Skip to content

Instantly share code, notes, and snippets.

@invictus-ir

invictus-ir/Persistence_techniques.csv

Last active February 7, 2022 09:29
Show Gist options
  • Save invictus-ir/e781152bcd8d230cf8a28b74d4a1a0b5 to your computer and use it in GitHub Desktop.
Save invictus-ir/e781152bcd8d230cf8a28b74d4a1a0b5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Persistence_techniques.csv
Technique File Location Note
T1543.001 /System/Library/LaunchAgents Apple-supplied agents that apply to all users on a per-user basis
/Library/LaunchAgents Third-party agents that apply to all users on a per-user basis
~/Library/LaunchAgents Third-party agents that apply only to the logged-in user
T1543.004 /System/Library/LaunchDaemons Apple-supplied system daemons
/Library/LaunchDaemons Third-party system daemons
T1546.014 /private/var/db/emondClients
/private/etc/emon.d/rules
T1546.004 /etc/zshenv File can also exist in user home directory
/etc/zprofile File can also exist in user home directory
/etc/zshrc File can also exist in user home directory
/etc/zlogin File can also exist in user home directory
/etc/zlogout File can also exist in user home directory
T1037.002 var/root/Library/Preferences/com.apple.loginwindow.plist File is required for Login/Logout scripts to work
T1574.004 ~/lib Location for dynamic libraries
/usr/local/lib Location for dynamic libraries
/usr/lib Location for dynamic libraries
T1547.006 /System/Library/Extensions System level kernel extensions
~/Library/Extensions User level kernel extensions
T1547.007 ~/Library/Preferences/com.apple.loginwindow.plist
~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist
T1547.015 ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm Contains login items
T1098.004 ~/.ssh/authorized_keys File can also exist in user home directory
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment