Apple persitence mecanisms

June 1, 2020 · View on GitHub

Type	Location	Documentation
Kernel/Sytem Extensions	/System/Library/Extensions/ /Library/Extensions/ /Extra/Extensions/	https://developer.apple.com/fr/support/kernel-extensions/ /Extra/Extensions/ is deprecated
Launch Daemons	/System/Library/LaunchDaemons/ /Library/LaunchDaemons/ /Users/*/Library/LaunchDaemons/	https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html
Launch Agents	/System/Library/LaunchAgents/ /Library/LaunchAgents/ /Users/*/Library/LaunchAgents/	https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html
Startup Items	/System/Library/StartupItems/ /Library/StartupItems/ /Users/*/Library/StartupItems/	https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html Deprecated
Scripting Additions	/System/Library/ScriptingAdditions/ /Library/ScriptingAdditions/ /Applications/*/Contents/Resources/Scripting Additions/	https://developer.apple.com/documentation/macos_release_notes/macos_mojave_10_14_release_notes /System/Library/ and /Library are deprecated
Login / Logout Hooks	/Library/Preferences/com.apple.loginwindow.plist /Users//Library/Preferences/com.apple.loginwindow.plist /Users//Library/Preferences/loginwindow.plist	https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html Login hooks, Pre-logon, Deprecated
ReOpen Applications	/Users//Library/Preferences/ByHost/com.apple.loginwindow.	https://www.virusbulletin.com/virusbulletin/2014/10/paper-methods-malware-persistence-mac-os-x
Login Items	/Users//Library/Preferences/com.apple.loginitems.plist /Users//Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm	https://objective-see.com/blog/blog_0x31.html Post-logon
Authorization Plugins	/System/Library/CoreServices/SecurityAgentPlugins/ /Library/Security/SecurityAgentPlugins/	https://developer.apple.com/documentation/security/authorization_plug-ins/using_authorization_plug-ins
Directory Services Plug-ins	/System/Library/Frameworks/DirectoryService.framework/Versions/A/Resources/Plugins/ /Library/DirectoryServices/PlugIns	https://developer.apple.com/library/archive/documentation/Networking/Conceptual/Open_Dir_Plugin/ConfiguringanOpenDirectoryPlug-in/ConfiguringanOpenDirectoryPlug-in.html
App extensions	/Applications/*/Contents/PlugIns/	https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionCreation.html
Quicklook Generator	/Applications/*/Contents/Library/QuickLook/	https://developer.apple.com/library/archive/documentation/UserExperience/Conceptual/Quicklook_Programming_Guide/Introduction/Introduction.html
Spotlight Importers	/Library/Spotlight/ /Applications/*/Contents/Library/Spotlight/	https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/
Apple Scripts	/Library/Scripts/ /Users/*/Library/Scripts/	Deprecated
Firefox Extensions	/Users//Library/Application Support/Firefox/Profiles//extensions/
Chrome Extensions	/Users//Library/Application Support/Google/Chrome//Extensions/ /Users//Library/Application Support/Google/Chrome Canary//Extensions/ /Users//Library/Application Support/Chromium//Extensions/
Safari Extensions	/Users/*/Library/Safari/Extensions/
Internet Plugins	/Library/Internet Plug-Ins/	https://developer.apple.com/library/archive/documentation/InternetWeb/Conceptual/WebKit_PluginProgTopic/Concepts/AboutPlugins.html
Launchd	/etc/launchd.conf	Deprecated
Emond rules	/etc/emond.d/emond.plist /etc/emond.d/rules/	https://www.xorrior.com/emond-persistence/
Cron jobs	/usr/lib/cron/jobs/	man cron
Cron tabs	/etc/crontab /private/etc/crontab /usr/lib/cron/tabs/	man crontab
Periodic Scripts	/etc/defaults/periodic.conf /etc/periodic.conf /etc/periodic/	man periodic.conf
RC scripts	/etc/rc.common /etc/rc.boot /etc/rc.installer_cleanup /etc/rc.cleanup
Library Inserts	* / active scan required	https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
Library proxy	* / active scan required	https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf