Skip to content

Instantly share code, notes, and snippets.

@MohitDabas

MohitDabas/MacOS EDR RTR Persistence and Permission.md

Created November 10, 2023 11:27
Show Gist options
  • Save MohitDabas/262362b1ccf675c751c1ac14270682bf to your computer and use it in GitHub Desktop.
Save MohitDabas/262362b1ccf675c751c1ac14270682bf to your computer and use it in GitHub Desktop.
Download ZIP
You can use these one liner in any supported EDR Realtime response script runner.
Raw
MacOS EDR RTR Persistence and Permission.md

MacOS EDR RTR Persistence and Permission

You can use these one liner in any supported EDR Realtime response script runner.

Persistence on Mac

python3 -c "import os; paths = ['/Library/LaunchAgents','/Library/LaunchDaemons','/System/Library/LaunchDaemons', os.path.expanduser('/users/<username>/Library/LaunchAgents'),os.path.expanduser('/Users/<username>/Library/Preferences'),'/Library/Preferences']; [print(f'File: {filename}\n{repr(open(os.path.join(path, filename), \"rb\").read())}') for path in paths if os.path.exists(path) for filename in os.listdir(path)]; print(f'Directory not found: {[path for path in paths if not os.path.exists(path)]}') if any(not os.path.exists(path) for path in paths) else None"

Cron jobs

python3 -c "import os; paths = [ os.path.expanduser('~/Library/LaunchAgents'), '/etc/periodic/daily', '/etc/periodic/monthly', '/etc/periodic/weekly']; [print(f'File: {filename}\n{repr(open(os.path.join(path, filename), \"rb\").read())}') for path in paths if os.path.exists(path) for filename in os.listdir(path)]; print(f'Directory not found: {[path for path in paths if not os.path.exists(path)]}') if any(not os.path.exists(path) for path in paths) else None"

Permission of Applications

find /Applications -type d -name '*.app' -exec sh -c 'echo "Directory: {}"; codesign -dv --entitlements :- "{}"' \;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment