![]() Two instances of persistence execution PID 5967 and PID 5973 The culmination of this research is ScreenSaverPersist.js, which I have included in the PersistentJXA project. By changing the values in the screensaver plist ( ~/Library/Preferences/ByHost/), an adversary can set a new screensaver and set configuration options such as the user inactivity time. ![]() Plists are the macOS equivalent of the Windows registry. Like my Dock persistence method, this technique relies on the ability end-users have to modify a property list (plist). After taking a closer look, these can be abused for persistence in a similar fashion as on Windows. On macOS, these are Mach-O executables that are saved within application bundles with the. On Windows, screensavers execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page. Screensavers for macOS Persistence BackgroundĪfter revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS.
0 Comments
Leave a Reply. |