Type | Location | Documentation |
---|---|---|
Kernel/System Extensions | /System/Library/Extensions/<br>/Library/Extensions/<br>/Extra/Extensions/ | https://developer.apple.com/fr/support/kernel-extensions/<br>/Extra/Extensions/ is deprecated |
Launch Daemons | /System/Library/LaunchDaemons/<br>/Library/LaunchDaemons/<br>/Users/*/Library/LaunchDaemons/ | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
Launch Agents | /System/Library/LaunchAgents/<br>/Library/LaunchAgents/<br>/Users/*/Library/LaunchAgents/ | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
Startup Items | /System/Library/StartupItems/<br>/Library/StartupItems/<br>/Users/*/Library/StartupItems/ | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html<br>Deprecated |
Scripting Additions | /System/Library/ScriptingAdditions/<br>/Library/ScriptingAdditions/<br>/Applications/*/Contents/Resources/Scripting Additions/ | https://developer.apple.com/documentation/macos_release_notes/macos_mojave_10_14_release_notes<br>/System/Library/ and /Library are deprecated |
Login / Logout Hooks | /Library/Preferences/com.apple.loginwindow.plist<br>/Users/*/Library/Preferences/com.apple.loginwindow.plist<br>/Users/*/Library/Preferences/loginwindow.plist | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html<br>Login hooks, Pre-logon, Deprecated |
ReOpen Applications | /Users/*/Library/Preferences/ByHost/com.apple.loginwindow.* | https://www.virusbulletin.com/virusbulletin/2014/10/paper-methods-malware-persistence-mac-os-x |
Login Items | /Users/*/Library/Preferences/com.apple.loginitems.plist<br>/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm | https://objective-see.com/blog/blog_0x31.html<br>Post-logon |
Authorization Plugins | /System/Library/CoreServices/SecurityAgentPlugins/<br>/Library/Security/SecurityAgentPlugins/ | https://developer.apple.com/documentation/security/authorization_plug-ins/using_authorization_plug-ins |
Directory Services Plug-ins | /System/Library/Frameworks/DirectoryService.framework/Versions/A/Resources/Plugins/<br>/Library/DirectoryServices/PlugIns | https://developer.apple.com/library/archive/documentation/Networking/Conceptual/Open_Dir_Plugin/ConfiguringanOpenDirectoryPlug-in/ConfiguringanOpenDirectoryPlug-in.html |
App extensions | /Applications/*/Contents/PlugIns/ | https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionCreation.html |
Quicklook Generator | /Applications/*/Contents/Library/QuickLook/ | https://developer.apple.com/library/archive/documentation/UserExperience/Conceptual/Quicklook_Programming_Guide/Introduction/Introduction.html |
Spotlight Importers | /Library/Spotlight/<br>/Applications/*/Contents/Library/Spotlight/ | https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/ |
Apple Scripts | /Library/Scripts/<br>/Users/*/Library/Scripts/ | Deprecated |
Firefox Extensions | /Users/*/Library/Application Support/Firefox/Profiles/*/extensions/ | |
Chrome Extensions | /Users/*/Library/Application Support/Google/Chrome/*/Extensions/<br>/Users/*/Library/Application Support/Google/Chrome Canary/*/Extensions/<br>/Users/*/Library/Application Support/Chromium/*/Extensions/ | |
Safari Extensions | /Users/*/Library/Safari/Extensions/ | |
Internet Plugins | /Library/Internet Plug-Ins/ | https://developer.apple.com/library/archive/documentation/InternetWeb/Conceptual/WebKit_PluginProgTopic/Concepts/AboutPlugins.html |
Launchd | /etc/launchd.conf | Deprecated |
Emond rules | /etc/emond.d/emond.plist<br>/etc/emond.d/rules/ | https://www.xorrior.com/emond-persistence/ |
Cron jobs | /usr/lib/cron/jobs/ | man cron |
Cron tabs | /etc/crontab<br>/private/etc/crontab<br>/usr/lib/cron/tabs/ | man crontab |
Periodic Scripts | /etc/defaults/periodic.conf<br>/etc/periodic.conf<br>/etc/periodic/ | man periodic.conf |
RC scripts | /etc/rc.common<br>/etc/rc.boot<br>/etc/rc.installer_cleanup<br>/etc/rc.cleanup | |
Library Inserts | * / active scan required | https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ |
Library proxy | * / active scan required | https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf |
Apple persistence mechanisms