Apple persistence mechanisms

| Type | Location | Documentation |
|---|---|---|
| Kernel/System Extensions | `/System/Library/Extensions/`<br>`/Library/Extensions/`<br>`/Extra/Extensions/` | https://developer.apple.com/fr/support/kernel-extensions/<br>`/Extra/Extensions/` is deprecated |
| Launch Daemons | `/System/Library/LaunchDaemons/`<br>`/Library/LaunchDaemons/`<br>`/Users/*/Library/LaunchDaemons/` | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
| Launch Agents | `/System/Library/LaunchAgents/`<br>`/Library/LaunchAgents/`<br>`/Users/*/Library/LaunchAgents/` | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
| Startup Items | `/System/Library/StartupItems/`<br>`/Library/StartupItems/`<br>`/Users/*/Library/StartupItems/` | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html<br>Deprecated |
| Scripting Additions | `/System/Library/ScriptingAdditions/`<br>`/Library/ScriptingAdditions/`<br>`/Applications/*/Contents/Resources/Scripting Additions/` | https://developer.apple.com/documentation/macos_release_notes/macos_mojave_10_14_release_notes<br>`/System/Library/` and `/Library` are deprecated |
| Login / Logout Hooks | `/Library/Preferences/com.apple.loginwindow.plist`<br>`/Users/*/Library/Preferences/com.apple.loginwindow.plist`<br>`/Users/*/Library/Preferences/loginwindow.plist` | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html<br>Login hooks, Pre-logon, Deprecated |
| ReOpen Applications | `/Users/*/Library/Preferences/ByHost/com.apple.loginwindow.*` | https://www.virusbulletin.com/virusbulletin/2014/10/paper-methods-malware-persistence-mac-os-x |
| Login Items | `/Users/*/Library/Preferences/com.apple.loginitems.plist`<br>`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` | https://objective-see.com/blog/blog_0x31.html<br>Post-logon |
| Authorization Plugins | `/System/Library/CoreServices/SecurityAgentPlugins/`<br>`/Library/Security/SecurityAgentPlugins/` | https://developer.apple.com/documentation/security/authorization_plug-ins/using_authorization_plug-ins |
| Directory Services Plug-ins | `/System/Library/Frameworks/DirectoryService.framework/Versions/A/Resources/Plugins/`<br>`/Library/DirectoryServices/PlugIns` | https://developer.apple.com/library/archive/documentation/Networking/Conceptual/Open_Dir_Plugin/ConfiguringanOpenDirectoryPlug-in/ConfiguringanOpenDirectoryPlug-in.html |
| App extensions | `/Applications/*/Contents/PlugIns/` | https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionCreation.html |
| Quicklook Generator | `/Applications/*/Contents/Library/QuickLook/` | https://developer.apple.com/library/archive/documentation/UserExperience/Conceptual/Quicklook_Programming_Guide/Introduction/Introduction.html |
| Spotlight Importers | `/Library/Spotlight/`<br>`/Applications/*/Contents/Library/Spotlight/` | https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/ |
| Apple Scripts | `/Library/Scripts/`<br>`/Users/*/Library/Scripts/` | Deprecated |
| Firefox Extensions | `/Users/*/Library/Application Support/Firefox/Profiles/*/extensions/` | |
| Chrome Extensions | `/Users/*/Library/Application Support/Google/Chrome/*/Extensions/`<br>`/Users/*/Library/Application Support/Google/Chrome Canary/*/Extensions/`<br>`/Users/*/Library/Application Support/Chromium/*/Extensions/` | |
| Safari Extensions | `/Users/*/Library/Safari/Extensions/` | |
| Internet Plugins | `/Library/Internet Plug-Ins/` | https://developer.apple.com/library/archive/documentation/InternetWeb/Conceptual/WebKit_PluginProgTopic/Concepts/AboutPlugins.html |
| Launchd | `/etc/launchd.conf` | Deprecated |
| Emond rules | `/etc/emond.d/emond.plist`<br>`/etc/emond.d/rules/` | https://www.xorrior.com/emond-persistence/ |
| Cron jobs | `/usr/lib/cron/jobs/` | `man cron` |
| Cron tabs | `/etc/crontab`<br>`/private/etc/crontab`<br>`/usr/lib/cron/tabs/` | `man crontab` |
| Periodic Scripts | `/etc/defaults/periodic.conf`<br>`/etc/periodic.conf`<br>`/etc/periodic/` | `man periodic.conf` |
| RC scripts | `/etc/rc.common`<br>`/etc/rc.boot`<br>`/etc/rc.installer_cleanup`<br>`/etc/rc.cleanup` | |
| Library Inserts | \* / active scan required | https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ |
| Library proxy | \* / active scan required | https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf |