load and execute. Red team operators can use dynamic libraries to establish persistence via DYLD_* environment variables, Dylib proxying or Dylib hijacking. DYLD_* environment variables can be used to specify malicious dynamic libraries or frameworks to be loaded during application startup. In Dylib proxying, a legitimate library is replaced with a malicious library that has the same name as the legitimate one, in order to intercept and control application behavior. In Dylib hijacking, an application is coerced into loading a malicious library by replacing a library in its search path or injecting one into it.
Plugins - Plugins are used by many applications as a mechanism to extend their functionality. Red team operators can leverage plugins to establish persistence by crafting a malicious plugin and installing it into the application’s plugin directory.
Profiles - Profiles are typically used by administrators to enforce policies, configure devices, or manage software settings on a Mac. A user can be tricked into installing a red team operator’s crafted profile to configure certain settings, such as launch items, to establish persistence.
Scripts - If a red team operator has obtained root privileges on a Mac, they can leverage certain system scripts, such as rc.common, .bashrc or .bash_profile, to execute commands on the machine. These commands will be executed whenever these scripts execute. For example, the .bash_profile script is executed whenever the user launches the Terminal application.
Kexts - Kernel Extensions (or Kexts) are a mechanism through which macOS allows applications to interface with the system kernel. They are similar to drivers in the Windows world. A red team operator can install a malicious kext on the target machine to establish persistence. It is a less used technique, as any interaction with the kernel has the potential of crashing the system. Moreover, Apple has now deprecated the use of Kernel Extensions in favor of System Extensions.
Event Monitor Rules - Event monitor rules are a mechanism that allows monitoring and responding to specific system events, such as file changes, application launches, or user interactions. They are designed to trigger predefined actions or scripts when specific events occur. Red team operators can create an event monitor rule to execute their payload whenever such an event occurs.
Reopened Applications - Red team operators can leverage macOS's functionality to re-launch apps upon startup to execute their payload. To do so, they append an entry pointing to their executable in the plist file used by this service (~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist). As a result, that executable will be launched upon the next startup.
Application and Binary Modifications - Red team operators can establish persistence by altering existing applications or binaries on the target machine in a manner (e.g. hijacking the entry point of the binary) that executes their code whenever that binary or application is launched.
Folder Actions and AppleScript - Folder Actions in macOS are a feature that allows AppleScript to be automatically triggered when certain events occur within a folder, such as adding, removing, or modifying files. By attaching a malicious AppleScript to a folder, actions can be set to trigger based on specific changes to the folder’s contents.
Overrides - The overrides file (located at /var/db/launchd.db/com.apple.launchd/overrides.plist) is designed to override settings in Launch Daemons or Launch Agents. Even if the 'Disabled' key in a Launch Agent plist is set to true, the value in the overrides plist takes precedence. So a red team operator can create a plist with the Disabled key set to true, but add an entry in the overrides file that sets this key to false. Their plist will then be loaded even though it was marked as disabled.
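As an added defender-side example (not code from the original post), the following Python script parses a LaunchAgent plist together with an overrides.plist and flags the traits discussed under Launch Items and Overrides above: an item marked Disabled that the overrides file re-enables, a program living in a hidden or world-writable location, and RunAtLoad/KeepAlive, which make the item run without user action. The plist contents, the label com.example.updater and the file paths are constructed for the example, and the list of suspect directories is an assumption.

```python
import plistlib

# Constructed sample inputs (not taken from a real system): a LaunchAgent
# whose own Disabled key is true, and an overrides.plist entry that flips it.
AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/update.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>Disabled</key><true/>
</dict></plist>"""

OVERRIDES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.example.updater</key><dict><key>Disabled</key><false/></dict>
</dict></plist>"""

# Assumed list of locations where a launch item's program should not live.
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def effective_disabled(agent: dict, overrides: dict) -> bool:
    """Whether launchd treats the item as disabled: the overrides file wins
    over the item's own Disabled key, as the post describes."""
    entry = overrides.get(agent.get("Label"), {})
    if "Disabled" in entry:
        return bool(entry["Disabled"])
    return bool(agent.get("Disabled", False))


def audit_launch_item(agent_bytes: bytes, overrides_bytes: bytes = b"") -> list:
    """Return the review-worthy traits found in one LaunchAgent/LaunchDaemon."""
    agent = plistlib.loads(agent_bytes)
    overrides = plistlib.loads(overrides_bytes) if overrides_bytes else {}
    findings = []
    if agent.get("Disabled") and not effective_disabled(agent, overrides):
        findings.append("overrides re-enable an item whose own plist says Disabled")
    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    hidden = any(part.startswith(".") for part in program.split("/") if part)
    if program.startswith(SUSPECT_DIRS) or hidden:
        findings.append(f"program in a world-writable or hidden location: {program}")
    if agent.get("RunAtLoad") or agent.get("KeepAlive"):
        findings.append("RunAtLoad/KeepAlive set: executes without user action")
    return findings


if __name__ == "__main__":
    for line in audit_launch_item(AGENT_PLIST, OVERRIDES_PLIST):
        print("[!]", line)
```

On a live system the same functions can be fed the bytes of each plist under the LaunchAgents/LaunchDaemons directories and the overrides file named in the post.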
Red Team Notes
- macOS provides several mechanisms which red team operators can leverage to establish persistence. These include login items, launch items, dynamic libraries, the overrides file, scheduled tasks, cron jobs, scripts, periodic scripts, folder actions and AppleScript, kernel extensions, modifying an application or binary, profiles, plugins, re-launch at startup and event monitor rules.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.